OpenVPN Server/Client Setup - Clients on both sides can't reach each other.
-
Hello,
I've seen this issue before, but the fix there didn't apply to me (https://forum.netgate.com/topic/140819/aws-pfsense-openvpn-no-access-to-private-subnet)
My setup is:
AWS pfSense:
WAN =10.0.5.145
(with a public IP attached as well)
Server Configdev ovpns1 verb 1 dev-type tun dev-node /dev/tun1 writepid /var/run/openvpn_server1.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp4 cipher AES-128-CBC auth SHA256 up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown local 10.0.5.145 ifconfig 172.26.44.1 172.26.44.2 lport 1194 management /var/etc/openvpn/server1.sock unix max-clients 20 route 10.50.2.0 255.255.255.0 secret /var/etc/openvpn/server1.secret
Netgate SG-1100:
WAN:10.50.1.101/24
(it has to be double-NAT'd due to the hardware available)
LAN:10.50.2.1/24
Client Configdev ovpnc2 verb 1 dev-type tun dev-node /dev/tun2 writepid /var/run/openvpn_client2.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp4 cipher AES-128-CBC auth SHA256 up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown local 10.50.1.101 lport 0 management /var/etc/openvpn/client2.sock unix remote REDACTED 1194 ifconfig 172.26.44.2 172.26.44.1 route 10.0.4.0 255.255.252.0 secret /var/etc/openvpn/client2.secret resolv-retry infinite
I am able to establish the tunnel, and from a laptop on the client-side (
10.50.2.100
), I can ping the client LAN IP (10.50.2.1
) as well and the server's 'local' IP (10.0.5.145
). The client-side laptop has a GW of the SG-1100, and when I do aroute print
it shows0.0.0.0/0
pointing to10.50.2.1
, but nothing specific to the AWS IP ranges (10.0.4.0/22
). I can not connect to anything in the AWS ranges, even the instances that are explicitly set to 'allow all ports from all sources' in their SG.From the SG-1100 WebGUI, I can ping/trace/telnet onto any AWS instance/port, so long as I select the 'OpenVPN' interface when doing so. LAN and WAN interfaces fail.
From any instance in AWS, I am not able to connect to the LAN interface of the SG-1100 nor the client-side laptop at all, but am able to ping/trace/telnet from the WebGUI, so long as I select the 'OpenVPN' interface when doing so.
The firewall rules in both the AWS VM and the SG-1100 are 'allow all' across the board (in the 'OpenVPN' rules), and the routes in both places show the opposite network as going through the tunnel IP range (
172.26.44.0/24
).I'm somewhat at a loss here, and am hoping that someone can assist / guide me in the right direction. If I've left off any critical details needed, please let me know.
Thank you so much for any assistance!