Openvpn site-to-site problem
-
Hi,
I have a small problem here.
The problem is like this: I have 2 pfSense boxes connected site-to-site using OpenVPN. All the computers from HQ are able to ping the site LAN gateway, which is 10.0.12.1, but not able to ping the computers inside the site LAN. The same thing happens on the site side: they cannot ping the LAN at HQ, and the worse thing is they can't even ping the LAN gateway (10.0.0.1)... Please, can someone assist me with this?
The brief config is as follows:

HQ office:
WAN ip address: 102.XX.XXX.XX
Lan subnet: 10.0.0.0/22
Lan Gateway: 10.0.0.1

OVPN config (server):
protocol: tcp
dynamic ip: tick
local port: 1194
address pool: 10.0.10.0/22
remote network: 10.0.12.0/16
authentication method: Shared Key

Site office:
wan address: dynamic
lan subnet: 10.0.12.0/16
lan gateway: 10.0.12.1

OVPN config (client):
protocol: tcp
server address: 102.XX.XXX.XX
server port: 1194
interface ip: 10.0.10.0/22
remote network: 10.0.0.0/22
cryptography: shared key

The tun0 for both sites is like this.

HQ office:
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
inet6 fe80::209:6bff:feed:b1cc%tun0 prefixlen 64 scopeid 0x1a
inet 10.0.8.1 --> 10.0.8.2 netmask 0xffffffff
Opened by PID 2118

Site office:
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
inet6 fe80::211:25ff:fe1b:f1ea%tun0 prefixlen 64 scopeid 0x9
inet 10.0.8.2 --> 10.0.8.1 netmask 0xffffffff
Opened by PID 4681
-
You have overlapping subnets: 10.0.12.0/16 (the remote network in your server configuration) is in fact the whole 10.0.0.0/16 subnet, 10.0.0.0 - 10.0.255.255. Also, I would use UDP as the transport for any VPN tunnel; TCP is inefficient for the job.
-
I have another thing to ask: is it possible to change the configuration into something like this?
HQ office:
------------
WAN ip address: 102.XX.XXX.XX
Lan subnet: 10.0.0.0/16
Lan Gateway: 10.0.0.1

OVPN config (server):
protocol: udp
dynamic ip: tick
local port: 1194
address pool: 10.10.0.0/16
remote network: 10.0.0.0/16
authentication method: Shared Key

Site office:
wan address: dynamic
lan subnet: 10.0.0.0/16
lan gateway: 10.0.25.1

OVPN config (client):
protocol: udp
server address: 102.XX.XXX.XX
server port: 1194
interface ip: 10.10.0.0/16
remote network: 10.0.0.0/16
cryptography: shared key

Or any suggestion from the experts? :)
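The overlap the reply points out is easy to miss because pfSense (like any router) silently normalizes a CIDR with host bits set: 10.0.12.0/16 becomes 10.0.0.0/16, and the 10.0.10.0/22 tunnel pool becomes 10.0.8.0/22 (which is why the tun0 addresses above are 10.0.8.1 and 10.0.8.2). The following added example, not code from either post or from pfSense, runs that normalization and a pairwise overlap check over the original plan, the proposed follow-up plan, and a constructed disjoint plan that is my own assumption, not a recommendation from the thread:

```python
import ipaddress
from itertools import combinations

def normalize(cidr):
    """Return the network a router actually installs for `cidr`.
    strict=False clears host bits, so "10.0.12.0/16" -> 10.0.0.0/16."""
    return ipaddress.ip_network(cidr, strict=False)

def find_overlaps(plan):
    """plan: dict of name -> CIDR. Returns the list of (name_a, name_b)
    pairs whose normalized networks overlap, in dict order."""
    nets = {name: normalize(cidr) for name, cidr in plan.items()}
    return [(a, b) for a, b in combinations(nets, 2)
            if nets[a].overlaps(nets[b])]

def plan_is_routable(plan):
    """A site-to-site plan can only route traffic both ways when the two
    LANs and the tunnel pool are pairwise disjoint."""
    return not find_overlaps(plan)

# Constructed from the first post: HQ LAN, site LAN, server address pool.
ORIGINAL = {"hq_lan": "10.0.0.0/22", "site_lan": "10.0.12.0/16",
            "tunnel": "10.0.10.0/22"}
# Constructed from the follow-up post: both LANs are now the same /16.
PROPOSED = {"hq_lan": "10.0.0.0/16", "site_lan": "10.0.0.0/16",
            "tunnel": "10.10.0.0/16"}
# Assumed disjoint layout (my example, not from the thread): keep the
# HQ /22, shrink the site LAN to a /22, and park the tunnel in 10.0.8.0/24.
FIXED = {"hq_lan": "10.0.0.0/22", "site_lan": "10.0.12.0/22",
         "tunnel": "10.0.8.0/24"}

def report(label, plan):
    """Print the normalized networks and any overlapping pairs."""
    print(f"{label}:")
    for name, cidr in plan.items():
        print(f"  {name:8s} {cidr:15s} -> {normalize(cidr)}")
    pairs = find_overlaps(plan)
    print("  overlaps:", pairs if pairs else "none (routable)")

if __name__ == "__main__":
    report("original", ORIGINAL)
    report("proposed", PROPOSED)
    report("fixed", FIXED)
```

Running it shows the original plan's site LAN swallowing both the HQ LAN and the tunnel pool, and the proposed plan still having the two LANs as one and the same network.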