    Client to Client Openvpn connects but no traffic (Solved)

Shaddoh

Hello,
Trying to get a site-to-site OpenVPN working on pfSense. The status shows as up but no traffic is passed. I have at site A a file server connected to the pfSense; from the pfSense it goes to the outside. At site B I have client computers connected to a pfSense and then to the outside. My goal is to have all the clients be able to see the file server across the VPN. I used https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL) as my guide.

I did use a client specific override to try to connect.
From the router at site B I can ping computers at site A.
From any computer on site B I can not ping anything at site A.
From Diagnostic Routes I can see the network from the other end.
I have the local network as 192.168.3.1/24. If I switch it to 192.168.3.0/24 I lose the ability to ping from the router.

I used the OpenVPN wizard to create everything.
I have watched tons of videos and set it up the exact same way.
I had another person come delete everything I did and re-set it up how he has done it in the past, and I watched him. He did everything I had done and is still at the same spot of it connecting but no traffic.

This is my first post, so if you need any more info from me, please just let me know.

viragomann

        Which site is the server, which the client?
        Are both pfSense boxes the default gateways in their networks?
Have you added a firewall rule to allow access?
        What are your local networks?
        Post the routes of both sites.

        Client specific overrides are needless for a site to site vpn.

Shaddoh

> Which site is the server, which the client?

Site A is the server and site B is the client.

> Are both pfSense boxes the default gateways in their networks?

Yes, both are the default gateways.

> Have you added a firewall rule to allow access?

Yes, I had even changed them to any any any to verify if the firewall was causing it.

> What are your local networks?

Site A internal is 192.168.3.1/24; this is the pfSense IP, and then it uses one port connected to the LAN network on DHCP, and a separate port connected to a wifi device that acts as a public wifi. I have a firewall rule to not allow anything on the wifi subnet to talk to the LAN. The wifi network is 192.168.4.1/24.

Site B is 192.168.10.1/24 on pfSense, then it has a LAN on the .10 network on DHCP. It has another port that is 192.168.11.1/24 for private wifi, and another port at 192.168.12.1/24 for public wifi.

> Post the routes of both sites.

Shaddoh

            Network map made in paint :)

            network.png

viragomann

              Okay, and you only want to access the server in site A LAN 192.168.3.1/24 from site B LAN 192.168.10.1/24?
Please post the IPv4 routing tables of both pfSense boxes: Diagnostic > Routes.

Shaddoh

This is site A. The public address has been blacked out.

                ![routes at site A.PNG](/public/imported_attachments/1/routes at site A.PNG)

Shaddoh

This is site B. The public IP has been blocked out.

                  ![Site B routes.PNG](/public/imported_attachments/1/Site B routes.PNG)

Shaddoh

And yes, the objective is to view the file server at site A from site B.

viragomann

It seems the screenshots are not taken from the same connection. The first shows the VPN server with 192.168.100.1 and the client with 192.168.100.2; the second shows the server has 192.168.100.5 and the client 192.168.100.6.

However, it looks like there is something misconfigured at the client.
Have you deleted any client specific override on the server?
Post the client settings, please.

Shaddoh

                        Client side config file

                        client1.PNG

Shaddoh

                          Client side config page 2

                          Client2.PNG

Shaddoh

Client override on the server side

                            serverside.PNG

viragomann

If you only have one VPN client you don't need client specific overrides, as I've already mentioned. So you should delete it and enter the client's LAN subnet 192.168.10.0/24 into the "IPv4 Remote network(s)" box in the server config and the server side's LAN 192.168.3.0/24 into the "IPv4 Remote network(s)" box in the client settings.

If you have multiple clients you have to use client specific overrides, but you've set it wrong. At "IPv4 Remote network/s" you have to enter the client side's LAN 192.168.10.0/24 and at "IPv4 Local Network/s" the server side's LAN.

Shaddoh

                                New client side config

                                ![new client side.PNG](/public/imported_attachments/1/new client side.PNG)

Shaddoh

New server side config. NOTE: the client specific override has been deleted.

                                  ![new server side config.PNG](/public/imported_attachments/1/new server side config.PNG)

Shaddoh

We are at the same state. I restarted the OpenVPN service on both ends after the change. The status shows as up, but data is not passing through. Please let me know what further info I can post to help resolve this.

viragomann

As you wrote in your first post:

> @Shaddoh:
> From the router at site B I can ping computers at site A.
> From any computer on site B I can not ping anything at site A.

There are only two possible reasons for this behavior:

• The pfSense at site B isn't the default gateway.

• The firewall rules don't allow access. Check LAN rules at site B and OpenVPN rules at A.

• The server at site A itself blocks the access from the other subnet. Try to shut down the server's firewall.

If you have no luck, use packet capture from the pfSense Diagnostic menu to check where the packets are dropped while you're pinging the server from a host at A.

Shaddoh

> The pfSense at site B isn't the default gateway.
> The firewall rules don't allow access. Check LAN rules at site B and OpenVPN rules at A.
> The server at site A itself blocks the access from the other subnet. Try to shut down the server's firewall.

Site B pfSense is the default gateway. It is the router being used for DHCP there. There is a modem in front of it, but that is it.
I have checked the rules several times and, unless I am skipping over something, they appear to be correct. I can post pictures of the rules I have.
Firewall is turned off.

Notes:
I read some other forum where someone was asked to create an interface named openvpn and then create rules in there. What I did was use the wizard, and it created rules under Firewall > Rules > OpenVPN.

Upgraded the site A pfSense to the latest version. I thought it may have been a bug or something, but it did not help.

Shaddoh

These are the firewalls on Site A, the server side, hosting OpenVPN.

GuestWIFISiteA.png
LANSiteA.png
WANSiteA.png
openvpnSiteA.png

bjquinn

Hi, I'm working on the same VPN setup as Shaddoh. We went ahead and upgraded both pfSense routers to 2.3.2_1, deleted all the OpenVPN configuration and started over again, creating the OpenVPN setup with the wizard. Firewall rules look OK. Both client and server now see each other's tunnel IPs as the same (server is 10.0.8.1, client is 10.0.8.2) as opposed to the .1 .2 / .5 .6 mismatch we were seeing before.

Computer on Server's LAN network 192.168.3.50
Server LAN IP 192.168.3.1
Server tunnel IP 10.0.8.1
Client tunnel IP 10.0.8.2
Client LAN IP 192.168.10.1
Computer on Client's LAN network 192.168.10.13

192.168.3.50 can ping all IPs through and including 10.0.8.2, but no further.
192.168.3.1 (i.e. pinging from pfSense server, specifying LAN interface) can ping through to 10.0.8.2, but no further.
10.0.8.1 (i.e. pinging from pfSense server, specifying OpenVPN Server) can ping through to 10.0.8.2, but no further.

Obviously, traffic is flowing over the VPN, but from the server side it can get to 10.0.8.2 but not from there to 192.168.10.x.

192.168.10.1 (pfSense client, specifying LAN interface) can ping through to 10.0.8.2, but no further. Unlike server -> client, in this direction the client pfSense LAN interface cannot see the tunnel IP on the server end.
10.0.8.2 (i.e. pinging from pfSense client, specifying OpenVPN client) can ping all the way through to 192.168.3.50. BUT! It can't ping 192.168.10.13, which is on the same physical network!

I must have some routing issue, but I can't quite understand what it could be. 192.168.3.50 can get through to 10.0.8.2, but NOT to 192.168.10.1. Then 10.0.8.2 can get to 192.168.10.1, though it can't see 192.168.10.13, and obviously 192.168.10.1 can ping 192.168.10.13.

The problem seems to be getting from 10.0.8.2 to IPs that are physically on the same pfSense router, though it can connect to the LAN IP of that router.

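The "IPv4 Remote network(s)" and client specific override fields viragomann describes, and the server-to-client half of bjquinn's ping table, both come down to a few plain OpenVPN directives. The fragments below are an added illustration, not the posters' configs or screenshots, of what pfSense writes for the addressing used in this thread (server LAN 192.168.3.0/24, client LAN 192.168.10.0/24, tunnel 10.0.8.0/24); the client certificate common name `siteB`, the hostname `vpn.siteA.example` and the file paths are assumptions.

```conf
# --- Server side (site A), as written from the OpenVPN server page ---
dev tun
topology subnet
server 10.0.8.0 255.255.255.0            # tunnel larger than /30: OpenVPN runs in multi-client mode
push "route 192.168.3.0 255.255.255.0"   # "IPv4 Local network(s)": pushed to the client so it can reach site A LAN
route 192.168.10.0 255.255.255.0         # "IPv4 Remote network(s)": kernel route sending site B LAN into the tun device
client-config-dir /var/etc/openvpn-csc/server1   # where client specific overrides land (assumed pfSense default path)

# --- Client specific override for site B, file named after the client cert CN ---
# /var/etc/openvpn-csc/server1/siteB (assumed path)
#
# In multi-client mode the kernel route above only hands packets to the OpenVPN
# process; the iroute is what tells OpenVPN which connected client owns
# 192.168.10.0/24. Without it the server can reach the client's tunnel IP 10.0.8.2
# but nothing behind it, and packets arriving from 192.168.10.x are dropped as
# coming from an unknown source: the server-side pattern in the ping table above.
iroute 192.168.10.0 255.255.255.0

# The misplaced entry discussed earlier in the thread, the server's own LAN put in
# the override's remote-network field, would instead produce:
# iroute 192.168.3.0 255.255.255.0
# which claims site A's LAN lives behind the client and breaks routing both ways.

# --- Client side (site B), as written from the OpenVPN client page ---
dev tun
client
remote vpn.siteA.example 1194 udp        # assumed server address
route 192.168.3.0 255.255.255.0          # "IPv4 Remote network(s)" on the client page
```

With a /30 tunnel network pfSense omits the `server` directive and the tunnel is a plain point-to-point link, which is the case where no override is needed; a packet capture on the server's tun interface while pinging from a site B LAN host shows whether echo requests from 192.168.10.x reach the tun device at all, which separates this mapping problem from a firewall rule problem.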