OpenVPN cannot reach remote network
-
Hi all,
I'd like to pinpoint what I am missing on a site-to-site OpenVPN I am running. Here is the situation:
- the tunnel is UP and the two firewalls are pinging each other on 192.168.222.0/27 (I am .1, the other side is .2)
- my local net is 192.168.122.0/27
- the remote network is 192.168.1.96/27
- one PC in my LAN has IP 192.168.122.30 (it can ping 192.168.222.2)
- my pfSense has IP 192.168.165.210/24 and a virtual IP 192.168.122.29/27
- the OpenVPN interface is not assigned
- the relevant routes that I see on my firewall are:
192.168.1.96/27 192.168.222.2 UGS 24 1500 ovpns4
192.168.222.0/27 link#17 U 22 1500 ovpns4
192.168.222.1 link#10 UHS 23 16384 lo0
192.168.122.0/27 link#2 U 14 1500 mvneta1
192.168.122.29 link#10 UHS 7 16384 lo0
- one floating rule for the OpenVPN interface allows all on IPv4*
- 4 rules on the OpenVPN interface allowing all on IPv4* in both directions for the subnets 192.168.1.96/27 and 192.168.222.0/27
- the last rule on the OpenVPN interface is a "block all" with logging enabled, to see in the logs if something goes there (I saw no logs for the dropped pings)
- the remote site can ping my PC on 192.168.122.30
My problem is: I cannot ping the remote site at 192.168.1.110
What I checked:
Looking at the packet capture on the WAN side, filtered to the remote firewall's WAN IP, I can see:
- the ping packets going back and forth when I ping 192.168.222.2 from 192.168.122.30
- nothing comes out the WAN when I ping the remote network 192.168.1.110 from 192.168.122.30, so I suppose it's me that is dropping/blocking the ping from going through the tunnel
Any hint on which checks I have to do is appreciated!
-
@Bly
Are you missing the client specific override?
-
@viragomann Which override is missing? Local and remote networks are already set in both firewalls, and the client override works on the remote firewall, as I am the server in this case.
And it is me dropping the packets to the other side, but only the ones directed to the 192.168.1.96/27 subnet, and the logs (so far) don't show me where it happens.
-
I see the ping is allowed to the OpenVPN interface, but it doesn't get transmitted over the tunnel. I wonder which setting is not allowing it to pass.
This log comes from the floating rule.
-
@Bly
The Client Specific Override (VPN > OpenVPN > Client Specific Overrides) is needed on the server to tell OpenVPN to which IP it has to route the client side's subnets. It is needed as of a /29 tunnel network, even if only a single client is connected.
-
@viragomann I added the following for the tunnel:
It seems not enough, as packets to 192.168.1.100 are still dropped.
192.168.222.1 (me) and 192.168.222.2 (remote) can both be pinged from 192.168.122.30
Do I maybe need to add the subnets also in both local and remote overrides? I thought it was not necessary, as they are in the OpenVPN settings.
-
@Bly said in OpenVPN cannot reach remote network:
Do may I need add also the subnets in both local and remote overrides?
Yes. It is needed in the server setting for pfSense to add routes to the OpenVPN. In the CSO it is required for inside OpenVPN routing.
For the CSO tunnel network it's recommended to use a high IP out of the tunnel network, if possible.
-
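To make the two routing steps from the previous answer concrete, here is an added illustration (not from the thread, and not pfSense or OpenVPN code): a small Python model of what happens to a packet on the OpenVPN server side. Step one is the kernel routing table, which pfSense fills from the server's "IPv4 Remote network(s)" field (an OpenVPN `route` line). Step two is OpenVPN's own client table, built from each client's `iroute` lines (the CSO "IPv4 Remote network(s)" field). The routing table and addresses are the ones posted above; the two CCD file texts and the client name "remote-site" are constructed for the example.

```python
"""Two-stage routing on an OpenVPN server with a shared (/27) tunnel network.
Added illustration for this thread, not pfSense or OpenVPN code.  The kernel
routing table and addresses are those posted in the thread; the CCD texts
and the client name "remote-site" are constructed."""
import ipaddress

# Kernel routing table as posted in the thread (constructed copy).
KERNEL_ROUTES_TEXT = """\
192.168.1.96/27   192.168.222.2 UGS 24 1500  ovpns4
192.168.222.0/27  link#17       U   22 1500  ovpns4
192.168.222.1     link#10       UHS 23 16384 lo0
192.168.122.0/27  link#2        U   14 1500  mvneta1
192.168.122.29    link#10       UHS 7  16384 lo0
"""

# CSO for the remote firewall before and after the fix (constructed).
CCD_BEFORE = """\
ifconfig-push 192.168.222.2 255.255.255.224   # CSO tunnel network only
"""
CCD_AFTER = """\
ifconfig-push 192.168.222.2 255.255.255.224
iroute 192.168.1.96 255.255.255.224           # CSO IPv4 remote network
"""


def parse_kernel_routes(text):
    """netstat -rn style rows -> list of (network, interface)."""
    routes = []
    for line in text.strip().splitlines():
        dest, _gw, _flags, _refs, _mtu, iface = line.split()
        if "/" not in dest:          # host route, e.g. 192.168.222.1
            dest += "/32"
        routes.append((ipaddress.ip_network(dest), iface))
    return routes


def kernel_lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    dst = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, iface) for net, iface in routes if dst in net]
    return max(hits)[1] if hits else None


def parse_ccd(text):
    """One client-config-dir file -> (pushed tunnel IP, [iroute networks])."""
    tunnel_ip, iroutes = None, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "ifconfig-push":
            tunnel_ip = ipaddress.ip_address(words[1])
        elif words[0] == "iroute":
            iroutes.append(ipaddress.ip_network(f"{words[1]}/{words[2]}"))
    return tunnel_ip, iroutes


def openvpn_lookup(clients, dst):
    """OpenVPN's internal routing: a client owns its tunnel IP plus whatever
    its iroutes cover; the most specific match wins, nothing else is sent."""
    dst = ipaddress.ip_address(dst)
    best = None
    for name, (tunnel_ip, iroutes) in clients.items():
        if dst == tunnel_ip:
            return name
        for net in iroutes:
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, name)
    return best[1] if best else None


def forward(routes, clients, dst, tunnel_iface="ovpns4"):
    """Trace where a packet from the server's LAN to dst ends up."""
    iface = kernel_lookup(routes, dst)
    if iface is None:
        return "kernel: no route"
    if iface != tunnel_iface:
        return f"kernel: out {iface}"
    client = openvpn_lookup(clients, dst)
    if client is None:
        return "openvpn: dropped, no client claims this address"
    return f"openvpn: to client {client}"


ROUTES = parse_kernel_routes(KERNEL_ROUTES_TEXT)
CLIENTS_BEFORE = {"remote-site": parse_ccd(CCD_BEFORE)}
CLIENTS_AFTER = {"remote-site": parse_ccd(CCD_AFTER)}

if __name__ == "__main__":
    for label, clients in (("before", CLIENTS_BEFORE), ("after", CLIENTS_AFTER)):
        for dst in ("192.168.222.2", "192.168.1.110", "192.168.122.30"):
            print(f"{label:6} {dst:15} -> {forward(ROUTES, clients, dst)}")
```

With only the kernel route in place the ping to 192.168.1.110 passes the firewall rules and enters ovpns4 (so the "block all" rule never logs it), but OpenVPN has no client that claims 192.168.1.96/27 and discards it before anything leaves the WAN, which matches the capture in the first post. The same table gates the reverse direction: packets a client sends from a source address outside its iroute are dropped with a "MULTI: bad source address from client" line in the OpenVPN log, so that log (not the firewall log) is the place to look for this class of drop.
-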
@viragomann I found out what was wrong.
The error was in front of my face all the time and I was not seeing it. I have to put BOTH networks in the IPv4 networks, not only the one on my side...
Thanks a lot for letting me see it!