Netgate Discussion Forum

    Can't pass traffic across OpenVPN client

      lagreca

      I'm sure I'm doing something incorrectly, but I can't figure out where I've gone wrong…

      I set up an OpenVPN client between my pfSense and an Asus RT-87u at the remote end.  The VPN appears to be up:

      Here are my OpenVPN firewall rules:

      If I go into the Diagnostics -> Ping, and try to ping 172.20.10.250, it is successful.

      Results
      PING 172.20.10.250 (172.20.10.250) from 10.8.0.6: 56 data bytes
      64 bytes from 172.20.10.250: icmp_seq=0 ttl=63 time=95.583 ms
      64 bytes from 172.20.10.250: icmp_seq=1 ttl=63 time=95.890 ms
      64 bytes from 172.20.10.250: icmp_seq=2 ttl=63 time=96.151 ms

      --- 172.20.10.250 ping statistics ---
      3 packets transmitted, 3 packets received, 0.0% packet loss

      So I'm fairly certain that the VPN is running, and the pfSense can ping devices on the far end.  I just can't ping devices from the LAN subnet.  Which leads me to believe it might just be a rule missing to allow this.  However, I have added all kinds of rules, and can't seem to figure out how to pass traffic from my LAN to the remote LAN.

        viragomann

        I guess the pfSense isn't the default gateway on your LAN host. If so, you need a static route for the remote LAN at your PC.

          lagreca

          The pfSense (10.0.1.254) IS the default gateway on my LAN.

          ![Screenshot 2016-04-14 13.53.25.png](/public/imported_attachments/1/Screenshot 2016-04-14 13.53.25.png)

            viragomann

            And at the other site? Is the route to your LAN known?
            If the ASUS router is the default gateway, you have to add the route to it.

              lagreca

              I had an Asus router on this end, and the VPN was functioning.  I replaced my end with a pfSense, and have been struggling to get the VPN working ever since.

              When I log into the remote Asus, I can see that my OpenVPN user shows as connected.  So the VPN shows that it's functioning on both ends.  On this end, I can ping a remote LAN machine using the Diagnostics -> ping functionality.  I just can't get any device on MY LAN to talk to the remote LAN.

              I was guessing it is something as simple as a firewall rule..  But I'm just not sure…

                viragomann

                @lagreca:

                On this end, I can ping a remote LAN machine using the Diagnostics -> ping functionality.

                If you do that pfSense uses the VPN IP, which is known by the Asus router, of course.

                If you cannot add a static route to the router, you can also solve this by NAT.
                Go to Firewall > NAT > Outbound; if it does automatic rule generation, check hybrid or manual and hit save.
                Add a new rule:
                Interface: OpenVPN
                Source: Network and enter your LAN network
                The rest can be left at defaults, save it.

                If you have more than one OpenVPN connection, you have to assign an interface to each first and use this in the rule here.

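The return-path reasoning in this thread, modelled as an added example (not written by either poster and not pfSense code): a reply only comes back through the tunnel if the remote router has a route for the packet's source address, which a static route or outbound NAT on the OpenVPN interface provides. Only 10.0.1.254, 10.8.0.6 and 172.20.10.250 come from the thread; the /24 masks, the 10.8.0.0/24 tunnel subnet, the Asus routing table and the LAN host 10.0.1.50 are assumptions.

```python
import ipaddress

# Assumed addressing (masks are not given in the thread).
LAN = ipaddress.ip_network("10.0.1.0/24")        # local LAN behind pfSense
TUNNEL_IP = ipaddress.ip_address("10.8.0.6")     # pfSense's OpenVPN client address

# Hypothetical routing table on the remote Asus router: (prefix, next hop).
ASUS_ROUTES = [
    (ipaddress.ip_network("172.20.10.0/24"), "lan"),
    (ipaddress.ip_network("10.8.0.0/24"), "tunnel"),
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),
]


def next_hop(routes, dst):
    """Longest-prefix match of dst against a routing table."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def source_on_wire(src, outbound_nat):
    """Source address the remote side sees once the packet leaves pfSense.

    With an outbound NAT rule on the OpenVPN interface for the LAN network,
    LAN sources are rewritten to the tunnel address.
    """
    src = ipaddress.ip_address(src)
    if outbound_nat and src in LAN:
        return TUNNEL_IP
    return src


def reply_returns(src, routes, outbound_nat=False):
    """True if the remote router sends the reply back through the tunnel."""
    return next_hop(routes, source_on_wire(src, outbound_nat)) == "tunnel"


if __name__ == "__main__":
    static = ASUS_ROUTES + [(LAN, "tunnel")]  # option 1: static route on the Asus
    print("pfSense ping (10.8.0.6):     ", reply_returns("10.8.0.6", ASUS_ROUTES))
    print("LAN host, no route, no NAT:  ", reply_returns("10.0.1.50", ASUS_ROUTES))
    print("LAN host, static route:      ", reply_returns("10.0.1.50", static))
    print("LAN host, outbound NAT:      ", reply_returns("10.0.1.50", ASUS_ROUTES, True))
```

With the NAT option every LAN host appears to the remote side as 10.8.0.6, so remote firewall rules and logs cannot tell the hosts apart; the static route keeps the original source addresses visible.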
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.