Netgate Discussion Forum

    Site-to-Site access on both sides

    OpenVPN
    • pixelrebel

      I'm missing something in my configuration. I have site-to-site working and hosts at the remote site can ping hosts at headquarters. However, hosts at headquarters can't ping remote hosts.

      Our OVPN config at HQ hands out an IP address to the client pfSense at the remote site, something like 10.0.10.2. That remote pfSense is handing out IPs to its hosts (i.e. 10.0.11.21).

      When I log into the HQ pfSense and try to ping 10.0.11.21 from the CLI, it doesn't work. tcpdump on the remote host shows it's not even receiving the ping request.

      FWIW, I have been able to get normal OVPN to work in both directions, but site-to-site seems to require another level of NAT, so I'm stuck.

      Thanks in advance for your time!

      • viragomann

        No, there's no NAT needed for site-to-site, but a few routing options.

        In the server settings, have you entered the appropriate subnets in "IPv4 Local network(s)" and "IPv4 Remote network(s)"?
        Also, in the client settings you have to enter the server side's LAN subnets you want to access in "IPv4 Remote network(s)".
        Furthermore, you need firewall rules on both sites to allow the access.

        • authenticx

          You need a route on the client settings to the server side subnet and the iroute on the connecting client to the server side subnet in order for the client subnet to respond to packets from the server side subnet.

          Example:
          If your server side subnet is 10.2.0.0/24, you need to add iroute 10.2.0.0/24 to the client specific overrides section of the OpenVPN configuration on the client side.
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
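
An added example, not part of any post in the thread: a small Python check for the symptom described (the remote site reaches HQ, but HQ cannot reach the remote LAN), assuming the HQ OpenVPN instance runs in multi-client server mode. It verifies that the remote LAN has both a `route` line in the server config and an `iroute` line in a client-specific override; the configs are constructed samples, and the HQ LAN 10.0.0.0/24 and the common name `remote-site` are assumptions.

```python
import ipaddress

# Constructed sample configs. The tunnel (10.0.10.0/24) and remote LAN
# (10.0.11.0/24) follow the thread; the HQ LAN 10.0.0.0/24 and the client
# common name "remote-site" are assumptions.
SERVER_CONF = """\
dev tun
server 10.0.10.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
route 10.0.11.0 255.255.255.0
"""
CCD_MISSING_IROUTE = {"remote-site": ""}
CCD_WITH_IROUTE = {"remote-site": "iroute 10.0.11.0 255.255.255.0\n"}


def networks(text, directive):
    """Collect the networks named by '<directive> <network> [netmask]' lines."""
    found = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == directive:
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            found.add(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
    return found


def check_remote_lan(server_conf, ccd, remote_lan):
    """Return the reasons a server-side host cannot reach remote_lan ([] if none)."""
    lan = ipaddress.ip_network(remote_lan)
    problems = []
    # 'route' installs the kernel route that sends the packet into the tunnel.
    if not any(lan.subnet_of(n) for n in networks(server_conf, "route")):
        problems.append(f"no 'route' covering {lan} in the server config")
    # 'iroute' tells the OpenVPN server which connected client owns the subnet.
    owners = sorted(cn for cn, text in ccd.items()
                    if any(lan.subnet_of(n) for n in networks(text, "iroute")))
    if not owners:
        problems.append(f"no 'iroute' covering {lan} in any client override")
    elif len(owners) > 1:
        problems.append(f"{lan} claimed by several clients: {', '.join(owners)}")
    return problems


if __name__ == "__main__":
    for name, ccd in (("missing", CCD_MISSING_IROUTE), ("fixed", CCD_WITH_IROUTE)):
        print(name, check_remote_lan(SERVER_CONF, ccd, "10.0.11.0/24"))
```

With the `route` present but no `iroute`, the server's kernel forwards the packet into the tunnel and the OpenVPN process then drops it, which matches tcpdump on the remote host seeing nothing.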