Cannot reach certain IPs on remote LAN across OpenVPN site-to-site connection



  • This is a strange one that I can't get my head around.
    We have a site-to-site OpenVPN set-up something like this:

    Site A: 192.168.0.0/24 (OpenVPN Server) ----> 10.0.0.9/24 (Tunnel Network) ----> Site B: 192.168.3.0/24 (OpenVPN Client)

    From Site B, I can reach the following IPs on Site A:

    • 192.168.0.1 - (pfSense box)

    • 192.168.0.3 - (server)

    However, I cannot reach 192.168.0.47 (which is a desktop machine on Site A) from Site B.
    When I'm positioned on Site A, I can reach the same machine just fine.

    What could I possibly have in my set-up that allows me to reach certain IPs in Site A from Site B - but not all of them?



  • Some further information on this.

    Running a tracert from Site B to a reachable machine in Site A yields the following:

    $>tracert 192.168.0.1
    
    Tracing route to 192.168.0.1 over a maximum of 30 hops
    
      1    <1 ms    <1 ms    <1 ms  pfSense-jm.archway.local [192.168.3.1]
      2    71 ms    54 ms    62 ms  192.168.0.1
    

    Running tracert against the unreachable IP yields the following:

    $>tracert 192.168.0.47
    
    Tracing route to archway-pc05.archway.local [192.168.0.47]
    over a maximum of 30 hops:
    
      1    <1 ms    <1 ms    <1 ms  pfSense-jm.archway.local [192.168.3.1]
      2     *       64 ms    52 ms  10.0.9.1
      3     *        *        *     Request timed out.
      4     *        *        *     Request timed out.
      5     *        *        *     Request timed out.
      6     *        *        *     Request timed out.
    

    Note how it's heading out the Tunnel network. Would this be expected behavior?



  • Packet Capture is your friend. Have you tried doing a packet capture on the LAN interface of the firewall on Site A as you try to do a traceroute to 192.168.0.47 ?

    Is .47 reachable from the firewall in the same site? You might double check your subnet mask on both devices to make sure they are /24 (255.255.255.0).

    Is the firewall on, on this particular workstation? Can you turn it off and test again?



  • If the .47 device is a Windows client then it probably has its own firewall settings that respond to ping from the local subnet but not to remote pings from outside the subnet.
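    One way to check the two firewall questions raised in the previous answers (is the workstation's host firewall in play, and is its ICMP rule scoped to the local subnet only), as an added example that is not part of the original thread. It assumes the Site A LAN 192.168.0.0/24 and Site B LAN 192.168.3.0/24 from the question, is run in an elevated PowerShell session on the .47 workstation, and uses a hypothetical rule name for the new allow rule.

```powershell
# Added example (not from the original thread): show why a Windows host may answer
# ping from its own subnet but not from a remote VPN subnet, then allow echo requests
# from that remote subnet only. Assumes Site B LAN = 192.168.3.0/24 (from the question).
# Run as Administrator on the .47 workstation.
$remoteLan = '192.168.3.0/24'   # Site B LAN, as described in the question

# 1. Built-in ICMPv4 echo-request rules and their remote-address scope.
#    On the Private/Domain profiles this scope is commonly 'LocalSubnet', which
#    produces exactly the "replies to local pings, not remote ones" behaviour.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.DisplayName -like '*Echo Request - ICMPv4-In*' } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.DisplayName
            Profile       = $_.Profile
            Enabled       = $_.Enabled
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize

# 2. Which profile the LAN adapter is on. A 'Public' profile blocks inbound
#    ICMP regardless of the rule scope shown above.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# 3. Add a dedicated inbound rule for echo requests from the remote LAN only.
#    Scoping to $remoteLan rather than 'Any' keeps the exposure limited to the
#    peer site; the built-in rules are left untouched.
$ruleName = 'ICMPv4-In from Site B VPN LAN'   # hypothetical rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $remoteLan -Action Allow -Profile Any | Out-Null
}

# 4. Verify the new rule's scope before testing ping from Site B again.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

    If step 1 shows RemoteAddress = LocalSubnet on the enabled rule and step 2 shows the adapter on the Private profile, the host firewall alone explains the symptom; if the ping still fails after step 3, the earlier suggestion of a packet capture on the Site A LAN interface will tell you whether the echo request is even reaching the .47 host.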