Packets don't get answered correctly via OpenVPN
-
Hey guys,
I just created a picture for you so that understanding my question is easier:
The green arrow displays how an incoming tcp packet 7777 (received at VPS pfSense) from the internet is transferred (via OpenVPN tunnel).
The red arrow shows how the answer to tcp packet 7777 is transferred. It stops at local pfSense. It should be transferred to VPS pfSense. And from there it should be released to the internet. I am not sure how to solve this issue?
How can I force the answers of Windows PC 10.2.66.30 into the OpenVPN tunnel, before they are released to the internet again?
At Local pfSense I have defined "route 10.2.66.30 255.255.255.0". Shouldn't this mean that all traffic from local Windows PC 10.2.66.30 gets routed through VPN tunnel to VPS pfSense?
-
If you assign an interface to the OpenVPN instance on the Local pfSense it should work.
It's generally recommended to assign interfaces to both the OpenVPN client and server of a site-2-site VPN when you route traffic across the VPN.
@Scampicfx said in Packets don't get answered correctly via OpenVPN:
At Local pfSense I have defined "route 10.2.66.30 255.255.255.0".
What? In the advanced options?
That's not a valid network address with that mask. However, that routing should be done by the "IPv4 Remote Network/s" box, but on the VPS side. So that it routes traffic to 10.2.66.30 through the VPN, but that is already working.
You cannot set a route on local side to route the responses back through the VPN without changing the default route, since the destination of these packets may be any.
The VPN interface suggested above implies that the local pfSense tags the packets coming from the remote site with "reply-to". So the response packets have the reply-to tag as well and so pfSense knows to send them back to the remote site.
-
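The reply above makes two points that are easy to check mechanically: an OpenVPN "route" directive names a network plus netmask, so 10.2.66.30 with 255.255.255.0 has host bits set and is not a valid network address, while a 255.255.255.255 mask covers exactly one host. The following is an added example for this thread, not code from the original posts, pfSense or OpenVPN; it parses constructed "route" lines (modelled on the ones discussed here) with Python's standard ipaddress module and reports, for each, whether the address is aligned to the mask and which network the pair actually implies. It also applies OpenVPN's documented default of 255.255.255.255 when the netmask is omitted.

```python
import ipaddress

# Constructed sample config modelled on the thread (not a real config from the
# posts): the invalid /24 directive, the /32 directive the poster tried next,
# a correctly aligned /24, a route with the netmask omitted, and a line that
# is not a route directive at all.
SAMPLE_CONFIG = """\
dev tun
route 10.2.66.30 255.255.255.0
route 10.2.66.30 255.255.255.255
route 10.2.66.0 255.255.255.0
route 10.2.66.31
"""

DEFAULT_NETMASK = "255.255.255.255"  # OpenVPN's default when --route has no netmask


def check_route(address: str, netmask: str = DEFAULT_NETMASK) -> dict:
    """Check one OpenVPN-style 'route <address> [<netmask>]' pair.

    Returns whether the address is a proper network address for the mask
    (no host bits set), the network the pair really covers, and whether
    the mask selects a single host (/32).
    """
    # strict=False lets us build the network even when host bits are set,
    # so we can report what the directive would actually cover.
    net = ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)
    aligned = ipaddress.IPv4Address(address) == net.network_address
    return {
        "address": address,
        "netmask": netmask,
        "valid_network": aligned,
        "implied_network": str(net),
        "single_host": net.prefixlen == 32,
    }


def check_config(text: str) -> list:
    """Extract every 'route' directive from an OpenVPN-style config and check it."""
    results = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) >= 2 and parts[0] == "route":
            netmask = parts[2] if len(parts) >= 3 else DEFAULT_NETMASK
            results.append(check_route(parts[1], netmask))
    return results


if __name__ == "__main__":
    for r in check_config(SAMPLE_CONFIG):
        verdict = "ok" if r["valid_network"] else "INVALID (host bits set)"
        host = " single host" if r["single_host"] else ""
        print(f"route {r['address']} {r['netmask']}: {verdict}; "
              f"covers {r['implied_network']}{host}")
```

Running it shows the first directive is rejected because 10.2.66.30/255.255.255.0 is really the 10.2.66.0/24 network, while the /32 form is valid but routes only that one host. Note that, as the reply says, none of these routes changes where the local side sends its replies; that depends on the reply-to handling of the assigned interface, not on the "route" directive.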
Hey viragomann,
thanks for your answer.
I also tried "route 10.2.66.30 255.255.255.255" but when doing so, Windows PC 10.2.66.30 has no internet access anymore. Is it possible to route single IPs or is it only possible to route whole subnets?
Thank you!
EDIT: Problem solved, see: https://forum.netgate.com/topic/149934/redirect-gateway-def1-routing-traffic-from-subnet-through-openvpn