OpenVPN Site-to-Site connects - but unable to access clients on the other side?
Hi,
I have two pfSense routers - "office" and "warehouse". The OpenVPN tunnel seems to connect - but I can't access hosts on the other side?
I'm attempting to set up an OpenVPN Site-to-Site (Shared Key) VPN as per the pfSense Book at:
https://portal.pfsense.org/docs/book/openvpn/site-to-site-example-configuration-shared-key.html
The "office" one has a few interfaces, but the one I care about has the subnet 10.0.30.0/24. This has things like a printer and server, that we want to access from "warehouse".
The "warehouse" router has the subnet 10.0.48.0/24.
On "office", I've created an OpenVPN server with:
- Server mode: Peer to Peer (Shared Key)
- Protocol: UDP on IPv4 only
- Device mode: tun - Layer 3 Tunnel Mode
- Interface: WAN
- Local port: 1194
- …
- IPv4 Tunnel Network: 10.0.38.0/24
- IPv4 Remote Network: 10.0.48.0/24
I've also added a WAN firewall rule to allow UDP 1194 on the WAN, and also added an OpenVPN firewall rule to allow all.
On the "warehouse" router, I've created an OpenVPN client with:
- Server mode: Peer to Peer (Shared Key)
- Protocol: UDP on IPv4 only
- Device mode: tun - Layer 3 Tunnel Mode
- Interface: WAN
- Local port: Empty
- …
- IPv4 Tunnel Network: 10.0.38.0/24
- IPv4 Remote Network: 10.0.30.0/24
The OpenVPN tunnel appears to connect successfully.
However, from a machine connected to the LAN on "warehouse", I can't seem to access hosts in the 10.0.30.0 address range (i.e. hosts connected to "office"). Should this be working?
Also, a second question: I have a second interface (for wireless) on "warehouse". How do I add this to the VPN tunnel as well?
This is my routing table on "warehouse":
This is my routing table on "office":
Thanks,
Victor
-
@victorhooi said: "The OpenVPN tunnel appears to connect successfully."
So you can see under "Status / OpenVPN" that the tunnel is established?
If yes: from my understanding you do not need to create a route for this simple setup. Can you try what happens if you temporarily disable them?
-
Hi,
Yup, it should be connected:
I haven't created any routes actually; anything that's there was auto-populated by pfSense.
The only thing I did (per the pfSense book) was:
- Create OpenVPN server
- Create firewall rules
Just to confirm: if I'm connected to the LAN on either router, I should be able to access hosts on the other router by their normal IP address, right?
Thanks,
Victor
-
The warehouse client does not have the 10.0.30.0/24 route in the routing table toward the ovpnc1 client process.
Edit / Save the OpenVPN Client configuration there.
If it still does not appear in the routing table, check the OpenVPN logs for errors.
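The missing-route diagnosis in the reply above can be scripted. The following is an added example, not code from this thread or from pfSense: it parses `netstat -rn` output (the FreeBSD routing-table format pfSense uses) and reports which of the tunnel and remote networks are not routed out the OpenVPN interface. The two routing tables embedded in it are constructed to mirror the warehouse box before and after the client was re-saved; the interface names em0/em1 and the WAN gateway 203.0.113.1 are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense). Checks that a FreeBSD/pfSense
# routing table, as printed by "netstat -rn", contains the routes a shared-key
# OpenVPN site-to-site tunnel should install: the tunnel network and every
# remote network, all with the OpenVPN interface in the Netif column
# (ovpnc1 on the client side, ovpns1 on the server side).

# Constructed sample: "warehouse" BEFORE the client was re-saved. The tunnel
# itself is up (10.0.38.0/24 via ovpnc1) but the office LAN 10.0.30.0/24 is
# missing. Interface names em0/em1 and gateway 203.0.113.1 are assumptions.
WAREHOUSE_BEFORE='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.0.38.0/24       10.0.38.2          UGS      ovpnc1
10.0.38.2          link#7             UH       ovpnc1
10.0.48.0/24       link#2             U           em1
127.0.0.1          link#5             UH          lo0'

# Constructed sample: "warehouse" AFTER Edit/Save restarted the client and the
# daemon re-added its routes.
WAREHOUSE_AFTER="$WAREHOUSE_BEFORE
10.0.30.0/24       10.0.38.1          UGS      ovpnc1"

# route_present TABLE NETWORK NETIF
# Exit 0 if NETWORK is a destination whose Netif column (field 4) is NETIF.
route_present() {
    printf '%s\n' "$1" | awk -v net="$2" -v ifc="$3" '
        $1 == net && $4 == ifc { found = 1 }
        END { exit found ? 0 : 1 }'
}

# missing_vpn_routes TABLE NETIF NETWORK...
# Prints each network that is NOT routed out NETIF, one per line.
# Exit 0 when nothing is missing, 1 otherwise.
missing_vpn_routes() {
    mvr_table=$1
    mvr_ifc=$2
    shift 2
    mvr_rc=0
    for mvr_net in "$@"; do
        if ! route_present "$mvr_table" "$mvr_net" "$mvr_ifc"; then
            echo "$mvr_net"
            mvr_rc=1
        fi
    done
    return $mvr_rc
}

# On a live pfSense box this would be run from an SSH shell as:
#   missing_vpn_routes "$(netstat -rn -f inet)" ovpnc1 10.0.38.0/24 10.0.30.0/24
# Here it runs against the constructed tables so the block works offline.
echo "before re-save, routes missing from ovpnc1:"
missing_vpn_routes "$WAREHOUSE_BEFORE" ovpnc1 10.0.38.0/24 10.0.30.0/24 \
    || echo "(fix: Edit/Save the OpenVPN client to restart it, then check the OpenVPN log)"
echo "after re-save, routes missing from ovpnc1:"
missing_vpn_routes "$WAREHOUSE_AFTER" ovpnc1 10.0.38.0/24 10.0.30.0/24 && echo "(none)"
```

A non-empty list means the OpenVPN process did not install its routes, and the next step is the one the reply gives: Edit/Save the client, which restarts the daemon, then read the OpenVPN log if the route still does not appear. The check takes any number of networks, so once a second LAN is listed in the other side's IPv4 Remote Network(s) field (pfSense accepts a comma-separated list there) the same call verifies its route too.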
-
Hi,
I logged in to the Warehouse pfSense router, went to VPN, OpenVPN, Clients, opened up the existing client, didn't change anything, and hit save.
And now VPN works!
To be honest, I don't know if simply waiting a few days to try again helped, or if it was the editing/saving that did it; I should have checked beforehand. Anyhow, out of curiosity, why would editing/saving do anything?
I also want to know in case I need to troubleshoot this again, or it stops working (touch wood).
OpenVPN logs:
Routes:
Cheers,
Victor
-
It restarts the openvpn daemon and adds all the routes again. It is possible that route existed due to something else adding it and when you started the client with that route there it could not add it for itself. Then it was subsequently removed. Or something. Impossible to know without seeing that event actually occur.