Netgate Discussion Forum
    OpenVPN Site-to-Site connects - but unable to access clients on the other side?

    6 Posts 3 Posters 764 Views
    victorhooi:

      Hi,

      I have two pfSense routers - "office" and "warehouse". The OpenVPN tunnel seems to connect - but I can't access hosts on the other side?

      I'm attempting to set up an OpenVPN Site-to-Site (Shared Key) VPN as per the pfSense Book at:

      https://portal.pfsense.org/docs/book/openvpn/site-to-site-example-configuration-shared-key.html

      The "office" one has a few interfaces, but the one I care about has the subnet 10.0.30.0/24. This has things like a printer and server, that we want to access from "warehouse".

      The "warehouse" router has the subnet 10.0.48.0/24.

      On "office", I've created an OpenVPN server with:

      • Server mode: Peer to Peer (Shared Key)

      • Protocol: UDP on IPv4 only

      • Device mode: tun - Layer 3 Tunnel Mode

      • Interface: WAN

      • Local port: 1194

      • …

      • IPv4 Tunnel Network: 10.0.38.0/24

      • IPv4 Remote Network: 10.0.48.0/24

      I've also added a WAN firewall rule to allow UDP 1194 on the WAN, and an OpenVPN firewall rule to allow all.

      On the "warehouse" router, I've created an OpenVPN client with:

      • Server mode: Peer to Peer (Shared Key)

      • Protocol: UDP on IPv4 only

      • Device mode: tun - Layer 3 Tunnel Mode

      • Interface: WAN

      • Local port: Empty

      • …

      • IPv4 Tunnel Network: 10.0.38.0/24

      • IPv4 Remote Network: 10.0.30.0/24

      The OpenVPN tunnel appears to connect successfully.

      However, from a machine connected to the LAN on "warehouse" - I can't seem to access hosts in the 10.0.30.0 address range (i.e. hosts connected to "office"). Should this be working?

      Also - second question - I have a second interface (for wireless) on "warehouse". How do I add this to the VPN tunnel as well?

      This is my routing table on "warehouse":

      This is my routing table on "office":

      Thanks,
      Victor

      hbauer:

        You said:

        @victorhooi: "The OpenVPN tunnel appears to connect successfully."

        So you can see under "Status / OpenVPN" that the tunnel is established?

        If yes: from my understanding you do not need to create a route for this simple setup. Can you try what happens if you temporarily disable them?

        victorhooi:

          Hi,

          Yup - should be connected:

          I haven't created any routes actually - anything that's there was auto-populated by pfSense.

          The only thing I did (per the pfSense book) was:

          • Create OpenVPN server

          • Create firewall rules

          Just to confirm - if I'm connected to the LAN on either router - I should be able to access hosts on the other router, as per their normal IP address, right?

          Thanks,
          Victor

          Derelict (Netgate):

            The warehouse client does not have the 10.0.30.0/24 route in the routing table toward the ovpnc1 client process.

            Edit / Save the OpenVPN Client configuration there.

            If it still does not appear in the routing table, check the OpenVPN logs for errors.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)
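The diagnosis above reduces to one check a practitioner can script. In pfSense's shared-key peer-to-peer mode every entry in the client's "IPv4 Remote Network(s)" field (comma-separated, so several subnets are allowed) becomes a `route <net> <mask>` line in the OpenVPN config pfSense generates, and each of those routes must show up in the system routing table (Diagnostics > Routes in the GUI, or `netstat -rn -f inet` from a shell) pointing at the client's `ovpncN` interface. The script below is an added example, not code from the thread or from pfSense: it parses a constructed client config and two constructed routing tables (one mirroring the thread, with the tunnel route present but 10.0.30.0/24 absent; one for the state after the client was re-saved) and reports every expected route that is missing or on the wrong interface. The config file path in the comments is an assumption that varies between pfSense versions, and the second `route` line is a constructed stand-in for a second Remote Network entry (the same mechanism, applied on the office server's side, is what would carry the warehouse wireless subnet).

```shell
#!/bin/sh
# Added example: cross-check the routes an OpenVPN client config asks for
# against the FreeBSD routing table on a pfSense box. Sample inputs are
# constructed; on a real system replace them with the generated client
# config (path is version dependent, e.g. /var/etc/openvpn/client1.conf
# on 2.4.x - an assumption) and the output of: netstat -rn -f inet

# Constructed client config in the shape pfSense writes for a shared-key
# peer-to-peer client. Each "route" line comes from one Remote Network entry.
OVPN_CONF='dev ovpnc1
dev-type tun
proto udp4
secret /var/etc/openvpn/client1.secret
ifconfig 10.0.38.2 10.0.38.1
route 10.0.30.0 255.255.255.0
route 10.0.31.0 255.255.255.0'

# Constructed "netstat -rn -f inet" output as seen in the thread: the tunnel
# network is routed via ovpnc1, but the remote office networks are not.
ROUTE_TABLE_BROKEN='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.0.38.0/24       10.0.38.1          UGS      ovpnc1
10.0.38.1          link#8             UH       ovpnc1
10.0.38.2          link#8             UHS         lo0
10.0.48.0/24       link#2             U           em1
127.0.0.1          link#4             UH          lo0'

# Constructed routing table after the client was re-saved and restarted.
ROUTE_TABLE_FIXED='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.0.30.0/24       10.0.38.1          UGS      ovpnc1
10.0.31.0/24       10.0.38.1          UGS      ovpnc1
10.0.38.0/24       10.0.38.1          UGS      ovpnc1
10.0.38.1          link#8             UH       ovpnc1
10.0.38.2          link#8             UHS         lo0
10.0.48.0/24       link#2             U           em1
127.0.0.1          link#4             UH          lo0'

# Convert a dotted netmask to a prefix length (255.255.255.0 -> 24).
# Fails on non-contiguous or malformed masks.
mask_to_prefix() {
    bits=0; closed=0
    oldIFS=$IFS; IFS=.
    for octet in $1; do
        if [ "$closed" = 1 ] && [ "$octet" != 0 ]; then IFS=$oldIFS; return 1; fi
        case $octet in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); closed=1 ;;
            252) bits=$((bits + 6)); closed=1 ;;
            248) bits=$((bits + 5)); closed=1 ;;
            240) bits=$((bits + 4)); closed=1 ;;
            224) bits=$((bits + 3)); closed=1 ;;
            192) bits=$((bits + 2)); closed=1 ;;
            128) bits=$((bits + 1)); closed=1 ;;
            0)   closed=1 ;;
            *)   IFS=$oldIFS; return 1 ;;
        esac
    done
    IFS=$oldIFS
    echo "$bits"
}

# Print "net/prefix" for every "route <net> <mask>" line of the config on stdin.
expected_routes() {
    while read -r key net mask _; do
        [ "$key" = "route" ] || continue
        prefix=$(mask_to_prefix "$mask") || { echo "bad mask: $net $mask" >&2; continue; }
        echo "$net/$prefix"
    done
}

# Print the Netif column of the routing-table row (netstat output on stdin)
# whose Destination equals $1; prints nothing when no such route exists.
route_netif() {
    awk -v want="$1" '$1 == want { print $4; exit }'
}

# $1: OpenVPN config text, $2: netstat -rn output, $3: expected interface.
# Prints each expected route that is absent or on another interface;
# returns 1 if any such route was found, 0 when everything is in place.
missing_routes() {
    rc=0
    for r in $(printf '%s\n' "$1" | expected_routes); do
        got=$(printf '%s\n' "$2" | route_netif "$r")
        if [ -z "$got" ]; then
            echo "missing: $r (expected via $3)"; rc=1
        elif [ "$got" != "$3" ]; then
            echo "wrong interface: $r via $got (expected $3)"; rc=1
        fi
    done
    return $rc
}

demo() {
    for label in BROKEN FIXED; do
        eval "table=\$ROUTE_TABLE_$label"
        if missing_routes "$OVPN_CONF" "$table" ovpnc1; then
            echo "$label: all remote networks routed via ovpnc1"
        else
            echo "$label: edit/save the OpenVPN client to restart it, then check the OpenVPN log"
        fi
    done
}
demo
```

Run it as-is to see both states; on a live box feed it the real config and `netstat -rn -f inet` output. A route present but pointing at the wrong interface is reported separately, since that is exactly the "something else added it first" case described in the thread.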

              victorhooi:

              Hi,

              I logged in to the Warehouse pfSense Router - went to VPN, OpenVPN, Clients. Opened up the existing client, didn't change anything, and hit save.

              And now VPN works!

              To be honest, I don't know if simply waiting a few days to try again helped, or if it was the editing/saving that did it - I should have checked beforehand. Anyhow - out of curiosity - why would editing/saving do anything?

              I also want to know in case I need to troubleshoot this again, or it stops working (touch wood).

              OpenVPN logs:


              Routes:

              Cheers,
              Victor

                Derelict (Netgate):

                It restarts the openvpn daemon and adds all the routes again. It is possible that route existed due to something else adding it and when you started the client with that route there it could not add it for itself. Then it was subsequently removed. Or something. Impossible to know without seeing that event actually occur.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.