OpenVPN Only Working One Way
-
Used the guide specified here:
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configuring-a-site-to-site-static-key-openvpn-instance.html
Tunnel is up and working: pinging from the client pfSense to the LAN on the pfSense OpenVPN server side works, but not vice versa, and not from the client-side LAN :(
-
Either your "remote network" on site one is wrong or your "OpenVPN" firewall rule on site two is wrong.
Show screenshots of each of those.
I've tried adding a gateway on the tunnel network, and adding static route to site 2 but this hasn't made a difference.
You should not have to do either of those. In fact I'd delete them before you troubleshoot further.
I can't ping from another machine on site 2 to an address on site1
Can you ping from that same machine to the site 1 pfSense LAN interface? Also remember: Windows machines will treat any "out of subnet" address as public and block it with their own firewall.
-
I removed the gateway and static route after they didn't work
Below: Site 1 OpenVPN settings
Below: Site 2 firewall rules
Windows firewall is disabled on the PC I'm using to test.
-
Look at /Diagnostics /Routes and see if the opposite LAN is there..
/diag_routes.php
Next I'd pull up the configs and compare them side by side. I'm trying to remember which settings could be a little different and cause such an issue. Seems to me anything I ever had issues with blocked my efforts in both directions.
I assume your LAN rules are all default? There is no traffic that has hit that rule you have the screenshot of above. Look at your firewall logs. Do you see any blocked traffic when you try to ping or otherwise?
Are you behind a DSL modem on either side of this connection?
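The two checks in the post above (is the opposite LAN in the routing table, and is the firewall logging blocks on the OpenVPN interface) scripted as a POSIX shell example. This is an added example, not code from the thread or from Netgate's guide. It runs on constructed data so it works anywhere; the interface name ovpnc1, the tunnel and LAN prefixes, the tracker IDs and the exact filterlog field layout are all assumptions. On a real box you would feed it the output of `netstat -rn` and the filterlog lines from /var/log/filter.log instead.

```shell
#!/bin/sh
# Added example, not from the thread. Automates the two checks from the post
# above: is the far-side LAN in the routing table via the tunnel interface, and
# is the firewall logging blocks on that interface. All data below is
# CONSTRUCTED; interface name, prefixes, tracker IDs and addresses are assumed.

# Constructed `netstat -rn` output: far-side LAN 172.16.28.0/24 routed via the
# OpenVPN client interface, as it should be once "IPv4 Remote network(s)" is set.
ROUTES_OK='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.0.8.0/30        10.0.8.1           UGS      ovpnc1
10.0.8.1           link#8             UH       ovpnc1
172.16.28.0/24     10.0.8.1           UGS      ovpnc1
192.168.2.0/24     link#1             U           em0'

# Same table with the remote-network route missing (wrong or empty Remote networks).
ROUTES_MISSING=$(printf '%s\n' "$ROUTES_OK" | grep -v '^172.16.28.0/24')

# Constructed filterlog lines in pfSense's CSV layout. For IPv4 the fields after
# "filterlog: " are assumed to be: rule,subrule,anchor,tracker,iface,reason,action,
# dir,ipver,tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst,...
LOG_BLOCKED='Jan 10 12:00:01 pfsense filterlog: 5,,,1000000103,ovpnc1,match,block,in,4,0x0,,64,12345,0,DF,1,icmp,84,172.16.28.10,192.168.2.20,request,0,0
Jan 10 12:00:02 pfsense sshd[123]: Accepted publickey for admin
Jan 10 12:00:03 pfsense filterlog: 7,,,1000000201,em0,match,pass,in,4,0x0,,64,12346,0,DF,1,icmp,84,192.168.2.20,172.16.28.10,request,0,0'
LOG_CLEAN='Jan 10 12:00:03 pfsense filterlog: 9,,,1000000301,ovpnc1,match,pass,in,4,0x0,,64,12347,0,DF,1,icmp,84,172.16.28.10,192.168.2.20,request,0,0'

# route_via ROUTES NETWORK IFACE -> exit 0 if NETWORK is routed out IFACE, else 1
route_via() {
  printf '%s\n' "$1" | awk -v net="$2" -v ifc="$3" \
    '$1 == net && $NF == ifc { found = 1 } END { exit found ? 0 : 1 }'
}

# count_blocks LOG IFACE -> prints the number of inbound packets blocked on IFACE
count_blocks() {
  printf '%s\n' "$1" | awk -F'filterlog: ' -v ifc="$2" '
    NF > 1 {
      split($2, f, ",")
      # f[5]=interface  f[7]=action  f[8]=direction
      if (f[5] == ifc && f[7] == "block" && f[8] == "in") n++
    }
    END { print n + 0 }'
}

# diagnose ROUTES LOG NETWORK IFACE -> 0 ok, 1 route missing, 2 firewall blocking
diagnose() {
  if ! route_via "$1" "$3" "$4"; then
    echo "no route to $3 via $4: check IPv4 Remote network(s) on this side's OpenVPN instance"
    return 1
  fi
  blocked=$(count_blocks "$2" "$4")
  if [ "$blocked" -gt 0 ]; then
    echo "route to $3 ok, but $blocked inbound packet(s) blocked on $4: add a pass rule on the OpenVPN firewall tab"
    return 2
  fi
  echo "route to $3 ok and nothing blocked on $4: look at the far side, host firewalls or the modem"
  return 0
}

# Run the three scenarios: missing route, route present but blocked, all good.
diagnose "$ROUTES_MISSING" "$LOG_CLEAN"   172.16.28.0/24 ovpnc1 || echo "  (exit $?)"
diagnose "$ROUTES_OK"      "$LOG_BLOCKED" 172.16.28.0/24 ovpnc1 || echo "  (exit $?)"
diagnose "$ROUTES_OK"      "$LOG_CLEAN"   172.16.28.0/24 ovpnc1
```

The exit status maps to the two diagnoses in the thread: 1 means the "remote network" on this side is wrong (the route never made it into the table), 2 means the route is fine but the OpenVPN-tab firewall rule on this side is dropping the far side's packets. A 0 on both boxes with traffic still failing one way points at something outside pfSense, such as a host firewall or the upstream modem.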
-
You also have all your local networks defined on each end?
-
Look at /Diagnostics /Routes and see if the opposite LAN is there..
Yes It's there:
Next I'd pull up the configs and compare them side by side. I'm trying to remember which settings could be a little different and cause such an issue. Seems to me anything I ever had issues with blocked my efforts in both directions.
I agree, I can't understand why it works one way but not the other =(
I assume your LAN rules are all default? There is no traffic that has hit that rule you have the screenshot of above. Look at your firewall logs. Do you see any blocked traffic when you try to ping or otherwise?
Your assumption is correct.
Are you behind a DSL modem on either side of this connection?
Yes, Site 2 is behind a DSL modem and pfSense is another device on the network; there is a static route on the DSL modem to route 172.16.28.0/24 to the pfSense IP. I've also tried using the pfSense box as the default gateway on devices on the Site 1 network.
The interface is configured; I would assume the network is also, as it appears in the above route table.
-
I ask about the DSL modem because I did have one "gateway" model that was somehow screwing with traffic in a similar fashion. Once I rebooted that device the issues stopped. It was CenturyLink and was not a Technicolor model. I do not remember the exact model though.
Could you possibly put yours in bridge mode and let your pfSense WAN do the PPPoE?
-
@chpalmer It's an option; at the moment the device running pfSense only has one NIC. I've tried with a VM with 2 NICs but am getting the same. Frustrating.
-
I would try that box on a different internet connection to rule that out.
-
It appears that was the issue, having only one NIC; a box with 2 NICs on different subnets connects and pings fine, but now I've run into the problem that it doesn't have great throughput. I tried both OpenVPN and IPsec, but packets over 50 kB fail on pings.