OpenVPN Site to Site Setup
-
You are not understanding at all. We should not be seeing traffic with "public" IP addresses. That looks like a capture on the WAN.
We need a capture on LAN that the piings are coming into, then a capture on OpenVPN where the traffic should be routed out. Capture on the OpenVPN on the other side, then the LAN over there it should be going out of.
Nothing on WAN is interesting to us here.
Or you have to draw your network so we can see what it is we are looking at.
-
@derelict I'm very sorry for the confusion. I'm still new to Pfsense and networking in general. This is a very basic setup, so here is a map. There're two sites about 50 miles from each other. There is only a standard managed switch, but there're no VLAN configurations or anything. Basically just plugged in out of the box, with the password changed, etc.
Host Side:
DSL Modem in Bridged Mode>Host PFSense (192.168.0.1)>16 port switch (192.168.0.11) (Netgear GS116Ev2)>Physical Server (192.168.0.250)Client Side:
DSL Modem in Bridged Mode>Client PFSense (192.168.1.1)>Laptop connected to port 4 (192.168.1.104)Between every packet capture and ping, I would restart the VPN server, then the VPN client, then ping from the listed machine.
The below captures are pinging the Host PFSense (192.168.0.1) from the laptop connected directly to the Client Side PFSense
Server Side LAN Interface:
https://pastebin.com/sJkUi1djClient Side LAN Interface:
https://pastebin.com/UgVfAbuJServer Side OpenVPN Interface:
Filtered by ICMP, I get no results.Client Side OpenVPN Interface:
Filtered by ICMP, I get no results.The below captures are pinging the Client Side PFSense (192.168.1.1) from the Physical Server connected through the switch, on the Host PFSense.
Server Side LAN Interface:
https://pastebin.com/ijXcrx58Client Side LAN Interface:
Filtered by ICMP, I get no results.Server Side OpenVPN Interface:
Filtered by ICMP, I get no results.Client Side OpenVPN Interface:
Filtered by ICMP, I get no results. -
Please post the output from executing
netstat -rn4in Diagnostics > Command Prompt on both nodes.Please post screenshots directly to the forum. pastebin links are hard to follow.
-
@derelict Client Side:
Server Side:
-
Notice you do not have 192.168.0.0/24 routes into the tunnel on the 192.168.1.0/24 side and you do not have routes to 192.168.1.0/24 into the tunnel on the 192.168.0.0/24 side.
Add the CIDR/route for the other side on each side's OpenVPN Remote Networks settings.
On the server side you should end up with a route for 192.168.1.0/24 gateway 10.8.0.1 Netif ovpns2
On the client side you should end up with a route for 192.168.0.0/24 gateway 10.8.0.2 Netif ovpnc1
-
Which would have been readily apparent had the configs been posted a week ago.
-
@derelict I had those settings set exactly as you stated before. I did not have them set when I posted the initial netstat, I apologize. However, I'm still experiencing the exact same issue. Can ping the client side PF from the server, but not the other way around.
@marvosa I'm not sure how to get those config files. If you could let me know how to get those, I'd be more than happy to.
Server Side:
Client Side:
-
@sage-badolato said in OpenVPN Site to Site Setup:
Can ping the client side PF from the server, but not the other way around.
Then it is either the firewall rules on the server side's OpenVPN tab or the firewall on the device you are pinging itself.
-
@sage-badolato said in OpenVPN Site to Site Setup:
@marvosa I'm not sure how to get those config files. If you could let me know how to get those, I'd be more than happy to.
The OpenVPN config files are located here:
/var/etc/openvpnYou can view the contents via the shell or Diagnostics -> Edit File
-
Ended up finding that Client Override needed to be enabled on the Server Side PFsense. Once we enabled this, everything started working.
