Netgate Discussion Forum

    Routing Setup

    Category: Routing and Multi WAN (22 Posts, 3 Posters, 5.0k Views)
    heper:

      If you can't ping the tunnel endpoint and the tunnel network is the same on both ends ... then the tunnel is probably not UP.

      Check the OpenVPN logs to find out what goes wrong.

    medicshelley:

        Jul 27 03:14:03 openvpn[10240]: Re-using pre-shared static key
        Jul 27 03:14:03 openvpn[10240]: Preserving previous TUN/TAP instance: ovpns1
        Jul 27 03:14:03 openvpn[10240]: Listening for incoming TCP connection on [AF_INET]10.3.1.145:443
        Jul 27 03:14:25 openvpn[10240]: TCP connection established with [AF_INET]10.4.1.125:22000
        Jul 27 03:14:25 openvpn[10240]: TCPv4_SERVER link local (bound): [AF_INET]10.3.1.145:443
        Jul 27 03:14:25 openvpn[10240]: TCPv4_SERVER link remote: [AF_INET]10.4.1.125:22000
        Jul 27 03:14:25 openvpn[10240]: Peer Connection Initiated with [AF_INET]10.4.1.125:22000
        Jul 27 03:14:27 openvpn[10240]: Initialization Sequence Completed

        Looks like it's up.

    podilarius:

      Can you post what rules you put in the OpenVPN tab in the firewall?

    medicshelley:

      Here is how I have things set up currently. I've been playing around with different settings, so I'm sure things are fudged.

      Server

      Mode: Shared Key
      Protocol: TCP
      Device mode: tun
      Interface: WAN
      Port: 443
      Tunnel network: 10.87.2.0/24
      Local network: 10.87.3.0/24
      Remote network: 10.87.100.0/24

      Client

      Mode: Shared Key
      Protocol: TCP
      Device mode: tun
      Interface: WAN
      Server address: 10.3.1.145
      Port: 443
      Tunnel network: 10.87.2.0/24
      Remote network: 10.87.3.0/24

      [Attached screenshots: serverwan.png, serverlan.png, servervpn.png, clientlan.png, clientwan.png, clientvpn.png]

    medicshelley:

      My default router is not the pfSense box. I'm guessing this might be part of the issue as well.

    podilarius:

      In the VPN rule in the firewall, it will not be the WAN net. It is going to be the remote private subnet. I would use a source of any until you know the VPN config is sound.

    podilarius:

      @medicshelley wrote:

          My default router is not the pfSense box. I'm guessing this might be part of the issue as well.

      It could be, so you would need to add the route to the remote subnet in your default router, pointing to the pfSense box.

    medicshelley:

      Could I make the default router the pfSense box for those 10.87.3/100 LANs?

    podilarius:

                      If the traffic doesn't have to go in another direction, yes.

    medicshelley:

      I was just playing around and turned off the firewall completely. Once I did that, I was able to ping the opposite ends of the tunnel from both sides from the webGUI. I wasn't able to reach the local subnets on either end. So this just has to be a routing/rules issue.

    podilarius:

      So far that is what it sounds like ... but the rule you have is not correct either. WAN net is only the subnet that your WAN is on, not the internet.

    heper:

      Also ... maybe ... perhaps ... do not use port 443; possibly the pfSense webGUI httpd is already bound to it.

    medicshelley:

      I restarted and am now able to ping across to the other side's VPN tunnel and the front end of the other LAN from the webGUI, but am unable to ping from a station on those LANs.

    podilarius:

                                Did you change the OpenVPN firewall allow rule on both sides? Try a reboot on both sides after that. Also check your routing on the remote site to make sure that is not an issue.

    medicshelley:

      I'm rebooting on both ends now. Here are my current rules on both the server and client.

      [Attached screenshots: lanrules.png, vpnrules.png, wanrules.png]

    podilarius:

      Your LAN rule is incorrect. Again, WAN address or WAN subnet is not the internet, nor either side of the tunnel. Change the source to be any to any on any port to start with. After you have made sure that the connection is working and the routing is correct, then you can limit your rules if you like. Just make sure that you are wary of what you are blocking, and please make use of aliases to help you create rules.

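An added consistency check for the shared-key site-to-site setup posted in this thread (example code, not from the thread or from pfSense): it mirrors the two ends' tunnel/local/remote settings, flags the port-443 collision heper mentioned, tests whether an OpenVPN-tab rule's source actually covers the far LAN rather than "WAN net", and reports the static route a non-pfSense default router would need. The client LAN of 10.87.100.0/24, the two /24 WAN subnets and the gateway addresses are assumptions.

```python
from ipaddress import ip_network

# Settings as posted in the thread. The client's local LAN (10.87.100.0/24)
# and both /24 WAN subnets are assumptions; the thread only shows the WAN
# addresses 10.3.1.145 and 10.4.1.125.
SERVER = {"tunnel": "10.87.2.0/24", "local": "10.87.3.0/24",
          "remote": "10.87.100.0/24", "proto": "TCP", "port": 443,
          "wan_net": "10.3.1.0/24"}
CLIENT = {"tunnel": "10.87.2.0/24", "local": "10.87.100.0/24",
          "remote": "10.87.3.0/24", "proto": "TCP", "port": 443,
          "wan_net": "10.4.1.0/24"}
GUI_PORT = 443  # pfSense webConfigurator listens on 443 by default


def check_site_to_site(server, client, gui_port=GUI_PORT):
    """Return a list of problems with a shared-key pair; [] means consistent."""
    problems = []
    if ip_network(server["tunnel"]) != ip_network(client["tunnel"]):
        problems.append("tunnel network differs between the two ends")
    # Each end's 'remote network' must be the other end's LAN, otherwise no
    # route to the far LAN is installed when the tunnel comes up.
    if ip_network(server["remote"]) != ip_network(client["local"]):
        problems.append("server 'remote network' is not the client LAN")
    if ip_network(client["remote"]) != ip_network(server["local"]):
        problems.append("client 'remote network' is not the server LAN")
    if (server["proto"], server["port"]) != (client["proto"], client["port"]):
        problems.append("protocol/port do not match")
    if server["port"] == gui_port:
        problems.append(f"port {gui_port} may already be bound by the webGUI")
    return problems


def openvpn_rule_allows(rule_source, remote_lan, wan_net):
    """True if an OpenVPN-tab rule with this source admits traffic from the
    far LAN. Packets leaving the tunnel carry the remote LAN as source, so a
    source of 'WAN net' (the subnet the WAN interface sits on) never matches."""
    if rule_source == "any":
        return True
    src = ip_network(rule_source)
    if src == ip_network(wan_net):
        return False
    return ip_network(remote_lan).subnet_of(src)


def route_needed(default_gateway, pfsense_lan_ip, remote_lan):
    """If LAN hosts default to a router other than pfSense, that router needs
    a static route for the far LAN via pfSense; returns (dest, via) or None."""
    if default_gateway == pfsense_lan_ip:
        return None
    return (remote_lan, pfsense_lan_ip)
```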
    medicshelley:

      Thanks, by altering that rule I am now able to ping everything and anything on the LAN side.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.