Netgate Discussion Forum

    Clients cannot talk to each other

    • H Offline
      highc
      last edited by

      Hi - I set up an OpenVPN server for 2 clients to be able to talk to each other (and, ideally, get the same broadcasts so that they can play together for gaming etc.).

      When the clients connect, both can ping their own machine and the server. But they cannot ping each other.

      I have attached screen shots from the server configuration.

      Client configurations were created with the export package and look like this:

      dev tap
      persist-tun
      persist-key
      cipher AES-256-CBC
      auth SHA1
      tls-client
      client
      resolv-retry infinite
      remote <ip> 31195 udp
      verify-x509-name "pfSenseOpenVPNGamingServer" name
      auth-user-pass
      pkcs12 router-udp-31195-name.p12
      tls-auth router-udp-31195-name-tls.key 1
      remote-cert-tls server
      

      Routing on the clients looks ok as well… from "route print":

      
                0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.2     15
              10.0.11.0    255.255.255.0   Auf Verbindung         10.0.11.2    291
              10.0.11.2  255.255.255.255   Auf Verbindung         10.0.11.2    291
            10.0.11.255  255.255.255.255   Auf Verbindung         10.0.11.2    291
              127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    331
              127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1    331
        127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    331
            192.168.1.0    255.255.255.0   Auf Verbindung       192.168.1.2    271
            192.168.1.2  255.255.255.255   Auf Verbindung       192.168.1.2    271
          192.168.1.255  255.255.255.255   Auf Verbindung       192.168.1.2    271
           192.168.56.0    255.255.255.0   Auf Verbindung      192.168.56.1    281
           192.168.56.1  255.255.255.255   Auf Verbindung      192.168.56.1    281
         192.168.56.255  255.255.255.255   Auf Verbindung      192.168.56.1    281
              224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1    331
              224.0.0.0        240.0.0.0   Auf Verbindung      192.168.56.1    281
              224.0.0.0        240.0.0.0   Auf Verbindung       192.168.1.2    271
              224.0.0.0        240.0.0.0   Auf Verbindung         10.0.11.2    291
        255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    331
        255.255.255.255  255.255.255.255   Auf Verbindung      192.168.56.1    281
        255.255.255.255  255.255.255.255   Auf Verbindung       192.168.1.2    271
        255.255.255.255  255.255.255.255   Auf Verbindung         10.0.11.2    291
      

      Any hint what might be wrong?

      Thanks!
      OVPN_Config_1.png
      OVPN_Config_2.png
      OVPN_Config_3.png

      pfSense+ 24.03 on Netgate SG-2100 (replaced SG-2440)
      pfSense 2.6 on Super Micro 5018D-FN4T (retired)

      • T Offline
        tempes2k
        last edited by

        hi, what about your firewall rules?
        let us know which rules you have.

        • H Offline
          highc
          last edited by

          The interfaces WAN and OpenVPN both have the rules created by the OpenVPN wizard right at the top.

          WAN then has a number of port forwards (not 31195), but only after that OpenVPN rule.

          ![Firewall WAN.png](/public/imported_attachments/1/Firewall WAN.png)
          ![Firewall OpenVPN.png](/public/imported_attachments/1/Firewall OpenVPN.png)

          • DerelictD Offline
            Derelict LAYER 8 Netgate
            last edited by

            And the OpenVPN Clients just need to talk to each other? Not a bridged interface on the server?

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • H Offline
              highc
              last edited by

              I just want the clients to be able to talk to each other, yes - so that they are in the same subnet with broadcasts etc. working. To enable "LAN gaming" mode as offered by some games.

              • V Offline
                viragomann
                last edited by

                Maybe a stupid question, but I'm not sure of this: Have you considered accessing the other client by its VPN IP?

                • H Offline
                  highc
                  last edited by

                  10.0.11.2 (first VPN client) can ping 10.0.11.1 (pfSense). 10.0.11.3 (2nd VPN client) can ping 10.0.11.3. 10.0.11.2 cannot ping 10.0.11.3 (or vice versa).

                  • V Offline
                    viragomann
                    last edited by

                    Ensure that the clients' system firewall doesn't block the access.
                    Windows Firewall classifies such VPNs as untrusted, as there is no gateway set, and blocks access from it.

                    To outfox this behavior, I push the default route to the client with a high metric, so the original default route is still preferred. However, the metric is applied to all routes pushed by the OpenVPN server, but that doesn't matter usually.

                    In your case, since that only pertains to two clients, it would be better to try to set the VPN as a trusted network in Windows or open up the firewall to allow that access.

                    • H Offline
                      highc
                      last edited by

                      Windows Firewalls are disabled on both machines…

                      With pushing a route, do you mean adding

                      push "route 10.0.11.0 255.255.255.0"
                      

                      to "Custom options" in the "Advanced Configuration" part of the OpenVPN server configuration?

                      • V Offline
                        viragomann
                        last edited by

                        push "route-metric 512";push "route 0.0.0.0 0.0.0.0"
                        
                        • H Offline
                          highc
                          last edited by

                          Thanks, works!

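Added example (not part of the thread, and not pfSense or OpenVPN code): a Python check over Windows `route print` rows that reports which interfaces have no default route, the condition viragomann describes for the VPN adapter, and which default route stays preferred once `push "route-metric 512";push "route 0.0.0.0 0.0.0.0"` is applied. The "before" rows are taken from the first post; the "after" row (gateway 10.0.11.1, metric 547) is constructed for illustration.

```python
import re

# Constructed sample: selected rows of the client's "route print" from the first
# post (BEFORE), plus an assumed row for the pushed default route (AFTER).
# Gateway 10.0.11.1 and metric 547 are illustrative; any metric above 15 behaves the same.
BEFORE = """\
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.2     15
        10.0.11.0    255.255.255.0   Auf Verbindung         10.0.11.2    291
      192.168.1.0    255.255.255.0   Auf Verbindung       192.168.1.2    271
     192.168.56.0    255.255.255.0   Auf Verbindung      192.168.56.1    281
"""
AFTER = BEFORE + "          0.0.0.0          0.0.0.0        10.0.11.1        10.0.11.2    547\n"

IP = r"(\d+\.\d+\.\d+\.\d+)"
# destination, netmask, gateway (an IP or localized "on-link" text), interface, metric
ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+(.+?)\s+{IP}\s+(\d+)\s*$")

def parse_routes(text):
    """Return (destination, netmask, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append((dest, mask, gw.strip(), iface, int(metric)))
    return routes

def default_routes(routes):
    """Default routes (0.0.0.0/0), lowest metric (preferred) first."""
    defaults = [r for r in routes if r[0] == "0.0.0.0" and r[1] == "0.0.0.0"]
    return sorted(defaults, key=lambda r: r[4])

def interfaces_without_gateway(routes):
    """Interfaces that carry routes but have no default route of their own."""
    with_gw = {r[3] for r in default_routes(routes)}
    return sorted({r[3] for r in routes} - with_gw)

def preferred_default(routes):
    """Interface whose default route wins on metric, or None if there is none."""
    defaults = default_routes(routes)
    return defaults[0][3] if defaults else None

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        routes = parse_routes(table)
        print(label, "no gateway:", interfaces_without_gateway(routes),
              "preferred default via:", preferred_default(routes))
```

After the push, 10.0.11.2 no longer appears in the no-gateway list, while Internet traffic still leaves through 192.168.1.2 because its default route has the lower metric.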