Site-to-Site access on both sides
I'm missing something in my configuration. I have site-to-site working and hosts at the remote site can ping hosts at headquarters. However hosts at headquarters can't ping remote hosts.
Our OVPN config at HQ hands out an IP address to the client pfsense at the remote site something like 10.0.10.2. That remote pfsense is handing out IPs to its hosts (i.e 10.0.11.21)
When I log into the HQ pfsense, and try to ping 10.0.11.21 from the cli, it doesn't work. tcpdump on the remote host shows it's not even receiving the ping request.
FWIW, I have been able to get normal OVPN to work in both directions, but site-to-site seems to require another level of NAT, so I'm stuck.
Thanks in advance for your time!
No, there's no NAT needed for site-to-site, but a view routing options.
In the server settings have you entered the appropriate subnets in "IPv4 Local network(s)" and "IPv4 Remote network(s)"?
Also in the client settings you have to enter the server sides LAN subnets you want to access in "IPv4 Remote network(s)".
Furthermore you need firewall rules on both sites to allow the access.
You need a route on the client settings to the server side subnet and the iroute on the connecting client to the server side subnet in order for the Clint subnet to respond to packets from the server side subnet.
If your server side subnet is 10.2.0.0/24 you need to add iroute 10.2.0.0/24 to the client specific overrides section of the OpenVPN configuration on the client side