    Client to Client Openvpn connects but no traffic (Solved)

    25 Posts 3 Posters 11.4k Views
    • Shaddoh

      Which site is the server, which the client?
      Site A is the server and site B is the client

      Are both pfSense boxes the default gateways in their networks?
      Yes both are the default gateways

      Have you add firewall rule to allow access?
      Yes, I had even changed them to any any any to verify if the firewall was causing it.

      What are your local networks?
      Site A internal is 192.168.3.1/24. This is the pfSense IP, and it then uses one port connected to the LAN network on DHCP, and a separate port connected to a wifi device that acts as a public wifi. I have a firewall rule to not allow anything on the wifi subnet to talk to the LAN. The wifi network is 192.168.4.1/24.

      Site B is 192.168.10.1/24 on pfSense, then it has a LAN on the .10 network on DHCP. It has another port that is 192.168.11.1/24 for private wifi, and another port for 192.168.12.1/24 for public wifi.

      Post the routes of both sites.

      • Shaddoh

        Network map made in paint :)

        [attachment: network.png]

        • viragomann

          Okay, and you only want to access the server in site A LAN 192.168.3.1/24 from site B LAN 192.168.10.1/24?
          Please post the IPv4 routing tables of both pfSense. Diagnostic > Routes

          • Shaddoh

            This is site A. The public address has been blacked out

            ![routes at site A.PNG](/public/imported_attachments/1/routes at site A.PNG)

            • Shaddoh

              This is site B. The public IP has been blocked out

              ![Site B routes.PNG](/public/imported_attachments/1/Site B routes.PNG)

              • Shaddoh

                And yes, the objective is to view the file server at site A from site B

                • viragomann

                  It seems the screenshots are not taken from the same connection. The first shows the VPN server with 192.168.100.1 and the client with 192.168.100.2, the second shows the server has 192.168.100.5 and the client 192.168.100.6.

                  However, it looks like there is something misconfigured at the client.
                  Have you deleted any client specific override on server?
                  Post the client settings, please.

                  • Shaddoh

                    Client side config file

                    [attachment: client1.PNG]

                    • Shaddoh

                      Client side config page 2

                      [attachment: Client2.PNG]

                      • Shaddoh

                        Client over ride on the server side

                        [attachment: serverside.PNG]

                        • viragomann

                          If you only have one VPN client you don't need client specific overrides, as I've already mentioned. So you should delete it and enter the client's LAN subnet 192.168.10.0/24 into the "IPv4 Remote network(s)" box in the server config and the server side's LAN 192.168.3.0/24 into the "IPv4 Remote network(s)" box in the client settings.

                          If you have multiple clients you have to use client specific overrides, but you've set it wrong. At "IPv4 Remote network/s" you have to enter the client side's LAN 192.168.10.0/24 and at "IPv4 Local Network/s" the server side's LAN.

                          • Shaddoh

                            New client side config

                            ![new client side.PNG](/public/imported_attachments/1/new client side.PNG)

                            • Shaddoh

                              New Server side config. NOTE the client specific override has been deleted

                              ![new server side config.PNG](/public/imported_attachments/1/new server side config.PNG)

                              • Shaddoh

                                We are at the same state. I restarted the OpenVPN service on both ends after the change. The status shows as up, but data is not passing through. Please let me know what further info I can post to help resolve this.

                                • viragomann

                                  As you wrote in your first post:
                                  @Shaddoh:

                                  From the router at site B I can ping Computers at site A.
                                  From any computer on site B I can not ping anything at Site A.

                                  There are only two possible reasons for this behavior:

                                  • The pfSense at site B isn't the default gateway.

                                  • The firewall rules don't allow access. Check LAN rules at site B and OpenVPN rules at A.

                                  • The server at site A itself blocks the access from the other subnet. Try to shut down the server's firewall.

                                  If you have no luck use packet capture from pfSense Diagnostic menu to check where the packets are dropped while you're pinging the server from a host at A.

                                  • Shaddoh

                                    @viragomann:

                                    • The pfSense at site B isn't the default gateway.
                                    • The firewall rules don't allow access. Check LAN rules at site B and OpenVPN rules at A.
                                    • The server at site A itself blocks the access from the other subnet. Try to shut down the server's firewall.

                                    Site B pfSense is the default gateway. It is the router being used for DHCP there. There is a modem in front of it but that is it.
                                    I have checked the rules several times and unless I am skipping over something they appear to be correct. I can post pictures of the rules I have.
                                    Firewall is turned off.

                                    Notes:
                                    I read some other forum where someone was asked to create an interface named openvpn and then create rules in there. What I did was use the wizard and it created rules under Firewall > Rules > OpenVPN.

                                    Upgraded the site A pfSense to the latest version. I thought it may have been a bug or something, but it did not help.

                                    • Shaddoh

                                      These are the firewalls on Site A, the server side, hosting OpenVPN.

                                      [attachments: GuestWIFISiteA.png, LANSiteA.png, WANSiteA.png, openvpnSiteA.png]

                                      • bjquinn

                                        Hi, I'm working on the same VPN setup as Shaddoh. We went ahead and upgraded both pfSense routers to 2.3.2_1, deleted all the OpenVPN configuration and started over again, creating the OpenVPN setup with the wizard. Firewall rules look ok. Both client and server now see each other's tunnel IPs as the same (server is 10.0.8.1, client is 10.0.8.2) as opposed to the .1 .2 / .5 .6 mismatch we were seeing before.

                                        Computer on Server's LAN network 192.168.3.50
                                        Server LAN IP 192.168.3.1
                                        Server tunnel IP 10.0.8.1
                                        Client tunnel IP 10.0.8.2
                                        Client LAN IP 192.168.10.1
                                        Computer on Client's LAN network 192.168.10.13

                                        192.168.3.50 can ping all IPs through and including 10.0.8.2, but no further.
                                        192.168.3.1 (i.e. pinging from pfSense server, specifying LAN interface) can ping through to 10.0.8.2, but no further.
                                        10.0.8.1 (i.e. pinging from pfSense server, specifying OpenVPN Server) can ping through to 10.0.8.2, but no further.

                                        Obviously, traffic is flowing over the VPN, but from the server side, it can get to 10.0.8.2 but not from there to 192.168.10.x.

                                        192.168.10.1 (pfSense client, specifying LAN interface) can ping through to 10.0.8.2, but no further.  Unlike server -> client, in this direction the client pfsense LAN interface cannot see the tunnel IP on the server end.
                                        10.0.8.2 (i.e. pinging from pfSense client, specifying OpenVPN client) can ping all the way through to 192.168.3.50.  BUT!  It can't ping 192.168.10.13, which is on the same physical network!

                                        I must have some routing issue, but I can't quite understand what it could be.  192.168.3.50 can get through to 10.0.8.2, but NOT to 192.168.10.1.  Then 10.0.8.2 can get to 192.168.10.1, though it can't see 192.168.10.13, and obviously 192.168.10.1 can ping 192.168.10.13.

                                        The problem seems to be getting from 10.0.8.2 to IPs that are physically on the same pfSense router, though it can connect to the LAN IP of that router.

                                        • viragomann

                                          Why don't you start a new thread. Probably you'll have another issue than Shaddoh.

                                          @bjquinn:

                                          10.0.8.2 (i.e. pinging from pfSense client, specifying OpenVPN client) can ping all the way through to 192.168.3.50.  BUT!  It can't ping 192.168.10.13, which is on the same physical network!

                                          So I guess your client site's pfSense is not the default gateway in its LAN.
                                          A site to site VPN should be established between two default gateways. If one site is not the default gateway in its LAN you have to add special static routes for the other site's LAN or do NAT.

                                          • bjquinn

                                            Sorry, what I meant is that I'm literally working on the same equipment as Shaddoh.  We're working on the same project.  :)

                                            And yeah, it sure seems like the problem is the default gateway of the client computers, but it's not, I've checked that a dozen times.

                                            In fact, what I'm experiencing now is that if I try to ping 192.168.10.13 (a computer on the client side's network) from the client pfsense itself as the tunnel IP, it doesn't work – unless the VPN is down!  Then it works!

                                            I did some packet capturing, and if the VPN is up, then a ping from 10.0.8.2 appears to come directly from 10.0.8.2 to 192.168.10.13, but of course 10.13 is a computer, not the pfsense router, so it doesn't know where 10.0.8.2 is.  If I do that while the VPN is down, the traffic goes from 10.0.8.2 -> 192.168.10.1 -> 192.168.10.13 and back, so the ping goes through.

                                            I've got something desperately wrong in the routing table on the client side, it appears, but I can't for the life of me figure out what it is.  Why won't traffic to/from 10.0.8.x route through 192.168.10.1 first?  The actual computers on 192.168.10.x network know nothing about 10.0.8.x.

                                            This is the routing table of the client side while the vpn is up --

                                            default [wan gw] UGS igb0
                                            10.0.8.0/24 10.0.8.2 UGS ovpnc1
                                            10.0.8.1 link#9 UH ovpnc1
                                            10.0.8.2 link#9 UHS lo0
                                            [wan network]/19 link#1 U igb0
                                            [wan ip] link#1 UHS lo0
                                            127.0.0.1 link#8 UH lo0
                                            192.168.3.0/24 10.0.8.1 UGS ovpnc1
                                            192.168.10.0/24 link#2 U igb1
                                            192.168.10.1 link#2 UHS lo0
                                            192.168.11.0/24 link#3 U igb2
                                            192.168.11.1 link#3 UHS lo0
                                            192.168.12.0/24 link#4 U igb3
                                            192.168.12.1 link#4 UHS lo0
                                            [dns 1] [mac of igb0] UHS igb0
                                            [dns 1] [mac of igb0] UHS igb0

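An added example (not code from the thread, nor pfSense's own) that parses a pfSense/BSD-style routing table like the one bjquinn posted and does a longest-prefix lookup, so the forwarding decision for each destination can be checked: a destination whose route has no gateway (no "G" flag, e.g. 192.168.10.0/24 on igb1) is sent out directly with whatever source address was chosen, which is why a ping sourced from 10.0.8.2 reaches 192.168.10.13 on the wire but only gets a reply if that host routes 10.0.8.0/24 back through 192.168.10.1. The redacted WAN and DNS entries are replaced with constructed RFC 5737 placeholders.

```python
import ipaddress

# Constructed copy of the client-side table from the post above; the redacted
# [wan gw]/[wan ip]/[dns] entries are replaced with RFC 5737 placeholder values.
CLIENT_ROUTES = """\
default 203.0.113.1 UGS igb0
10.0.8.0/24 10.0.8.2 UGS ovpnc1
10.0.8.1 link#9 UH ovpnc1
10.0.8.2 link#9 UHS lo0
203.0.113.0/24 link#1 U igb0
203.0.113.50 link#1 UHS lo0
127.0.0.1 link#8 UH lo0
192.168.3.0/24 10.0.8.1 UGS ovpnc1
192.168.10.0/24 link#2 U igb1
192.168.10.1 link#2 UHS lo0
192.168.11.0/24 link#3 U igb2
192.168.11.1 link#3 UHS lo0
192.168.12.0/24 link#4 U igb3
192.168.12.1 link#4 UHS lo0
"""

def parse_routes(text):
    """Turn 'Destination Gateway Flags Netif' lines into (network, gw, flags, netif)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gw, flags, netif = parts[:4]
        # 'default' is 0.0.0.0/0; a bare address is a host route, which becomes /32
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        routes.append((net, gw, flags, netif))
    return routes

def lookup(routes, dst):
    """Longest-prefix match. Returns (next_hop, netif); next_hop is None when on-link."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen, default=None)
    if best is None:
        return None
    net, gw, flags, netif = best
    # Without the 'G' flag the kernel sends directly out of netif, keeping the
    # chosen source address (e.g. 10.0.8.2 straight onto igb1 for 192.168.10.13)
    return (gw if "G" in flags else None, netif)

if __name__ == "__main__":
    table = parse_routes(CLIENT_ROUTES)
    for host in ("192.168.3.50", "192.168.10.13", "192.168.10.1", "8.8.8.8"):
        print(host, "->", lookup(table, host))
```

Running it against a table copied from Diagnostics > Routes shows, for each remote and local address, whether the pfSense forwards via the tunnel peer, the WAN gateway, or directly on a LAN interface.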
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.