OpenVPN site to site not working both ways

Pablomdli · Nov 24, 2023, 9:12 AM

Hi, for a project to a class i have to build a VPN tunnel using OpenVPN between two offices using pfSense.
I've followed this manual and i've also had to make the following rule on NAT Outbound
login-to-view
I made the same rule on both firewalls but it only works from office2 to ofice1.
In office1 i have two servers. One for remote access (that i have to make for the project) and the site to site server as well as a Client Specific Override.
In office2 i have a OpenVPN client that connect to the server.
LAN_Office2 can ping LAN_Office1 but LAN_Office1 can't ping LAN_Office2

I've tried to make a client on office1 and connect it to the tunnel aswell but it doesn't solve the issue. I've also made rule to access all trafic as the first rule of every interface rule table in case the firewall was blocking conexions.

Since this is a project to school i don't mind sharing whatever you want since it's all running on virtual machines.

greenlight · Nov 24, 2023, 10:14 AM

@Pablomdli I'm sorry, unfortunately I couldn't understand your system. Could you draw a network diagram?

https://products.apose.app/diagram/network

You can use this link. Seeing which pfsense is in which location, which device is the server and which device is the client will be more useful in understanding the problem.

Pablomdli · Nov 24, 2023, 10:25 AM

@greenlight Hi yes, i made one in draw.io for class. ![Esquema_Rede.drawio.png]login-to-view
This diagram has more things that i was required to do before all this, like a Web Cluster and another VPN tunnel (But that one is a Remote Access tunnel)
The weird "X" are supposed to be servers, i don't know what it's like that when downloading the image. The important part would be here
login-to-view

What i want is this tunnel site to site to allow office#1 and office#2 to communicate without needing NATs.
It kinda works since from Office#2 LAN i can ping 192.168.57.2 (one of Office#1 LAN MV) but i can't ping back from office#1 to office#2.

greenlight · Nov 24, 2023, 10:43 AM

@Pablomdli the office 1 is the openvpn server and office 2 is client?

Pablomdli · Nov 24, 2023, 10:44 AM

@greenlight Yes it is

greenlight · Nov 24, 2023, 10:47 AM

@Pablomdli I am writing this answer purely as an estimate, but the data flow is configured from the client device to the server. Can you install an openvpn server on Office 2 and try connecting the Office 1 device as a client? maybe this will solve your problem.

Pablomdli · Nov 24, 2023, 11:04 AM

@greenlight I Thought of doing that if i didn't find a solution because maybe it isn't the solution the teacher wants (i already emailed them asking but don't have an awsner yet).
I also don't know if i can have two servers on the same Tunnel IP giving addresses on the same subnet addresses.

viragomann · Nov 24, 2023, 1:01 PM

@Pablomdli
Are both VPN endpoint running on the respective internet gateway?

Why did you configure the NAT rules?

Why did you configure the server and the CSO?

Is the CSO applied properly? Set the servers logging verbosity level to 4 and check the logs after reconnecting.

Pablomdli · Nov 24, 2023, 1:01 PM

@viragomann @greenlight

Okay i found the error, i had the two LANs addresses on the CSO Ipv4 Remote Network/s because i missread what it was. Now they can comunicate perfectly. The only weird things is that it gives the ip 10.0.8.0 to de office#2 openvpn client
login-to-view
Wich i'm not completly sure if it's right or wrong...

The machines can ping eachother so i guess that's a good thing
login-to-view
login-to-view

viragomann · Nov 24, 2023, 1:21 PM

@Pablomdli said in OpenVPN site to site not working both ways:

The only weird things is that it gives the ip 10.0.8.0 to de office#2 openvpn client

So I'd suspect, that you stated this IP in the CSO.
You should enter an IP out of the tunnel network there, but it have to be one from the second upwards.