Client to Client Openvpn connects but no traffic (Solved)

Shaddoh · Jan 17, 2017, 9:31 PM

Hello,
Trying to get a site to site openvpn working on pfsense. The status shows as up but no traffic is passed. I have at site A a file server connected to the pfsense. from the pfsense it goes to outside. At site B i have client computers connected to a pfsense and then to the outside. My Goal is to have all the clients be able to see the file server across the vpn. I used https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL) as my guide.

I did use client specific override to try to connect.
From the router at site B I can ping Computers at site A.
From any computer on site B I can not ping anything at Site A.
From Diagnostic Routes I can see the network from the other end.
I have the local network as 192.168.3.1/24, If I switch it to 192.168.3.0/24 I lose the ability to ping from the router

I used the openvpn wizard to create everything.
I have watched tons of videos and set it up the exact same way.
I had another person come delete everything I did and re set it up how he has done in the past and I watched him. He did everything I had done and is still at same spot of it connecting but no traffic.

This is my first post so please any info you need more on my part just let me know

viragomann · Dec 14, 2016, 9:09 PM

Which site is the server, which the client?
Are both pfSense boxes the default gateways in their networks?
Have you add firewall rule to allow access?
What are your local networks?
Post the routes of both sites.

Client specific overrides are needless for a site to site vpn.

Shaddoh · Dec 14, 2016, 10:14 PM

Which site is the server, which the client?
Site A is the server and site B is the client

Are both pfSense boxes the default gateways in their networks?
Yes both are the default gateways

Have you add firewall rule to allow access?
Yes, I had even changed them to any any any to verify if the firewall was causing it.

What are your local networks?
Site A internal is 192.168.3.1/24 this is the pfsense IP and then uses one port connected to the lan network on dhcp, and a separate port connected to a wifi device that acts as a public wifi, I have firewall rule to not allow any thing on the wifi subnet to take to the lan . The wifi network is 192.168.4.1/24

Site B is 192.168.10.1/24 on pfsense, then it has a lan on the .10 network on dhcp, It has another port that is 192.168.11.1/24 for private wifi, another port for 192.168.12.1/24 for public wifi

Post the routes of both sites.

Shaddoh · Dec 14, 2016, 10:15 PM

Network map made in paint :)

viragomann · Dec 15, 2016, 12:05 PM

Okay, and you only want to access the server in site A LAN 192.168.3.1/24 from site B LAN 192.168.10.1/24?
Pleas post the IPv4 routing tables of both pfSense. Diagnostic > Routes

Shaddoh · Dec 21, 2016, 3:52 PM

This is site A. The public address has been blacked out

![routes at site A.PNG](/public/imported_attachments/1/routes at site A.PNG)
![routes at site A.PNG_thumb](/public/imported_attachments/1/routes at site A.PNG_thumb)

Shaddoh · Dec 21, 2016, 3:53 PM

This is site B. The public IP has been blocked out

![Site B routes.PNG_thumb](/public/imported_attachments/1/Site B routes.PNG_thumb)
![Site B routes.PNG](/public/imported_attachments/1/Site B routes.PNG)

Shaddoh · Dec 21, 2016, 3:54 PM

And yes, the objective is to view the file server at site A from site B

viragomann · Dec 21, 2016, 5:26 PM

It seems, the sreenshots are not taken from the same connection. The firest shows the vpn server with 192.168.100.1 and the client with 192.168.100.2, the second shows the server has 192.168.100.5 and the client 192.168.100.6.

However, it looks like there is something miss-configured at the client.
Have you deleted any client specific override on server?
Post the client settings, please.

Shaddoh · Dec 29, 2016, 9:34 PM

Client side config file

Shaddoh · Dec 29, 2016, 9:34 PM

Client side config page 2

Shaddoh · Dec 29, 2016, 9:37 PM

Client over ride on the server side

viragomann · Dec 30, 2016, 2:03 PM

If you only have one vpn client you don't need client specific overrides, as i've already mentioned. So you should delete it and enter the clients LAN subnet 192.168.10.0/24 into the "IPv4 Remote network(s)" box in the server config and the server sides LAN 192.168.3.0/24 into the "IPv4 Remote network(s)" box in the client settings.

If you have multiple clients you have to use client specific overrides, but you've it set wrong. At "IPv4 Remote network/s" you've to enter the client sides LAN 192.168.10.0/24 and at "IPv4 Local Network/s" the server sides LAN.

Shaddoh · Jan 3, 2017, 1:33 AM

New client side config

![new client side.PNG](/public/imported_attachments/1/new client side.PNG)
![new client side.PNG_thumb](/public/imported_attachments/1/new client side.PNG_thumb)

Shaddoh · Jan 3, 2017, 1:37 AM

New Server side config. NOTE the client specific override has been deleted

![new server side config.PNG](/public/imported_attachments/1/new server side config.PNG)
![new server side config.PNG_thumb](/public/imported_attachments/1/new server side config.PNG_thumb)

Shaddoh · Jan 3, 2017, 1:39 AM

We are at the same state. I restarted the openvpn service on both ends after the change. The status shows as up, but data not passing through. Please let me know what further info I can post to help resolve this.

viragomann · Jan 3, 2017, 10:37 AM

As you wrote in your first post:
@Shaddoh:

From the router at site B I can ping Computers at site A.
From any computer on site B I can not ping anything at Site A.

There are only two possible reasons for this behavior:

The pfSense at site B isn't the default gateway.
The firewall rules doesn't allow access. Check LAN rules at site B and OpenVPN rules at A.
The server at site A itself blocks the access from the other subnet. Try to shut down the servers firewall.

If you have no luck use packet capture from pfSense Diagnostic menu to check where the packets are dropped while you're pinging the server from a host at A.

Shaddoh · Jan 4, 2017, 8:33 PM

The pfSense at site B isn't the default gateway.
The firewall rules doesn't allow access. Check LAN rules at site B and OpenVPN rules at A.
The server at site A itself blocks the access from the other subnet. Try to shut down the servers firewall.

Sire B pfsense is the default gateway. It is the router being used for DHCP there. There is a modem in front of it but that is it.
I have checked the rules several times and unless I am skipping over something they are what appear to be correct. I can post pictures of the rules I have
Firewall is turned off

Notes:
I read some other forum, where someone was asked to create an interface named openvpn and then create rules in there. What i did was use the wizard and it created rules under firewall>rules> openvpn

Upgraded the site A pfsense to latest version. thought it may have been a bug or something. But did not help

Shaddoh · Jan 4, 2017, 8:36 PM

These are firewalls on Site A the server side. Hosting openVPN

bjquinn · Jan 14, 2017, 6:51 PM

Hi, I'm working on the same VPN setup as Shaddoh. We went ahead and upgraded both pfSense routers to 2.3.2_1, deleted all the openvpn configurated and started over again, creating the openvpn setup with the wizard. Firewall rules look ok. Both client and server now see each others' tunnel IPs as the same (server is 10.0.8.1, client is 10.0.8.2) as opposed to the .1 .2 / .5 .6 mismatch we were seeing before.

Computer on Server's LAN network 192.168.3.50
Server LAN IP 192.168.3.1
Server tunnel IP 10.0.8.1
Client tunnel IP 10.0.8.2
Client LAN IP 192.168.10.1
Computer on Client's LAN network 192.168.10.13

192.168.3.50 can ping all IPs through and including 10.0.8.2, but no further.
192.168.3.1 (i.e. pinging from pfSense server, specifing LAN interface) can ping through to 10.0.8.2, but no further.
10.0.8.1 (i.e. pinging from pfSense server, specifying OpenVPN Server) can ping through to 10.0.8.2, but no further.

Obviously, traffic is flowing over the VPN, but from the server side, it can get to 10.0.8.2 but not from there to 192.168.10.x.

192.168.10.1 (pfSense client, specifying LAN interface) can ping through to 10.0.8.2, but no further. Unlike server -> client, in this direction the client pfsense LAN interface cannot see the tunnel IP on the server end.
10.0.8.2 (i.e. pinging from pfSense client, specifying OpenVPN client) can ping all the way through to 192.168.3.50. BUT! It can't ping 192.168.10.13, which is on the same physical network!

I must have some routing issue, but I can't quite understand what it could be. 192.168.3.50 can get through to 10.0.8.2, but NOT to 192.168.10.1. Then 10.0.8.2 can get to 192.168.10.1, though it can't see 192.168.10.13, and obviously 192.168.10.1 can ping 192.168.10.13.

The problem seems to be getting from 10.0.8.2 to IPs that are physically on the same pfSense router, though it can connect to the LAN IP of that router.