OpenVPN Server-Client access problems
- 
 I'm trying to configure an OpenVPN server-client (pfSense to pfSense) connection to have bidirectional access. The client->server traffic is working when NAT is enabled, but server->client is not.
 I actually don't need NAT and could have both sides routed through, but somehow I cannot get the configuration working.
 What I have tried:
 On the VPN server side, both configurations with server mode: peer-to-peer and remote access.
 With peer-to-peer mode I see the routing pointing to ovpns1 on both sides. The access lists are permitting any for the LAN and VPN tabs (test setup).
 I have tried setting the ACL gateway option to help with directing traffic. The end result is the same: client-server working, server-client not working.
 The last thing I tried was setting the server mode to Remote Access, but then the routing table on the server side does not have an entry for the remote side. From the states table I see that traffic is hitting the VPN interface, but the other side is not receiving it.
 The reason I need the OpenVPN client-server model is that my other pfSense is behind a 4G connection, without a public IP address that I could use to do port forwarding. So I have to call out to the server, which is reachable.
 What VPN server mode would allow me to have bidirectional routed traffic over the VPN between both sites?
- 
 You need to pick Peer to Peer (SSL/TLS) or Peer to Peer (Shared Key), Remote Access is the wrong mode. -Rico 
- 
 Ok. So I configured it as peer-to-peer. The tunnel is up and local/remote networks are placed in the routing table. pfSense config:
 Server
  Mode: peer-to-peer
  Device mode: tun-L3
  Tunnel network: 10.10.99.0/24
  Local network: 192.168.1.0/24
  Remote network: 192.168.2.0/24
 Interface assignment
  Ovpns1 - VPN
 Firewall
  LAN - Permit IPv4 any any
  VPN - Permit IPv4 any any
 Client
  Tunnel network: 10.10.99.0/24
  Remote network: 192.168.1.0/24
 Interface assignment
  Ovpns1 - VPN
 Firewall
  LAN - Permit IPv4 any any
  VPN - Permit IPv4 any any
 Tunnel gets built and tunnel interface IPs are reachable from both sides (Server 10.10.99.1 & Client 10.10.99.2). Routing table has entries:
 Server side:
  10.10.99.0/24 GW 10.10.99.2 netif ovpns1
  192.168.2.0/24 GW 10.10.99.2 netif ovpns1
 Client side:
  10.10.99.0/24 GW 10.10.99.1 netif ovpns1
  192.168.1.0/24 GW 10.10.99.1 netif ovpns1
 Configuration 1 (no NAT entries)
 Testing ICMP
 Server
  Ping 192.168.2.1 - no response
  State table:
   Int Proto Source (original source) -> Dest (original dest)
   VPN icmp 192.168.1.1:yyyy -> 192.168.2.1:zzzz
  Traffic is forwarded to the VPN interface.
  Client side state table is empty.
 Client
  Ping 192.168.1.1 - no response
  State table:
   Int Proto Source (original source) -> Dest (original dest)
   VPN icmp 192.168.2.1:yyyy -> 192.168.1.1:zzzz
  Traffic is forwarded to the VPN interface.
  Client side state table empty.
 Problem:
  Without NAT, traffic is sent to the VPN tunnel but the other side does not receive it.
 Configuration 2 (with NAT entries)
 Server NAT
  Int VPN src: 10.10.99.0/24 dst: any NAT addr: VPN interface (both ports ISAKMP 500 & any)
  Int VPN src: 192.168.1.0/24 dst: any NAT addr: VPN interface (both ports ISAKMP 500 & any)
 Client NAT
  Int VPN src: 10.10.99.0/24 dst: any NAT addr: VPN interface (both ports ISAKMP 500 & any)
  Int VPN src: 192.168.2.0/24 dst: any NAT addr: VPN interface (both ports ISAKMP 500 & any)
 Testing ICMP
 Server
  Ping 192.168.2.1 - no response
  State table:
   Int Proto Source (original source) -> Dest (original dest)
   VPN icmp 10.10.99.1:xxxx (192.168.1.1:yyyy) -> 192.168.2.1:zzzz
  So the NAT is working & traffic is forwarded to the VPN interface.
  Client side state table is empty.
 Client
  Ping 192.168.1.1 - 3 responses (working)
  State table:
   Int Proto Source (original source) -> Dest (original dest)
   VPN icmp 10.10.99.2:xxxx (192.168.2.1:yyyy) -> 192.168.1.1:zzzz
  So the NAT is working & traffic is forwarded to the VPN interface.
  Client side state table has the correct entry as well.
 Problem:
  Traffic is working only from client to server.
  Traffic is not working from server to client.
- 
 Can you share your Server and Client OpenVPN Config via screenshot? -Rico 
- 
 [Screenshots attached to this post: Topology; VPN Server; VPN Server Routes; VPN Server Status; VPN Server FW LAN; VPN Server FW VPN; VPN Client; VPN Client Routes; VPN Client Status; VPN Client FW LAN; VPN Client FW VPN]
 Testing
 Testing ping (ICMP) from Host1 to Host2 (no NAT rules, only routing)
 [Screenshots: VPN Server States table; VPN Client States table]
- 
 Check the log for OpenVPN and see if there is any complaint about "compression stub".
 I had trouble with "Disable Compression, retain compression packet framing"; instead I'm using "omit preference (Use OpenVPN default)".
- 
 In SSL/TLS mode you need CSO (Client Specific Overrides) for proper routing.
 Check https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-ssl-tls.html -Rico
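 Why the CSO matters, and a check for it (added example; this is not code from the thread, from pfSense or from Netgate's docs). In OpenVPN's SSL/TLS server mode the kernel routing table only decides that 192.168.2.0/24 goes into the tun interface; the daemon then consults its own table of which client session owns which subnet, and that table is filled only by `iroute` lines in the per-client config (client-config-dir, which is what pfSense's CSO "Remote Networks" field writes). A `route` with no matching `iroute` gives exactly the symptoms above: the pfSense state table shows the packet leaving on the VPN interface, and the server daemon silently drops it because no client claims the destination. In the other direction the server also checks the packet's source against the client's iroutes (logged as "MULTI: bad source address from client [...], packet dropped"), which is why NAT to the tunnel address made client->server work: 10.10.99.2 is the client's own tunnel IP, so it is accepted without any iroute. The script below lints a server config against its CCD files for both mismatches (route without iroute, iroute without route) and generates the CCD body a CSO would produce. The config text and the client common name `site-b` are constructed for the example.

```python
"""Lint an OpenVPN SSL/TLS server config against its client-config-dir (CCD)
files for the route/iroute mismatch discussed above.

Added example; not pfSense code. SERVER_CONF and the CN 'site-b' are
constructed to mirror the thread's 'Configuration 1' (route present, no CSO).
"""
import ipaddress
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network


def parse_directives(text: str) -> List[List[str]]:
    """One [directive, arg, ...] list per config line; '#' and ';' comments dropped."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        for marker in ("#", ";"):
            if marker in line:
                line = line.split(marker, 1)[0].rstrip()
        if line:
            directives.append(line.split())
    return directives


def _net(args: List[str]) -> IPv4Net:
    """route/iroute take 'network [netmask]'; OpenVPN defaults the netmask to /32."""
    netmask = args[1] if len(args) > 1 else "255.255.255.255"
    return ipaddress.IPv4Network(f"{args[0]}/{netmask}", strict=False)


def kernel_routes(server_conf: str) -> List[IPv4Net]:
    """Networks that 'route' lines make the *kernel* send into the tun interface."""
    nets = []
    for d in parse_directives(server_conf):
        if d[0] == "route" and len(d) >= 2:
            try:
                nets.append(_net(d[1:3]))
            except ValueError:  # symbolic targets such as remote_host: not a LAN
                pass
    return nets


def client_iroutes(ccd_files: Dict[str, str]) -> Dict[IPv4Net, str]:
    """OpenVPN's internal table: each iroute'd network -> the CN whose CCD file claims it."""
    owners: Dict[IPv4Net, str] = {}
    for cn, text in ccd_files.items():
        for d in parse_directives(text):
            if d[0] == "iroute" and len(d) >= 2:
                owners[_net(d[1:3])] = cn
    return owners


def tunnel_network(server_conf: str) -> Optional[IPv4Net]:
    """The 'server' directive's subnet; routes inside it are not remote LANs."""
    for d in parse_directives(server_conf):
        if d[0] == "server" and len(d) >= 3:
            return _net(d[1:3])
    return None


def lint_site_to_site(server_conf: str, ccd_files: Dict[str, str]) -> Dict[str, list]:
    """Report both asymmetric failures:
    missing_iroute: kernel sends into tun, daemon has no owning client -> dropped
    missing_route:  daemon would accept, but the kernel never sends into tun
    """
    tunnel = tunnel_network(server_conf)
    routes = kernel_routes(server_conf)
    owners = client_iroutes(ccd_files)
    missing_iroute = [
        str(n) for n in routes
        if n not in owners and not (tunnel is not None and n.subnet_of(tunnel))
    ]
    missing_route = sorted((cn, str(n)) for n, cn in owners.items() if n not in routes)
    return {"missing_iroute": missing_iroute, "missing_route": missing_route}


def cso_for(remote_networks: List[str]) -> str:
    """CCD body equivalent to filling the CSO 'Remote Networks' field: one iroute per LAN."""
    lines = []
    for cidr in remote_networks:
        net = ipaddress.IPv4Network(cidr, strict=False)
        lines.append(f"iroute {net.network_address} {net.netmask}")
    return "\n".join(lines) + "\n"


# Constructed server config in the shape of the thread's 'Configuration 1'.
SERVER_CONF = """\
server 10.10.99.0 255.255.255.0
route 192.168.2.0 255.255.255.0     # kernel: send the client's LAN into tun
client-config-dir ccd               # per-client (CSO) files live here
"""
BROKEN = {}                                   # no CCD file at all: the OP's state
FIXED = {"site-b": cso_for(["192.168.2.0/24"])}  # CSO for the client CN 'site-b'

if __name__ == "__main__":
    for label, ccd in (("without CSO", BROKEN), ("with CSO", FIXED)):
        print(label, lint_site_to_site(SERVER_CONF, ccd))
```

 Run against a real pfSense box, read the server config and the CCD directory that the OpenVPN status page points to, and feed them in as strings; a non-empty `missing_iroute` list is the one-way-traffic case from this thread, and `missing_route` catches the opposite mistake (CSO filled in, "Remote network" on the server left blank).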
- 
 @Rico Thank you so much for that detail. I did the CSO configuration and now I can reach both sites. Basically, all the tutorials on OpenVPN server-client configuration do not mention it... they probably assume that you will be using NAT. Thank you again!
- 
 Glad you have it working now.  -Rico 

