Site-to-Site VPN not routing back
I have the following setup:
Main office -
Networks: 10.1.0.0/16, 10.196.54.128/26
Branch office -
I set up the OpenVPN server at the main office with the tunnel network 10.1.0.0/24
Tunnel settings local networks: (10.1.0.0/16, 10.196.54.128/26)
Tunnel settings remote networks: 192.168.1.0/24
The VPN connects just fine. From the branch office I can ping all my servers/services at the main office, but only from pfsense on the VPN interface.
I want to be able to have client PCs at the branch office access services/servers at the main office.
When I try and ping IPs at the main office from PCs at the branch office, I get no reply. I did a packet capture at the main office and I can see the ICMP request, but the main office isn't replying back.
I checked my routes at the main office and didn't see any reference to the 192.168.1.0/24 network.
I assumed setting the remote and local networks would have built those routes?
I checked the firewall rules, and I have rules allowing all typed from the remote office to the main office. I don't think its a firewall issue.
Am I doing the site-to-site thing correct?
pfsense version: 2.4.1
jammcla last edited by
the immediate issue I see with that configuration is the tunnel network is a /24 that fits within the main office's network /16
I would start by making the tunnel network something that isn't overlapping your current office network.
The openVPN will auto create routes to the other networks.
I changed the tunnel network to 10.0.0.0/24 (Out of the main office range).
I see a route made at the main office for 192.168.1.0/24 via gw 10.0.0.2
I have no idea where it is getting the 10.0.0.2 address from.
I see a route made at the branch office for 10.1.0.0/16 via gw 10.0.0.1
The only ping that works now is from the main office pfsense to the remote office pfsense client tunnel IP (10.0.0.109).
Correction: I get the same behavior as before. From the remote branch pfsense I am able to ping everything at the main office, but only from the firewall on the openVPN interface. If I try and ping from clients on the 192.168.1.0/24 lan I get no reply from the main office.
Update: I no longer see anything from the remote office in the packet capture on the main server. I'm not sure where my traffic is going…
jammcla last edited by
The routes you are seeing are coming from the tunnel network. The pfsense that you created the server on should be the first ip in the tunnel range and the client will be the 2nd ip in that range. so that is looking good.
Go into the openvpn configuration and just try clicking apply to apply the settings again.
Are the pfsense boxes the main gateway in each site?
Yes, on each site pfSense is the main gateway/router.
I applied the config and rebooted pfSense on both ends, still no luck.
Ping attempt from the branch office:
PING 10.1.1.9 (10.1.1.9) from 192.168.1.1: 56 data bytes --- 10.1.1.9 ping statistics --- 3 packets transmitted, 0 packets received, 100.0% packet loss
This is an attempt to ping one of my servers (10.1.1.9) from the LAN interface at the branch office.
Here is some more interesting behavior:
I can ping the main office LAN gw (10.1.1.1) from the branch office on the VPN interface:
PING 10.1.1.1 (10.1.1.1) from 10.0.0.109: 56 data bytes 64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=51.527 ms 64 bytes from 10.1.1.1: icmp_seq=1 ttl=64 time=84.772 ms 64 bytes from 10.1.1.1: icmp_seq=2 ttl=64 time=27.185 ms --- 10.1.1.1 ping statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 27.185/54.495/84.772/23.603 ms
But I cannot ping servers from the VPN interface at the branch office:
PING 10.1.1.9 (10.1.1.9) from 10.0.0.109: 56 data bytes --- 10.1.1.9 ping statistics --- 3 packets transmitted, 0 packets received, 100.0% packet loss
I cannot ping the main office LAN gw from the branch office LAN
PING 10.1.1.1 (10.1.1.1) from 192.168.1.1: 56 data bytes --- 10.1.1.1 ping statistics --- 3 packets transmitted, 0 packets received, 100.0% packet loss
Routes at the branch office:
10.0.0.0/24 gw 10.0.0.1
10.1.0.0/16 gw 10.0.0.1
10.196.54.128/26 gw 10.0.0.1
Routes at the main office
10.0.0.0/24 gw 10.0.0.2
192.168.1.0/24 gw 10.0.0.2