client ping does not work to clients in other network
-
Hello!
Today I set up my OpenVPN site-to-site connection. To connect both sides I decided to use certificates. The connection works. A tunnel is available and everything seems fine.
But when I try to ping from one client in network A to another client in network B it does not work. It seems that ICMP packets are routed to the internet and not into the tunnel.
But "netstat -r" shows the right routes as far as I understand.
Network A: 192.168.30.0/24
Network B: 192.168.2.0/24
Tunnelnet: 172.16.0.0/24

# Side A (192.168.30.0/24)
172.16.0.0/24     172.16.0.1   UGS   ovpnc1
172.16.0.1        link#9       UH    ovpnc1
172.16.0.2        link#9       UHS   lo0
192.168.2.0/24    172.16.0.1   UGS   ovpnc1

# Side B (192.168.2.0/24)
172.16.0.0/24     172.16.0.2   UGS   ovpns2
172.16.0.1        link#9       UHS   lo0
172.16.0.2        link#9       UH    ovpns2
192.168.30.0/24   172.16.0.2   UGS   ovpns2
The funny thing is: when I use pre-shared key authentication everything works fine. Pings from client to client through the tunnel work.
I have no idea how to find out the problem, so I hope you can help me solve this.
-
Use a /30 tunnel for a site-to-site VPN.
If you are running multiple VPN instances on one side, also assign interfaces to them.
-
A /24 subnet is totally okay to run as the tunnel network in PKI.
Have you set your iroutes?
Check the iroutes section in https://www.netgate.com/docs/pfsense/vpn/openvpn/configuring-a-site-to-site-pki-ssl-openvpn-instance.html if not.
Firewall rules in place?
-Rico
-
Thank you for your reply. I will try it out today.
I am wondering why it works with pre-shared key but not with certificates. What is the reason?
-
In a site-to-site Shared Key setup you can only ever have two sites per instance: your server is .1 and the client is .2.
Even if you specify a /24 tunnel network, only a /30 is used, so for OpenVPN it is no problem to know how the traffic flows.

In site-to-site PKI you can have many sites per instance, so even if you have only two sites OpenVPN needs to know how to route traffic internally. This is done by iroutes; even if you only have two sites and use a /30 tunnel, you always need to set iroutes in a PKI instance.
-Rico
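As an added illustration (not part of Rico's reply or of the linked pfSense doc) of the route/iroute pairing described above, here is what the same site-to-site PKI setup looks like in plain OpenVPN config terms, using the subnets from this thread; the client certificate CN `siteA-client`, the file paths and the server hostname are assumed placeholders:

```conf
# --- Server (site B, LAN 192.168.2.0/24), e.g. /etc/openvpn/server.conf ---
dev tun
# PKI tunnel network; a /24 is fine here, server takes 172.16.0.1
server 172.16.0.0 255.255.255.0
# Kernel route on the server host: send site A's LAN into the tun interface.
# This is what "netstat -r" shows, but on its own it is not enough.
route 192.168.30.0 255.255.255.0
# Per-client overrides, looked up by the client certificate Common Name
client-config-dir /etc/openvpn/ccd
# Optional: hand the client its route to site B instead of configuring it client-side
push "route 192.168.2.0 255.255.255.0"

# --- /etc/openvpn/ccd/siteA-client  (file name = client cert CN, assumed) ---
# iroute tells OpenVPN internally which connected client session owns
# 192.168.30.0/24. Without it the kernel delivers the packet to the tun device,
# but OpenVPN cannot map it to a client and drops it, and replies arriving from
# 192.168.30.x are rejected as coming from an unexpected source.
iroute 192.168.30.0 255.255.255.0

# --- Client (site A, LAN 192.168.30.0/24), e.g. /etc/openvpn/client.conf ---
client
dev tun
remote vpn.siteB.example 1194      # placeholder hostname
# Only needed if the server does not push it
route 192.168.2.0 255.255.255.0
```

On pfSense the `iroute` line is generated from the Remote Networks field of the Client Specific Override for that CN, which is the setting the linked doc's iroutes section refers to. A quick way to confirm the iroute is missing is the server's OpenVPN log: traffic from site A's LAN then shows up as `MULTI: bad source address from client [siteA-client], packet dropped`.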
-
Thank you for this explanation. Now my VPN works fine.
-
Glad you have it working now.
-Rico