Netgate Discussion Forum

    Openvpn site to site remote network not accessible

      erdeidominik99

      Hello! I have an OpenVPN site-to-site tunnel between a pfSense and a Windows server. The pfSense is the client, with 192.168.0.0/24 LAN IP. On the other side the Windows server has 192.168.15.0/24 LAN. The OpenVPN tunnel has the 10.0.13.0/30 address range. I can ping/tracert the client-side LAN from the server side, but I can't ping the server-side LAN from the client side. If I ping 10.0.13.1, which is the server IP in the tunnel, it works.

        JKnott

        Do you have a route back to the 192.168.15.0 network?

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          erdeidominik99

          In diagnostic/routes I have a line:
          10.0.15.0/24 10.0.11.1 UGS 0 1500 ovpnc3
          so yes, I have. If I tracert something in the 15.0 subnet, the request goes as far as the local pfSense and then times out, so it can't go through the tunnel. On the Windows machine, which is the server, do I need any bridging or something?

            JKnott

            You need a route to 192.168.15.0. For example, when I show the route on my notebook computer, with OpenVPN up, I see a default route through the tunnel. Do you see that? If your default route is not through the tunnel, then you'll need a specific route to 192.168.15.0/24. If you don't have one of those, then you have no way for packets to get back to the Windows server.

            So, what does the route show?

              erdeidominik99

              On the clients there is no route to that network. There is only a default route to the pfSense. But shouldn't that route be on the pfSense? Because, for example, for my IPsec tunnel there is no route on the clients.

                JKnott

                What does the default route show on the client? Does it show a route back through the tunnel? Or out to whatever network that computer is connected to? If you don't have a default or specific route that goes back to the same network as that Windows server, then you won't be able to access it. The default route can use just the tunnel, without specifying the address of the server network, but a specific route must specify 192.168.15.0.

                What operating system is the client running? If we know that, we can tell you how to determine what route is available.

                  JKnott

                  @jknott said in Openvpn site to site remote network not accessible:

                  What does the default route show on the client?

                  Here's an example, on Linux:

                  ip -4 route show
                  default via 172.16.255.1 dev tun0 proto static metric 50
                  default via 192.168.43.149 dev wlan0 proto dhcp metric 600
                  172.16.255.0/24 dev tun0 proto kernel scope link src 172.16.255.2 metric 50
                  174.112.12.127 via 192.168.43.149 dev wlan0 proto static metric 600
                  192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.244 metric 600
                  192.168.43.149 dev wlan0 proto static scope link metric 600

                  The default route shows the pfSense address at the other end of the tunnel and that it goes via tun0. If you had a specific route, it would have the network address, instead of default.

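The route selection described in the post above, as an added example that is not part of the original thread: it parses the posted `ip -4 route show` output and applies longest-prefix, then lowest-metric selection to show which interface traffic for the server-side LAN would leave by. The host `192.168.15.10` and the `SPECIFIC` route line are constructed for illustration, and policy routing is ignored.

```python
import ipaddress

# Route table copied from the `ip -4 route show` output in the post above.
ROUTES = """\
default via 172.16.255.1 dev tun0 proto static metric 50
default via 192.168.43.149 dev wlan0 proto dhcp metric 600
172.16.255.0/24 dev tun0 proto kernel scope link src 172.16.255.2 metric 50
174.112.12.127 via 192.168.43.149 dev wlan0 proto static metric 600
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.244 metric 600
192.168.43.149 dev wlan0 proto static scope link metric 600
"""
# Constructed for illustration: a specific route to the thread's server-side LAN.
SPECIFIC = "192.168.15.0/24 via 172.16.255.1 dev tun0\n"
TARGET = "192.168.15.10"  # constructed host inside 192.168.15.0/24

def field(tok, key):
    """Return the token following `key`, or None if the key is absent."""
    return tok[tok.index(key) + 1] if key in tok[:-1] else None

def parse_routes(text):
    """Parse unicast lines of `ip -4 route show` into a list of dicts."""
    routes = []
    for tok in (line.split() for line in text.splitlines()):
        if not tok:
            continue
        try:
            dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # skip non-unicast lines such as "blackhole ..."
        routes.append({"net": net, "via": field(tok, "via"),
                       "dev": field(tok, "dev"),
                       "metric": int(field(tok, "metric") or 0)})
    return routes

def lookup(routes, dst):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in routes if ip in r["net"]]
    return min(hits, key=lambda r: (-r["net"].prefixlen, r["metric"]), default=None)

def egress(text, dst):
    """Interface chosen for dst by prefix/metric selection, or None if unroutable."""
    r = lookup(parse_routes(text), dst)
    return r["dev"] if r else None

if __name__ == "__main__":
    no_tunnel_default = ROUTES.split("\n", 1)[1]  # drop the tun0 default route
    print("posted table      :", egress(ROUTES, TARGET))
    print("no tunnel default :", egress(no_tunnel_default, TARGET))
    print("with specific     :", egress(no_tunnel_default + SPECIFIC, TARGET))
```
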
                    erdeidominik99

                    Finally it works! The problem wasn't on the pfSense side. It was a Windows routing problem!
                    Thanks for your help!

                      JKnott

                      @erdeidominik99 said in Openvpn site to site remote network not accessible:

                      It was a Windows routing problem!

                      Perhaps a missing route back to 192.168.15.0?

                        erdeidominik99

                        @jknott Yes!
