• Hello,

    I've setup a site to site openvpn.

    PfSense 2.3.1

    Main office has a static IP
    Main office ip range
    Remote office has a static ip
    Remote office ip range

    Setup the server on the main office with the following settings
    prot: UDP
    port: 1195
    Shared key
    IPv4 tunnel Network:
    IPv4 Remote Network:

    Setup client on remote site with the following settings
    prot: UDP
    Server host : static ip from main office
    port: 1195
    Shared key
    IPv4 tunnel network:
    IPv4 Remote Network:

    Remote site can connect to ressources on Main office (ping, smb, ftp…)
    Main office cannot ping or connect to remote office's network

    Opened port 1195 in the openvpn rules on both sides

    What am i missing here?


  • A route (or lack thereof) on the remote office side? Is pfSense the default gateway for machines in the remote office? If not, does the actual default gateway have a route pointing traffic for over to your pfSense box? Make sure to check the resources in the remote office. Sometimes people get creative with "security" and don't assign a default gateway to servers/devices that shouldn't be accessing the Internet.

    I would also do a packet capture on the remote office pfSense to verify that the packets from the main office are indeed getting that far. Then a packet capture on a resource as you attempt to access it from the main office.

  • LAYER 8 Netgate

    You don't open the OpenVPN port on the OpenVPN rules. You pass the traffic you want to allow from the Remote Networks coming in through the tunnel.

    You need to pass the UDP/1195 on the Server's WAN so the client can connect to the server to establish the tunnel. This has obviously been done or the tunnel would not be coming up.

    You might want to start with rules like this on both sides.

    If you do that and still can't contact hosts on one side, it is probably the local firewall on the target host (ie Windows Firewall).

    ![Screen Shot 2016-07-15 at 12.02.23 AM.png](/public/imported_attachments/1/Screen Shot 2016-07-15 at 12.02.23 AM.png)
    ![Screen Shot 2016-07-15 at 12.02.23 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2016-07-15 at 12.02.23 AM.png_thumb)

  • Now i'm getting a bit further.

    Remote office can access head office's ressources except for the freepbx IAX2 trunk

    Head office can access some ressources. Here's what's still not working or working.

    Head office can connect to remote office's pfsense gui
    Head office can't connect to remote office's freepbx (185.8) or openMediaVault (185.49)
    Remote office can connect to head office's freepbx and pfsense gui.

    I can see in the fw logs that my pc pass Freepbx webgui


    ![Remote Lan rules.png](/public/imported_attachments/1/Remote Lan rules.png)
    ![Remote Lan rules.png_thumb](/public/imported_attachments/1/Remote Lan rules.png_thumb)
    ![Remote openvpn rules.png](/public/imported_attachments/1/Remote openvpn rules.png)
    ![Remote openvpn rules.png_thumb](/public/imported_attachments/1/Remote openvpn rules.png_thumb)

  • I've ran Wireshark on my system and the "expert" information shows reassembly error protocol tcp

    Attached some screenshots

    Also, packet capture between the two freepbx shows bad checksum only from remote site to head office. > [bad udp cksum 0xe996 -> 0xb1ab!] UDP, length 14 > [udp sum ok] UDP, length 14

    ![Wireshark capture.png](/public/imported_attachments/1/Wireshark capture.png)
    ![Wireshark capture.png_thumb](/public/imported_attachments/1/Wireshark capture.png_thumb)