Open VPN Only Working One Way

WJWB

Hi There,

Having a huge issue with Open VPN Site to site setup here's an overview

Site 1 - pfsense is the main router has a wan interface and 2 lan interfaces on different subnets (172.16.28.0/24 10.28.10.0/24)

Site 2 - Has a pfsense is running behind another NAT firewall, pfsense has one local IP address.

I can ping from pfsense site2 to pfsense site1 as well as other IP addresses in site 1.
I can't ping from another machine on site 2 to an address on site1
I can't ping from site2 to site 1 either from pfsense or from another machine.

tracert from site1 to site2 returns nothing but timeouts

Can't see anything wrong with config remote network(s) on OpenVPN settings are correct.
Firewall rules to allow any protocal, from any source to any source on site2 is in place
OpenVPN firewall rule for Site1 is in place.

I've tried adding a gateway on the tunnel network, and adding static route to site 2 but this hasn't made a difference.

The bit that I really can't get my head around is I can ping machines at site1 from the pfsense interface at site1 but when I try and ping the pfsense site2 box from anything at site1 it fails, even when i attempt to ping site2's pfsense using the openvpn server as the source address. How can traffic be ok going one way but not the other?

Any pointers would be appreciated.

KOM

How did you set it up? DId you use the Netgate guide or just work through it yourself? I configured this in my lab in the past week and got it working after a few tries.

Configuring a Site-to-Site Static Key OpenVPN Instance

WJWB

Used the guide specified here:

https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configuring-a-site-to-site-static-key-openvpn-instance.html

Tunnel is up and working, pinging from the client pfsense to the lan on the side of the pfsense openvpn server but not vise versa and not from the client side lan :(

chpalmer

Either your "remote network" on site one is wrong or your "OpenVPN" firewall rule on site two is wrong.

Show screenshots of each of those.

I've tried adding a gateway on the tunnel network, and adding static route to site 2 but this hasn't made a difference.

You should not have to do either of those. In fact Id delete them before you troubleshoot further.

I can't ping from another machine on site 2 to an address on site1
Can you ping from that same machine to the site 1 pfsense LAN interface?

Also remember- Windows machines will treat any "out of subnet" address as pubic and block with its own firewall.

WJWB

@chpalmer

I removed the gateway and static route after they didn't work

Below Site 1 Open VPN Settings

Below is Site 2 Firewall Rules

Windows firewall is disabled on the PC I'm using to test.

chpalmer

Look at /Diagnostics /Routes and see if the opposite LAN is there..

/diag_routes.php

Next Id pull up the configs and compare them side by side.. Im trying to remember which settings could be a little different and cause such an issue. Seems to me anything I ever had issues with blocked my efforts both directions.

I assume your LAN rules are all default? There is no traffic that has hit that rule you have the screenshot of above.. Look at your firewall logs. Do you see any blocked traffic when you try to ping or otherwise?

Are you behind a dsl modem on either side of this connection??

KOM

You also have all your local networks defined on each end?

WJWB

@chpalmer

Look at /Diagnostics /Routes and see if the opposite LAN is there..

Yes It's there:

Next Id pull up the configs and compare them side by side.. Im trying to remember which settings could be a little different and cause such an issue. Seems to me anything I ever had issues with blocked my efforts both directions.

I agree, I can't understand why it works one way but not the other =(

I assume your LAN rules are all default? There is no traffic that has hit that rule you have the screenshot of above.. Look at your firewall logs. Do you see any blocked traffic when you try to ping or otherwise?

Your assumption is correct

Are you behind a dsl modem on either side of this connection??

Yes Site 2 is behind a DSL Modem and pfsense is another device on the network there is a static route on the DSL modem to route 172.16.28.0/24 to the pfsense ip. I've also tried using the pfsense box as the default gateway on devices on the Site 1 Network

@KOM

The Interface is configured, I would assume the network is also as it appears in the above route table.

chpalmer

I ask about the DSL modem because I did have one "gateway" model that was somehow screwing with traffic in a similar fashion. Once I rebooted that device the issues stopped. It was Centurylink and was not a Technicolor model. I do not remember the exact model though.

Could you possibly put yours in bridge mode and let your pfsense WAN do the pppoe?

WJWB

@chpalmer It's an option at the moment the device runing pfsense only has one NIC. I've tried with a VM with 2 Nics but getting the same. Frustrating

chpalmer

I would try that box on a different internet connection to rule that out.

WJWB

It appears that was the issue having only one NIC, a box with 2 NICs on different submets connects and pings fine but now I've ran into the problem that it doesn't have a great throughput tried both OpenVPN and IPSec but packets over 50kb fail on pings.