OpenVPN Site-to-Site Server Replies not reaching Client



  • I've set up an OpenVPN Site-to-Site and the client side packet captures are not showing the Server replies.  Now, I know that the Server is Receiving/Sending based on the packet captures I'm seeing AND based on the FW MATCH rule logs on my Edge/Gateway.  I doubt that they are getting lost in transit.

    The 'client' is also a Server but on a different port (1194) for mobile client Admin access.  That works great!!

    I assumed since the traffic is originating from the client that a WAN rule to allow reply traffic wouldn't be needed.

    The Gateway monitoring status for both the client and the server are showing offline and I've restarted both services with no change.

    My thought was that it's a routing issue.

    Thanks in advance for your assistance.  Willing to post settings if that would help.



  • @dbennett:

    I've set up an OpenVPN Site-to-Site and the client side packet captures are not showing the Server replies.  Now, I know that the Server is Receiving/Sending based on the packet captures I'm seeing AND based on the FW MATCH rule logs on my Edge/Gateway.

    This can happen if the server has no route to the client-side network. So the packets would be sent to the default gateway.
    Have you entered the client's subnet in the "Remote networks" box in the server settings?

    @dbennett:

    The 'client' is also a Server but on a different port (1194) for mobile client Admin access.

    So you will have to assign a separate interface to each OpenVPN instance to get a separate gateway for each. Otherwise pfSense handles the OVPN interfaces as an interface group and traffic will be partially misrouted.

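To see why the server's replies end up at the default gateway when the "Remote networks" route is missing, here is a small added example (my own, not from the thread or from pfSense) that runs a longest-prefix lookup over a constructed netstat -rn style table; all addresses and interface names in it are assumptions.

```python
import ipaddress

# Constructed FreeBSD-style routing table (netstat -rn), NOT taken from the poster's box.
# Assumptions: 203.0.113.1 is the WAN default gateway on em0, 10.8.0.2 is the S2S peer's
# tunnel address on ovpns1, and 192.168.2.0/24 is the network behind the S2S client.
ROUTES_WITHOUT_REMOTE_NET = """\
default            203.0.113.1        UGS         em0
10.8.0.0/24        link#8             U           ovpns1
192.168.1.0/24     link#1             U           em1
"""

# Same table after the client's subnet is entered in "Remote networks",
# which makes OpenVPN add a route for it via the peer's tunnel address.
ROUTES_WITH_REMOTE_NET = ROUTES_WITHOUT_REMOTE_NET + \
    "192.168.2.0/24     10.8.0.2           UGS         ovpns1\n"


def parse_routes(table):
    """Turn netstat-style lines into (network, gateway, interface) tuples."""
    routes = []
    for line in table.splitlines():
        dest, gw, _flags, iface = line.split()
        # 'default' is 0.0.0.0/0; a bare host entry becomes a /32
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        routes.append((net, gw, iface))
    return routes


def lookup(table, dst):
    """Longest-prefix match: where would a reply packet to dst be sent?"""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in parse_routes(table):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best[1], best[2]


def reply_uses_tunnel(table, dst):
    """True if the reply leaves via an OpenVPN interface instead of the WAN."""
    return lookup(table, dst)[1].startswith("ovpn")


if __name__ == "__main__":
    for name, table in (("without", ROUTES_WITHOUT_REMOTE_NET), ("with", ROUTES_WITH_REMOTE_NET)):
        print(name, "remote network route ->", lookup(table, "192.168.2.10"))
```

The first lookup shows the reply to a client-side host leaving through the WAN gateway (where it is simply lost), the second shows it going into the tunnel once the route exists.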


  • Thank you very much for the quick reply!

    @viragomann:

    @dbennett:

    I've set up an OpenVPN Site-to-Site and the client side packet captures are not showing the Server replies.  Now, I know that the Server is Receiving/Sending based on the packet captures I'm seeing AND based on the FW MATCH rule logs on my Edge/Gateway.

    This can happen if the server has no route to the client-side network. So the packets would be sent to the default gateway.
    Have you entered the client's subnet in the "Remote networks" box in the server settings?

    I have not.  I want only specific IPs listed in an alias to go through the tunnel.  If I place a value in the 'Remote networks' box, will that cause any issues with traffic leaving the 'Server' site to the WAN?  Right now there is nothing in that alias.  I wanted to make sure the tunnel was established first before pushing traffic through it.

    @dbennett:

    The 'client' is also a Server but on a different port (1194) for mobile client Admin access.

    So you will have to assign a separate interface to each OpenVPN instance to get a separate gateway for each. Otherwise pfSense handles the OVPN interfaces as an interface group and traffic will be partially misrouted.

    I created an interface / Gateway for the site-to-site (S2S) along with an Outbound NAT rule for the Client connection to route through that interface and gateway.  I did the same thing for the S2S Server.  So I should have two OpenVPN interfaces / gateways on the client side; one for that site's server (1194) and one for the S2S Client traffic (1195)?

    Again, thanks for your help!!



  • @dbennett:

    I want only specific IPs listed in an alias to go through the tunnel.  If I place a value in the 'Remote networks' box, will that cause any issues with traffic leaving the 'Server' site to the WAN?

    That just sets the route to the networks behind the client to the client's IP if the connection is up. It will have a private IP range.
    Your server cannot reach this network over WAN.
    You can also enter single hosts in these fields.

    @dbennett:

    I created an interface / Gateway for the site-to-site (S2S) along with an Outbound NAT rule for the Client connection to route through that interface and gateway.  I did the same thing for the S2S Server.  So I should have two OpenVPN interfaces / gateways on the client side; one for that site's server (1194) and one for the S2S Client traffic (1195)?

    That's alright. However, bear in mind that you have to define your VPN firewall rules on these new interfaces now.