OpenVPN Site to Site - No pings



  • Morning all. I hope everyone is taking some time to remember our fallen heroes today.

    The issue I have this morning, is the following.

    I have a client that I am trying to set up a site-to-site OpenVPN connection with. Their setup is a PFSense box behind an existing DD-WRT router. I have forwarded port 1194 from the DD-WRT router (192.168.1.1) to the PFSense box (192.168.1.254). I have set up an OpenVPN site-to-site pre-shared key connection. The VPN from my office shows connected, and vice versa.

    The problem I have is that I cannot ping from my office to an endpoint within their office (from computers); however, I can ping endpoints in their office from my PFSense box.

    Little info:

    ClientIP: 192.168.1.x/24
    MyIP: 10.0.10.x/24
    Tun: 10.0.0.x/30

    I currently have two rules set up on each router. The WAN side allows OpenVPN ports from any source to any destination, and then I have an OpenVPN rule allowing any traffic, on any protocol, to any destination. This is duplicated on each side of the VPN.

    From everything I've seen online, this should be working. However, I cannot RDP into machines through the VPN, and I cannot ping endpoints across the tunnel from my Mac/Windows machines.

    I don't have any "Push" records in the advanced tabs on either side. Not sure if that's really needed?

    Any help would be appreciated!



  • Mutual access over a site-to-site VPN connection only works without further tuning if both sites, the server and the client, are the default gateways on the hosts you want to reach.
    If they aren't, you have to add routes or do NAT to get it working.



  • Thanks, Viragomann

    So, without getting too confusing (or trying not to).

    I'd have to set up custom routes, primarily on the PFSense box at the customer's, that is currently behind an existing router (gateway). I've just started messing with that.

    What I've done is change the OpenVPN to listen on the LAN interface. Made my changes to the firewall rules, allowing that traffic now through LAN instead of WAN. I've also made the appropriate IP changes in the active DD-WRT router/gateway. After having done that, I've now gone through to "Routing" and changed the current default gateway to LAN, which points to the DD-WRT box. Then I've gone into "Routing - Static Routes" and entered destination network 10.0.10.0/24 to go through the GW pointed to DD-WRT and saved that. Rebooted. Still the same thing.

    I'm assuming that the destination network needs to be the actual destination, and not the tunnel, correct?

    I've probably muddied this whole thing up. I hope what I've said makes sense.

    Thanks again for looking at this.



  • Yup, that did it.

    I went ahead and added a static route to both PFSense boxes, forcing their destination network through the appropriate GW. At least right now, my office can ping and hit endpoints on the client's side. I cannot yet ping my office from the client's side. That may be due to a pending reboot though.

    For whatever reason, that seems redundant to me. But I guess you're saying that if the PFSense box is behind another router, then that sort of thing needs to happen? Otherwise, if both boxes were up against the public IP/modem, that static routing would not need to occur?

    Thanks again for a nudge in the right direction.

    Now to clean up my mess, and work on DNS passing through.

    -Chrisso
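The reason Viragomann's reply and Chrisso's final post both land on "add a route" is easiest to see by tracing the echo request and its reply hop by hop through each device's routing table. The toy model below is an added example, not code from the thread, pfSense or DD-WRT; it uses constructed addresses that follow the poster's scheme (client LAN 192.168.1.0/24 with DD-WRT at 192.168.1.1 and the client pfSense at 192.168.1.254, office LAN 10.0.10.0/24, tunnel 10.0.0.0/30) and a constructed host on each side. Each node does a longest-prefix-match lookup the way a real kernel does; a next hop of `WAN` stands for "sent towards the Internet, where a private address never comes back". The model goes one step beyond the thread and also shows the NAT alternative Viragomann mentioned.

```python
"""Trace ICMP request/reply paths across a site-to-site VPN whose pfSense endpoint
is not the LAN hosts' default gateway.  Constructed example, not from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WAN = "WAN"  # next hop that leaves the private network; replies never return


@dataclass
class Node:
    name: str
    addrs: List[str]                          # addresses this device owns
    routes: List[Tuple[str, Optional[str]]]   # (prefix, next_hop); None = directly connected
    nat_addr: Optional[str] = None            # if set, SNAT forwarded traffic entering the LAN

    def lookup(self, dst: str):
        """Longest-prefix match over the routing table; None if no route matches."""
        ip = ipaddress.ip_address(dst)
        best = None
        for prefix, nh in self.routes:
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def owner(nodes: Dict[str, Node], ip: str) -> Optional[Node]:
    return next((n for n in nodes.values() if ip in n.addrs), None)


def forward(nodes, start: Node, src: str, dst: str, orig_dst: Optional[str] = None, max_hops=8):
    """Walk a packet from `start`; return (path, source address as seen at delivery or None)."""
    path, node = [start.name], start
    for _ in range(max_hops):
        if dst in node.addrs:
            if dst == node.nat_addr and orig_dst and orig_dst != dst:
                dst = orig_dst            # NAT router restores the real destination
                continue
            return path, src              # delivered
        match = node.lookup(dst)
        if match is None:
            return path + ["no-route"], None
        net, nh = match
        if nh == WAN:
            return path + ["WAN (lost)"], None
        if nh is None:                    # directly connected: hand to the owner of dst
            nxt = owner(nodes, dst)
            if node.nat_addr and ipaddress.ip_address(node.nat_addr) in net:
                src = node.nat_addr       # outbound NAT towards the LAN rewrites the source
        else:
            nxt = owner(nodes, nh)
        if nxt is None:
            return path + ["unreachable"], None
        path.append(nxt.name)
        node = nxt
    return path + ["loop"], None


def ping(nodes, src_name: str, dst_ip: str) -> dict:
    """Trace an echo request and its reply; ok only if both are delivered."""
    src = nodes[src_name]
    req, seen_src = forward(nodes, src, src.addrs[0], dst_ip)
    if seen_src is None:
        return {"request": req, "reply": None, "ok": False}
    rep, back = forward(nodes, owner(nodes, dst_ip), dst_ip, seen_src, orig_dst=src.addrs[0])
    return {"request": req, "reply": rep, "ok": back is not None}


def build_network(route_on_gateway=False, nat_on_pfsense=False) -> Dict[str, Node]:
    """Constructed topology following the thread's addressing scheme."""
    office_host = Node("office-host", ["10.0.10.50"],
                       [("10.0.10.0/24", None), ("0.0.0.0/0", "10.0.10.1")])
    office_pf = Node("office-pfsense", ["10.0.10.1", "10.0.0.1"],
                     [("10.0.10.0/24", None), ("10.0.0.0/30", None),
                      ("192.168.1.0/24", "10.0.0.2"), ("0.0.0.0/0", WAN)])
    client_pf = Node("client-pfsense", ["192.168.1.254", "10.0.0.2"],
                     [("192.168.1.0/24", None), ("10.0.0.0/30", None),
                      ("10.0.10.0/24", "10.0.0.1"), ("0.0.0.0/0", "192.168.1.1")],
                     nat_addr="192.168.1.254" if nat_on_pfsense else None)
    ddwrt_routes = [("192.168.1.0/24", None), ("0.0.0.0/0", WAN)]
    if route_on_gateway:                  # the fix: static route on the LAN's default gateway
        ddwrt_routes.append(("10.0.10.0/24", "192.168.1.254"))
    ddwrt = Node("dd-wrt", ["192.168.1.1"], ddwrt_routes)
    client_host = Node("client-host", ["192.168.1.50"],
                       [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")])
    return {n.name: n for n in (office_host, office_pf, client_pf, ddwrt, client_host)}


if __name__ == "__main__":
    for label, net in (("no route", build_network()),
                       ("route on DD-WRT", build_network(route_on_gateway=True)),
                       ("NAT on client pfSense", build_network(nat_on_pfsense=True))):
        print(label, ping(net, "office-host", "192.168.1.50"))
```

Without the route, the request reaches the client host fine, which is why the VPN "shows connected"; the reply is what fails, because the host sends it to DD-WRT and DD-WRT only knows its own LAN and the Internet. Adding `10.0.10.0/24 via 192.168.1.254` on DD-WRT fixes the reply path; NAT on the client pfSense fixes it differently by making replies go straight to 192.168.1.254, at the cost of hiding the real office addresses from the client LAN.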