OpenVPN bridge - can ping from pfSense, not clients



  • Howdy all, presumably this is a simple firewalling issue.

    I have an OpenVPN bridge setup between a remote server (Debian 8 in a Proxmox HV) and my home with pfSense as the firewall / VPN client.

    After some struggling, pfSense has made the connection and can ping clients on the server (Debian) side of the VPN. However clients on the pfSense side cannot. A ping responds in many packets transmitted, 0 received. No timeouts or unresolved hosts.

    Since the pfSense box can ping the other clients on the server side, it must be a firewall issue, I'd guess. I've done no firewall changes thus far.

    I don't care about WAN forwarding, if I have to I have to (although it's an extra hop / POF) but preferably not.

    Server (Debian) IP: 192.168.1.102
    Client (pfSense) IP: 192.168.10.1
    all Debian-side machines are 192.168.1.10x
    all pfSense-side machines are 192.168.10.x
    The pfSense box is given the IP 192.168.1.20 for OpenVPN.

    192.168.1.254 is the hypervisor NATing to the external IP using iptables.

    I used these guides to set up the Debian VPN server: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8
    http://www.emaculation.com/doku.php/bridged_openvpn_server_setup



  • pfSense has made the connection and can ping clients on the server (Debian) side of the VPN. However clients on the pfSense side cannot.

    So you're saying:

    192.168.10.1 ->ping 192.168.1.102 works

    but

    192.168.10.10 (guessed at a Client IP) ->ping 192.168.1.102 doesn't ?

    What type of devices are on the Client LAN?
    Win machines are notorious for a basic Firewall issue that blocks pings from "unknown" subnets (the Server's would be)

    Do you actually need a bridged connection?
    Your Client and Server LANs are on different subnets, which makes a TUN (vs TAP) connection much simpler.
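    As an added illustration of the TUN suggestion above (this is not configuration from the thread or from the guides it links), a routed site-to-site server config on the Debian host that carries the two LANs named in the thread. The tunnel subnet 10.8.0.0/24, the ccd directory and the name of the per-client file are assumptions; certificates and keys are omitted.

```conf
# /etc/openvpn/server.conf on the Debian host (192.168.1.102)
dev tun
proto udp
port 1194
# tunnel subnet is an assumption; it must not overlap either LAN
server 10.8.0.0 255.255.255.0
# tell the server's own kernel that the pfSense LAN lives behind the tunnel
route 192.168.10.0 255.255.255.0
# per-client file below tells OpenVPN which connected client owns that LAN
client-config-dir /etc/openvpn/ccd
# hand the pfSense client a route to the Debian-side LAN
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
persist-key
persist-tun
# ca / cert / key / dh directives omitted here

# /etc/openvpn/ccd/PFSENSE_CERT_CN  (placeholder: the file is named after the
# common name of the pfSense client certificate)
iroute 192.168.10.0 255.255.255.0
```

    Two things stay the same as in the bridged design: the Debian-side VMs (192.168.1.10x) still need a return route for 192.168.10.0/24 pointing at the OpenVPN server (192.168.1.102) unless the server NATs the tunnel traffic, and pfSense still needs firewall rules on its OpenVPN interface for the traffic to pass in either direction.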



  • Thanks for the reply.

    Yes, from the pfSense shell I can ssh into VMs on the other side of the bridge. My clients, both in Linux and Windows, cannot.

    I set up a bridge because the server side is a dedicated server running Proxmox that I want to use on my local network (also with a server running Proxmox) including as a domain controller (one local, one remote) and my reading indicated that a routed setup would not work for this use case.



  • Sorry, I don't know enough about Proxmox and your environment to say whether you're going down the right path or not.

    From what you're describing, I'd normally guess a basic routing issue on the server end, but that's just a guess.

    Perhaps someone with a little more insight into your environment can jump in…
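    One concrete way to test the routing guess above, added here as an example and not something either poster ran: replies from a Debian-side VM to a 192.168.10.x client only come back over the VPN if that VM has a route for 192.168.10.0/24 pointing at the pfSense tap address (192.168.1.20). Otherwise the reply matches the default route and goes to the NAT gateway 192.168.1.254, which matches the symptom of transmitted packets with no replies. The script below applies longest-prefix matching to a constructed `ip -4 route show` table (the table, the VM address 192.168.1.103 and the client address 192.168.10.50 are made up for the example).

```python
import ipaddress

# Addresses as given in the thread
PFSENSE_TAP_IP = "192.168.1.20"    # pfSense's address on the bridged (TAP) segment
PFSENSE_LAN = "192.168.10.0/24"    # the clients behind pfSense
HYPERVISOR_NAT = "192.168.1.254"   # Proxmox host that NATs to the outside

# Constructed sample of `ip -4 route show` on a Debian-side VM (not captured
# from the thread); the VM only knows its own segment and a default gateway.
SAMPLE_ROUTES = """\
default via 192.168.1.254 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.103
"""

# The same table after a return route for the pfSense LAN has been added.
FIXED_ROUTES = SAMPLE_ROUTES + "192.168.10.0/24 via 192.168.1.20 dev eth0\n"


def parse_routes(text):
    """Turn `ip -4 route show` output into (network, next_hop) pairs.

    next_hop is None for directly connected routes.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dst, strict=False)
        via = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append((net, via))
    return routes


def lookup(routes, dest):
    """Longest-prefix match, the way the kernel picks a route for dest."""
    addr = ipaddress.ip_address(dest)
    candidates = [(net, via) for net, via in routes if addr in net]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)


def return_path_ok(route_text, client_ip, peer_ip=PFSENSE_TAP_IP):
    """True if a reply to client_ip leaves via the VPN peer on this segment."""
    hit = lookup(parse_routes(route_text), client_ip)
    return hit is not None and hit[1] == peer_ip


def diagnose(route_text, client_ip, peer_ip=PFSENSE_TAP_IP):
    """Explain where a reply to client_ip would actually go."""
    hit = lookup(parse_routes(route_text), client_ip)
    if hit is None:
        return "no route: reply is dropped on the host"
    net, via = hit
    if via == peer_ip:
        return f"ok: reply goes to the VPN peer {peer_ip} via {net}"
    if via == HYPERVISOR_NAT:
        return (f"wrong: reply matches {net} and goes to the NAT gateway {via}, "
                f"which sends it to the Internet instead of back over the VPN")
    return f"wrong: reply goes to {via or 'the local segment'} via {net}"


def missing_route_cmd(client_lan=PFSENSE_LAN, peer_ip=PFSENSE_TAP_IP):
    """The Linux command that would add the missing return route."""
    return f"ip route add {client_lan} via {peer_ip}"


if __name__ == "__main__":
    for label, table in (("before", SAMPLE_ROUTES), ("after", FIXED_ROUTES)):
        print(label, diagnose(table, "192.168.10.50"))
    print("fix:", missing_route_cmd())
```

    Run it as-is to see the before/after verdict, or paste a real `ip -4 route show` capture into `SAMPLE_ROUTES`. The return route can also be made unnecessary by enabling outbound NAT on pfSense's OpenVPN interface, so that 192.168.10.x clients appear on the bridged segment as 192.168.1.20; either way pfSense still needs firewall rules on that interface to pass the traffic, and a Windows host's own firewall can still drop pings from a subnet it does not consider local, as noted earlier in the thread.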



  • The hypervisor environment shouldn't matter much, as both sides just have standard bridged ethernet adapters and port 1194 is forwarded on the server side hypervisor using iptables. As far as the software is concerned, there is a physical switch connected.

    I don't have a DHCP on the server side - could that be a problem?



  • Kindly bumping.

    Anyone with any assistance on the firewall rules to allow my OVPN bridge to speak to my LAN? Thanks!