Cannot reach certain IPs on remote LAN across OpenVPN site-to-site connection

  • This is a strange one that I can't get my head around.
    We have a site-to-site OpenVPN set-up something like this:

    Site A: (OpenVPN Server) ----> (Tunnel Network) ----> Site B: (OpenVPN Client)

    From Site B, I can reach the following IPs on Site A:

    • - (pfSense box)

    • - (server)

    However, I cannot reach (which is a desktop machine on Site A) from Site B.
    When I'm positioned on Site A, I can reach the same machine just fine.

    What could I possibly have in my set-up that allows me to reach certain IPs in Site A from Site B - but not all of them?

  • Some further information on this.

    Running a tracert from Site B to a reachable machine in Site A yields the following:

    Tracing route to over a maximum of 30 hops
      1    <1 ms    <1 ms    <1 ms  pfSense-jm.archway.local []
      2    71 ms    54 ms    62 ms

    Running tracert against the unreachable IP yields the following:

    Tracing route to archway-pc05.archway.local []
    over a maximum of 30 hops:
      1    <1 ms    <1 ms    <1 ms  pfSense-jm.archway.local []
      2     *       64 ms    52 ms
      3     *        *        *     Request timed out.
      4     *        *        *     Request timed out.
      5     *        *        *     Request timed out.
      6     *        *        *     Request timed out.

    Note how it's heading out the Tunnel network. Would this be expected behavior?

  • Packet Capture is your friend. Have you tried doing a packet capture on the LAN interface of the firewall on Site A as you try to do a traceroute to ?

    Is .47 reachable from the firewall in the same site? You might double check your subnet mask on both devices to make sure they are /24 (

    Is the firewall enabled on this particular workstation? Can you turn it off and test again?

  • If the .47 device is a Windows client then it probably has its own firewall settings that respond to ping from the local subnet but not to remote pings from outside the subnet.
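    As an added illustration of that last answer (not code from the thread), here is how to check on the Site A workstation which inbound ICMPv4 echo rules are enabled and what remote-address scope they carry, and how to allow echo requests from the remote site's subnet only, rather than turning the firewall off. The remote subnet is a placeholder, since the thread does not give the real one.

```powershell
# Added example (not from the thread): inspect the scope of inbound ICMPv4 echo
# rules and, if none covers the remote VPN site, add one scoped to that site only.
# The subnet below is a PLACEHOLDER; the thread does not give Site B's real LAN.
$RemoteSiteSubnet = '10.0.2.0/24'

# 1. Enabled inbound allow rules for ICMPv4 echo request (type 8), with their scope.
$echoRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $port.Protocol -eq 'ICMPv4' -and ($port.IcmpType -like '8*' -or $port.IcmpType -eq 'Any')
    }

foreach ($rule in $echoRules) {
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $rule.DisplayName
        Profile       = $rule.Profile
        RemoteAddress = ($addr.RemoteAddress -join ',')
    }
}
# A RemoteAddress of 'LocalSubnet' matches the symptom in the thread: pings from the
# Site A LAN are answered, pings arriving through the tunnel from Site B are dropped.

# 2. If no rule already covers the remote site (or everything), add a narrow one.
#    Windows may display a CIDR scope as address/mask, so compare loosely.
$covered = $echoRules |
    ForEach-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } |
    Where-Object { $_ -eq 'Any' -or $_ -like ($RemoteSiteSubnet.Split('/')[0] + '*') }

if (-not $covered) {
    New-NetFirewallRule -DisplayName 'Allow ICMPv4 echo from remote VPN site' `
        -Direction Inbound -Action Allow -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $RemoteSiteSubnet -Profile Any
}
```

    Run it in an elevated PowerShell session on the unreachable workstation; the listing in step 1 is what a packet capture on the Site A LAN interface would corroborate (echo requests arriving, no replies leaving).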