Netgate Discussion Forum

Tag: site-to-site

      WireGuard gateway not working outside dashboard

      Category: WireGuard | Tags: wireguard static route vpn tunnel site-to-site site to site
      0 Votes, 13 Posts, 2k Views

      Finally!

      The solution was creating a firewall rule that routes the traffic of my Bridge interface through the gateway I created for the WireGuard client.


      Local hostnames are not resolved for clients from a network connected via IPsec site-to-site VPN tunnel

      Category: DHCP and DNS | Tags: dns ipsec vpn site-to-site ubiquiti
      0 Votes, 2 Posts, 1k Views

      @mebert
      Consider that you have to state the remote domain if your client uses another search domain, which I assume.

      So if the remote host name you want to request is "host" and its domain is "local", you need to type "host.local" to access it.


      Proper site-to-site routed OpenVPN setup

      Category: General pfSense Questions | Tags: openvpn site-to-site routing icmp
      0 Votes, 1 Post, 527 Views
      No one has replied

      WireGuard Site to Site

      Category: WireGuard | Tags: wireguard site-to-site
      0 Votes, 7 Posts, 1k Views

      @jarhead

      I am configuring this device for deployment. Sorry, I was not clear on that point. That is why the WAN is connected to my LAN. This device will be going over a thousand miles away and I need to set it up before it makes that journey. All of this headache just so I can remotely help (and make my life a little easier without needing to coordinate some kind of remote desktop/access). And this scenario requires the remote device to punch the hole through because their ISP uses private IPs, so the link will rely on the remote device establishing the link.

      I have isolated it to the firewall blocking the access. The default deny rule was stepping in to block it. The firewall knows it is the S2S interface... and not the WAN. Private IP restrictions do not apply. The default deny rule on both firewalls was blocking access. Oddly, the PC on the remote pfSense had no issues accessing my pfSense WebGUI but could not access my LAN devices... and I could not go the other direction to access the WebGUI of the remote device.

      I need to review the syntax/scope of the firewall rules again. By default, pfSense uses XXX net for Source. I had copied the allow rules to the S2S interface and updated them to use S2S net. As Christian's video shows in the Firewall section, source is set to * (All). I have the tunnel working now. So sorry about wasting anyone's time.

      P.S. Akismet is flagging my post as spam. Not sure why that is. Apparently it won't allow me to add images with the post.


      Site to site - branch office firewall

      Category: OpenVPN | Tags: site-to-site
      0 Votes, 1 Post, 371 Views
      No one has replied

      IKEv1 Site-to-Site VPN - Cannot ping remote LAN

      Category: IPsec | Tags: ipsec ikev1 site-to-site cisco asa
      0 Votes, 2 Posts, 590 Views

      @shahidge4
      The tcpdump from WAN is pretty useless, since the connection is established already.

      Your P2 has a single remote IP, so the VPN will only allow access to this one.
      Do a packet capture on the IPsec interface.

      Ensure that the remote host does not block access from the remote network.


      pfSense 1:1 NAT with site-to-site IPsec

      Category: General pfSense Questions | Tags: ipsec nat site-to-site openvpn
      0 Votes, 4 Posts, 1k Views
      Last reply: stephenw10

      So the P2 will effectively end up being (in my example) 10.200.10.0/24 to 10.100.10.0/24.
      Each side 'hides' its local 10.10.10.0/24 subnet behind another, same-sized, subnet. You could use any unused subnet for that; I just chose 10.100.10.0 and 10.200.10.0.

      So on each side that would be the BINAT address.

      https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/phase-2-nat.html

      However, if you do not need access between the two subnets directly but only from the pfSense_1 OpenVPN subnet, this becomes easier. You only need to BINAT on the pfSense_2 side like:

      [screenshot attached: Screenshot from 2022-05-12 14-02-05.png]

      On the pfSense_1 side the P2 would just be 172.10.10.0/24 to 10.100.10.0/24.

      To access the remote side, VPN clients would need to use the equivalent NAT address.

      Steve
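      The phase-2 BINAT walkthrough described in the reply above, as an added example that is not part of the thread and not pfSense code. It models what the P2 "NAT/BINAT translation" setting does on each side (keep the host part of an address, swap the network part), then traces one request and its reply across both firewalls. The site names, the overlapping 10.10.10.0/24 LANs, the 10.100.10.0/24 and 10.200.10.0/24 translation subnets and the one-sided 172.10.10.0/24 case come from the thread; the host addresses and the class/function names are constructed for the example.

```python
"""IPsec phase-2 BINAT walkthrough for two sites that both use 10.10.10.0/24.

Added example, not code from the thread or from pfSense. Each side keeps the
host part of an address and swaps the network part, so the tunnel only ever
carries the two translated, non-overlapping subnets. Host addresses are
constructed.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


def map_host(addr: Addr, src_net: Net, dst_net: Net) -> Addr:
    """1:1 translation: keep the host bits of `addr`, move it into `dst_net`."""
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("BINAT needs two subnets of the same size")
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    host_bits = int(addr) - int(src_net.network_address)
    return Addr(int(dst_net.network_address) + host_bits)


@dataclass(frozen=True)
class Site:
    name: str
    lan: Net     # real LAN ("Local Network" in the P2)
    binat: Net   # "NAT/BINAT translation" subnet; equal to `lan` when not translating
    remote: Net  # "Remote Network": the peer as it appears after its own BINAT

    def p2_selector(self):
        """What the phase 2 really negotiates: translated local <-> remote."""
        return (str(self.binat), str(self.remote))

    def egress(self, src: Addr, dst: Addr):
        """LAN -> tunnel: the source is moved into our BINAT subnet; the
        destination must already be the peer's translated address."""
        if dst not in self.remote:
            raise ValueError(f"{self.name}: {dst} is not in the remote selector {self.remote}")
        return map_host(src, self.lan, self.binat), dst

    def ingress(self, src: Addr, dst: Addr):
        """Tunnel -> LAN: the destination is moved from our BINAT subnet back to the real LAN."""
        if src not in self.remote:
            raise ValueError(f"{self.name}: {src} is not in the remote selector {self.remote}")
        return src, map_host(dst, self.binat, self.lan)


def walk(a: Site, b: Site, src_host: str, dst_translated: str):
    """Trace a request from a host at `a` to a host at `b` (addressed by its
    translated address) and the reply back. Returns the (src, dst) pair seen
    on a's LAN, in the tunnel, on b's LAN, in the tunnel again, on a's LAN."""
    src, dst = Addr(src_host), Addr(dst_translated)
    seen = [(src, dst)]
    seen.append(a.egress(*seen[-1]))            # leaves site a
    seen.append(b.ingress(*seen[-1]))           # arrives on b's LAN
    b_src, b_dst = seen[-1]
    seen.append(b.egress(b_dst, b_src))         # b's host replies to what it saw
    seen.append(a.ingress(*seen[-1]))           # lands on a's LAN
    return [(str(s), str(d)) for s, d in seen]


# The two-sided setup from the thread: both LANs are 10.10.10.0/24.
SITE_1 = Site("pfSense_1", Net("10.10.10.0/24"), Net("10.200.10.0/24"), Net("10.100.10.0/24"))
SITE_2 = Site("pfSense_2", Net("10.10.10.0/24"), Net("10.100.10.0/24"), Net("10.200.10.0/24"))

if __name__ == "__main__":
    print(SITE_1.p2_selector(), SITE_2.p2_selector())
    for hop in walk(SITE_1, SITE_2, "10.10.10.7", "10.100.10.9"):
        print(hop)
```

      Addressing the peer host by its real 10.10.10.x address is rejected by `egress`, which is the practical point of the reply: clients must use the equivalent NAT address. The one-sided variant from the thread is the same model with `binat` set equal to `lan` on the pfSense_1 side, so `map_host` becomes the identity there.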


      WireGuard site to site tutorial

      Category: WireGuard | Tags: wireguard site-to-site
      0 Votes, 1 Post, 627 Views
      No one has replied

      Remote OVPN Client access devices in Remote LAN over OpenVPN Site2Site link?

      Category: OpenVPN | Tags: openvpn openvpn client site-to-site routing
      0 Votes, 4 Posts, 981 Views
      Last reply: johnpoz

      @mpcjames glad I could help.


      OpenVPN site to site NAT

      Category: NAT | Tags: nat openvpn site-to-site
      0 Votes, 7 Posts, 1k Views

      @viragomann Ok, I got it working.
      It took some cleaning up after previous attempts, and I wouldn't have made it work if it wasn't for your info.
      Thanks


      WAN Gateway + OpenVPN Failover

      Category: OpenVPN | Tags: vpn site-to-site failover
      0 Votes, 1 Post, 539 Views
      No one has replied

      Communication between OpenVPN site-to-site and road warrior clients

      Category: Français | Tags: openvpn site-to-site roadwarrior
      0 Votes, 4 Posts, 878 Views

      (The address 20.0.0.1 is not private: this is not recommended!)

      I do not understand why you used the SAME network for the site-to-site VPN and the road warrior VPN! This setting can only confuse pfSense!

      You need to configure different networks for the OpenVPN client and the OpenVPN server; in addition, for the road warrior clients, you will have to add a route (push route) so that they can reach the Bureau site.

      Add site-2-site connection but I only have an ovpn config file

      Category: OpenVPN | Tags: site-to-site configuration open vpn
      0 Votes, 1 Post, 426 Views
      No one has replied

      Route openvpn client traffic through another openvpn client

      Category: General pfSense Questions | Tags: routing nat gateway openvpn site-to-site
      0 Votes, 14 Posts, 3k Views
      Last reply: stephenw10

      Do you see it being routed in packet captures or the state table when you try to reach 1.1.1.1?

      Where does it fail?


      Combining Remote Access VPN with Site-to-Site VPN

      Category: OpenVPN | Tags: openvpn routing pfsense site-to-site remote-access
      0 Votes, 4 Posts, 1k Views

      Thank you very much! Your solution fixed my problem! I had missed adding the tunnel network to the remote networks on site B.


      OpenVPN configuration: site-to-site and road warrior

      Category: Français | Tags: openvpn openvpn routage site-to-site roadwarrior
      0 Votes, 11 Posts, 2k Views

      It is not pleasant to reply and then have an attitude attributed to you that is not yours ... So this is better.

      VPN_ADMIN is the road warrior VPN (which works very well with OpenVPN).
      The config you show seems correct to me this time.
      It is logical, since Local is the set of networks of each site!
      Usually, and the pfSense docs use it, the Tunnel is 10.0.x.0/24 (which allows 63 clients to connect).
      If there are several sites, each with an OpenVPN server, you vary the x: 8, 9, 10, ...

      VPN_SITES should move to IPsec, ideally in a full mesh.
      So each site must have the following definitions
      for site 1:
      phase 1: to site 2 / phase 2: lan1 <-> lan2 / 2 IPsec rules: lan1 -> lan2 + lan2 -> lan1
      same for site 3
      same for site 4
      and so on, site by site


      Sharing public WAN IP subnet between 2 locations (Site to Site WAN?)

      Category: Routing and Multi WAN | Tags: site-to-site public ip wan p ipsec lan to wan
      0 Votes, 2 Posts, 556 Views
      Last reply: Derelict

      You could send some of that /27 across OpenVPN to the other site if the /27 is routed to you.

      If the interface is a /27 that's going to be much more difficult.


      OpenVPN road warrior access to both LANs in site to site

      Category: OpenVPN | Tags: openvpn site-to-site roadwarrior
      0 Votes, 2 Posts, 856 Views

      In order for your road warrior clients to access resources at site B, two things need to happen:

      1. Site A's road warrior clients need to know that site B's LAN subnet should be routed down the tunnel.
      2. Site B needs to know where to send the return traffic for site A's road warrior clients.

      Based on the above, the following adjustments should be made to the configs:

      Site A:

      Road Warrior config should have "192.168.20.0/24, 192.168.10.0/24" on the IPv4 Local network(s) line. (Remove 10.0.20.0/24.)

      Site B:

      Re-verify the site-to-site config has "192.168.20.0/24, 10.0.20.0/24" on the IPv4 Remote network(s) line.

      Once the site-to-site tunnel is re-established and the clients re-connect, you should be good to go.
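      The two routing conditions in the reply above (and the missing return route that the "Combining Remote Access VPN with Site-to-Site VPN" thread ran into), as an added example that is not part of either thread and not pfSense code. It builds the routing tables that the two pfSense settings imply, walks a packet from a road warrior client to a host at site B and walks the reply back, so a missing entry shows up as the exact hop where traffic is lost. The subnets 10.0.20.0/24, 192.168.20.0/24 and 192.168.10.0/24 are the thread's; the client address 10.0.20.5, the host 192.168.10.40, the node names and the assumption that "IPv4 Remote network(s)" on site A already contains site B's LAN are constructed for the example.

```python
"""Route-symmetry check for road-warrior clients reaching a LAN behind an
OpenVPN site-to-site link.

Added example, not code from the thread or from pfSense. Assumptions:
  road-warrior tunnel   10.0.20.0/24   (server on site A, client 10.0.20.5)
  site A LAN            192.168.20.0/24
  site B LAN            192.168.10.0/24 (target host 192.168.10.40)
  site A's site-to-site "Remote network(s)" already lists site B's LAN
Every "IPv4 Local network(s)" entry on the road-warrior server is pushed to
the client as a route; every "IPv4 Remote network(s)" entry on site B becomes
a route toward site A. The site-to-site tunnel is only a next hop here.
"""
import ipaddress

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

RW_TUNNEL = "10.0.20.0/24"
RW_CLIENT = "10.0.20.5"
SITE_A_LAN = "192.168.20.0/24"
SITE_B_LAN = "192.168.10.0/24"
SITE_B_HOST = "192.168.10.40"


def lookup(table: dict, dst: Addr):
    """Longest-prefix match. `table` maps network -> next-hop node name,
    or "deliver" when this node is the final destination."""
    best = None
    for net_s, next_hop in table.items():
        net = Net(net_s)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def trace(tables: dict, start: str, dst: str, max_hops: int = 8):
    """Walk next hops from `start` toward `dst`. Returns (path, outcome)."""
    dst_addr = Addr(dst)
    node, path = start, [start]
    for _ in range(max_hops):
        next_hop = lookup(tables[node], dst_addr)
        if next_hop is None:
            return path, f"no-route@{node}"
        if next_hop == "deliver":
            return path, "delivered"
        node = next_hop
        path.append(node)
    return path, "loop"


def build_tables(rw_local_networks, site_b_remote_networks):
    """Routing tables implied by the two pfSense settings under discussion."""
    rw_client = {RW_CLIENT + "/32": "deliver", "0.0.0.0/0": "wan"}
    for net in rw_local_networks:            # routes pushed by the RW server
        rw_client[net] = "site_a"
    site_a = {
        SITE_A_LAN: "deliver",
        RW_TUNNEL: "rw_client",              # road-warrior server interface
        SITE_B_LAN: "site_b",                # site A's S2S "Remote network(s)"
        "0.0.0.0/0": "wan",
    }
    site_b = {SITE_B_LAN: "host_b", "0.0.0.0/0": "wan"}
    for net in site_b_remote_networks:       # site B's S2S "Remote network(s)"
        site_b[net] = "site_a"
    host_b = {SITE_B_HOST + "/32": "deliver", "0.0.0.0/0": "site_b"}
    # "wan" has no routes: a private destination that ends up there is lost.
    return {"rw_client": rw_client, "site_a": site_a, "site_b": site_b,
            "host_b": host_b, "wan": {}}


def check(rw_local_networks, site_b_remote_networks) -> dict:
    """Outcome of the request (client -> host B) and of the reply (host B -> client)."""
    tables = build_tables(rw_local_networks, site_b_remote_networks)
    _, forward = trace(tables, "rw_client", SITE_B_HOST)
    _, back = trace(tables, "host_b", RW_CLIENT)
    return {"forward": forward, "return": back}


if __name__ == "__main__":
    # Site B without the road-warrior tunnel in its remote networks: the
    # request arrives, the reply goes out the WAN and never comes back.
    print(check([SITE_A_LAN, SITE_B_LAN], [SITE_A_LAN]))
    # Both settings as the reply recommends.
    print(check([SITE_A_LAN, SITE_B_LAN], [SITE_A_LAN, RW_TUNNEL]))
```

      Run it and the misconfigured case reports the reply dying at "wan", which is what a one-way ping looks like in practice: the packet capture on site B shows the request but the reply leaves via the default route instead of the tunnel.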


      Site2Site does not work/route in both directions

      Category: OpenVPN | Tags: openvpn site-to-site routing
      0 Votes, 9 Posts, 1k Views
      Last reply: kiokoman

      Is the routing table the same now?
      Maybe it was something else in the configuration.


      OpenVPN site2site not working

      Category: OpenVPN | Tags: openvpn site-to-site
      0 Votes, 4 Posts, 938 Views

      Why do you use a /24 net for a site-to-site? A /30 would be the better choice here.

      @Cricco95 said in OpenVPN site2site not working:

      Trying to ping VPN server interface on 10.8.0.1:

      You did the ping from the WAN IP. I don't know what your WAN is, but you may be missing the route.

      What if you do a ping from LAN?
      If it works, try a ping from LAN to the remote LAN IP of the server.