Fail to route internet traffic from OpenVPN server side to CLIENT side
-
Hi there,
I have two pfSense boxes with site-to-site OpenVPN configured. Now server and client can ping each other, and DNS on both sides works locally and remotely. However, I can't route internet traffic from the server side to the client side.
I've already set:
Server side LAN rules "pass all traffic via OpenVPN gateway";
Server side LAN IP addresses added to the client's Firewall/NAT/Outbound;
"Allow All" rules under Firewall/OpenVPN and the Firewall/OpenVPN interface on both sides.
No luck, server side LAN devices still can not get internet access via the OpenVPN client side.
Any help would be appreciated.
U.D.
-
Update: if the OpenVPN server's "IPv4 Tunnel Network" is set to /30, it works. I have to use /24, but then the remote internet access is down.
-
@upper-deck
That is expected behavior.
If you have a bigger tunnel subnet than a /30, the client is not unique, because multiple client connections are possible and hence the server cannot route packets to it without adding a client specific override.
-
@viragomann said in Fail to route internet traffic from OpenVPN server side to CLIENT side:
client specific override
The client specific override is configured.
-
@upper-deck
Is the common name the one you've stated in the client's certificate?
"...CA" doesn't sound like a client at all. Also consider that you have to enter the client side networks into the server config's "Remote networks" box as well.
-
The common name is "Site2Site_Client_CA".
/ Existing Certificate / Subject ST=, O=, L=Macau, CN=Site2Site_Client_CA, C=**
The client side networks are set in the server config.
-
@upper-deck
Seems to match. So check the OpenVPN log on the server. There should be an entry when the client gets determined and the CSO is applied.
-
Local traffic works normally. The internet still can not be accessed.
-
@upper-deck
So the CSO is working now, I guess. If you didn't set "redirect gateway" on either side and only stated the networks as seen in the screenshot, this should not affect internet traffic at all.
-
There is no "Redirect IPv4 Gateway" option on the client side. Would you please tell me how to do that at the client side? Any suggestion would be appreciated.
-
@upper-deck
As I understand you, internet access on the client works well without the VPN, but doesn't if it is connected. So obviously the client sets its default route to the server. The server can push this route to the client if you have "redirect gateway" checked, but the option exists on the server only in recent pfSense versions.
On the client you can check "don't pull routes" to avoid the default route being set.
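What the two replies above describe (a per-client `iroute` override for a /24 tunnel network, and "don't pull routes" on the client) maps onto the following raw OpenVPN directives. This is an added illustration, not a config from the thread or generated by pfSense; the tunnel network, LAN subnets, server address and CCD path are constructed placeholders, and only the common name `Site2Site_Client_CA` comes from the thread.

```conf
# ---- Server side: site-to-site server with a /24 tunnel network ----
dev tun
topology subnet
server 10.8.0.0 255.255.255.0            # /24 tunnel: more than one client can connect

# "Remote networks" box on the server: kernel route for the client LAN via the tunnel
route 192.168.20.0 255.255.255.0         # client LAN (constructed placeholder)

# Client specific overrides, one file per certificate common name
client-config-dir /var/etc/openvpn/ccd   # hypothetical path, pfSense generates its own

# Contents of the CCD file named after the common name:  ccd/Site2Site_Client_CA
#   iroute 192.168.20.0 255.255.255.0     # tells OpenVPN which client owns 192.168.20.0/24
#   ifconfig-push 10.8.0.2 255.255.255.0  # optional: pin the client's tunnel address
# Without the iroute, the server's kernel route exists but OpenVPN does not know
# which of the possible /24 clients to deliver 192.168.20.0/24 packets to.

# No "redirect-gateway" push: only the LAN routes are exchanged
# push "redirect-gateway def1"           # deliberately absent

# ---- Client side ----
client
dev tun
remote vpn.example.net 1194               # server address (constructed placeholder)

# "Don't pull routes": ignore any pushed routes, including a pushed default route
route-nopull
# With route-nopull the client must state the server LAN itself
route 192.168.10.0 255.255.255.0          # server LAN (constructed placeholder)
```

On the server, the log line that the earlier reply refers to is the one where OpenVPN reports learning `192.168.20.0/24` from the client with CN `Site2Site_Client_CA` once the CCD file is applied; if that line never appears, the common name and the CCD filename do not match.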