Site-to-Site OpenVPN: Ping Works HQ Firewall to DC Client, but Not DC Firewall to HQ Firewall
- 
 Hello everyone, I’m encountering an issue with my site-to-site OpenVPN tunnel between two pfSense appliances. I can successfully ping from the HQ firewall to devices on the DC LAN, but I cannot ping from the DC firewall to the HQ firewall. Here are the details of my setup and troubleshooting efforts:
 Setup Overview
 Data Center (DC)
 WAN IP: 199.119.XX.XXX (partially redacted for security).
 LAN Subnet: 192.168.1.0/24
 pfSense Role: OpenVPN Server
 IPv4 Tunnel Network: 192.168.127.0/24
 IPv4 Local Networks: 192.168.1.0/24
 IPv4 Remote Networks: 192.168.11.0/24, 192.168.5.0/24
 Headquarters (HQ)
 LAN Subnets: 192.168.11.0/24, 192.168.5.0/24
 pfSense Role: OpenVPN Client
 IPv4 Local Networks: 192.168.11.0/24, 192.168.5.0/24
 IPv4 Remote Networks: 192.168.1.0/24
 What Works
 From the HQ firewall, I can ping devices on the DC LAN (192.168.1.0/24).
 What Doesn't Work
 From the DC firewall, I cannot ping the HQ firewall’s LAN interface (192.168.11.1 or 192.168.5.1).
 Traceroutes from the DC firewall to the HQ firewall fail after the OpenVPN tunnel.
 Troubleshooting Done
 Routing: Confirmed both sides have correct routes for remote subnets via the OpenVPN tunnel.
 Firewall Rules: Verified rules on both sides allow traffic in both directions for the respective subnets.
 NAT: "Do Not NAT" rules are configured for all VPN traffic.
 State Tables: Cleared state tables and rebooted both firewalls.
 Questions
 Could this be a routing issue related to the WAN IP (199.119.XX.XXX) on the DC firewall?
 How can I confirm if the issue is related to asymmetric routing or return traffic being blocked?
 Should I enable OpenVPN debugging or capture additional logs to trace the issue?
 Any advice or insights would be greatly appreciated. Thank you!
- 
 @PlanetToysUtah 
 Since you didn't mention the client specific override, I guess, you're missing it.
- 
 @viragomann Do I need that?
- 
 @PlanetToysUtah 
 If there is only a single client connecting to the server AND you can forgo to use DCO, you can set the tunnel network mask to /30 and it will work without a CSO.
- 
 @viragomann I heard that if it's in /30 that isn't good for site-to-site VPNs; also I added a DCO and it still didn't work.
- 
 @PlanetToysUtah said in Site-to-Site OpenVPN: Ping Works HQ Firewall to DC Client, but Not DC Firewall to HQ Firewall: I heard that if it's in /30 that isn't good for site-to-site VPNs; also I added a DCO and it still didn't work?
 DCO is a check box in the settings of pfSense+.
 And it's not compatible with a /30 tunnel mask. So what did you actually do?
- 
 Ah ok, I have pfSense CE. I got the ping from HQ to DC working but not DC to HQ; I can ping 192.168.11.1 from DC but no clients on the next hop over at 192.168.5.0/24.
- 
 @PlanetToysUtah 
 Also I did CSO (Client Specific Overrides) and added the correct routes, and that worked, but I'm still having issues with the DC to HQ 5.0/24 network.
- 
 @PlanetToysUtah 
 In the CSO you have to state the client side's networks at "remote networks" and once again in the server settings. If it doesn't work either, set the server's log verbosity level to 4. Then reconnect the client and check the logs for the relevant entries.
 The server then logs if the CSO was applied and if the routes for the client networks were added inside OpenVPN.
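The two answers above boil down to a consistency rule: with a tunnel network wider than /30, every client-side subnet must appear both in the server's "IPv4 Remote Networks" (which becomes a `route` directive, so the server's kernel sends the traffic into the tunnel) and in the CSO's "remote networks" (which becomes an `iroute` directive, so OpenVPN knows which connected client owns that subnet); a /30 tunnel avoids the CSO but cannot be combined with DCO. The following checker is an added example written for this thread, not pfSense code or anything the posters ran. It models those settings with the thread's own addresses, derives the OpenVPN `route`/`iroute` lines, and reports the mismatches. A CSO that lists 192.168.11.0/24 but not 192.168.5.0/24 is one configuration that produces exactly the symptom reported later in the thread: 192.168.11.1 answers, 192.168.5.0/24 does not.

```python
"""Consistency check for a pfSense-style site-to-site OpenVPN server (added example).

Field names mirror the pfSense OpenVPN server / CSO pages discussed in the
thread; the check logic itself is illustrative, not pfSense's own code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ServerSettings:
    tunnel_network: str            # "IPv4 Tunnel Network" on the server
    local_networks: List[str]      # "IPv4 Local Networks" on the server
    remote_networks: List[str]     # "IPv4 Remote Networks" on the server
    dco_enabled: bool = False      # DCO check box (pfSense Plus only)
    # "IPv4 Remote Networks" inside the Client Specific Override;
    # None means no CSO exists for this client.
    cso_remote_networks: Optional[List[str]] = None


def _nets(values):
    return [ipaddress.ip_network(v, strict=True) for v in values or []]


def openvpn_directives(s: ServerSettings) -> List[str]:
    """Translate the settings into the OpenVPN route/iroute lines they produce.

    `route` goes into the server config (kernel routing into the tunnel);
    `iroute` goes into the client's CSO (OpenVPN-internal routing to that client).
    """
    lines = [f"route {n.network_address} {n.netmask}" for n in _nets(s.remote_networks)]
    lines += [f"iroute {n.network_address} {n.netmask}" for n in _nets(s.cso_remote_networks)]
    return lines


def check(s: ServerSettings) -> List[str]:
    """Return human-readable findings; an empty list means the settings agree."""
    findings = []
    tunnel = ipaddress.ip_network(s.tunnel_network, strict=True)
    local = _nets(s.local_networks)
    remote = _nets(s.remote_networks)

    # A remote subnet that also exists locally can never be routed into the tunnel.
    for r in remote:
        for l in local:
            if r.overlaps(l):
                findings.append(f"remote network {r} overlaps local network {l}")

    if tunnel.prefixlen >= 30:
        # Point-to-point tunnel: a single peer, so no CSO/iroute is needed,
        # but DCO does not work with this mode.
        if s.dco_enabled:
            findings.append("/30 tunnel network is not compatible with DCO")
        return findings

    # Wider tunnel: OpenVPN needs to know which client owns each remote subnet.
    if s.cso_remote_networks is None:
        findings.append(
            f"tunnel network {tunnel} is wider than /30 but the client has no CSO"
        )
        return findings

    cso = set(_nets(s.cso_remote_networks))
    for r in remote:
        if r not in cso:
            findings.append(
                f"remote network {r} has a route on the server but no iroute in the CSO"
            )
    for c in sorted(cso, key=str):
        if c not in set(remote):
            findings.append(
                f"CSO lists {c} but the server's remote networks do not (no kernel route)"
            )
    return findings


if __name__ == "__main__":
    # The thread's DC server with a CSO that covers only one HQ subnet.
    dc = ServerSettings(
        tunnel_network="192.168.127.0/24",
        local_networks=["192.168.1.0/24"],
        remote_networks=["192.168.11.0/24", "192.168.5.0/24"],
        cso_remote_networks=["192.168.11.0/24"],
    )
    for line in openvpn_directives(dc):
        print(line)
    for f in check(dc):
        print("FINDING:", f)
```

Run with no arguments to see the thread's DC server checked with a half-complete CSO; swap the `cso_remote_networks` list to both HQ subnets and the findings disappear, or set it to `None` to reproduce the original post's situation.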
- 
 @viragomann I got all that fixed. Now the DC VMs can't ping any local system except for 192.168.11.1; they can't reach 192.168.5.0/24.
- 
 @viragomann You have any idea why I still can't ping from DC to HQ LAN? 
- 
 @PlanetToysUtah 
 Is the CSO applied?
 Please show the log.