Pinging tunnel networks in site-to-site



  • Hi,

    I have one server and two clients which I have set up using this guide:
    https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

    On the server I can see now two connections, 10.0.8.3 & 10.0.8.4, so I am guessing everything is connected. (not sure why 10.0.8.2 has not been used)

    On the server I can ping 10.0.8.1 & 10.0.8.3 however I am unable to ping 10.0.8.4

    I thought I had setup both clients the same and I have checked and double checked…

    Can anyone suggest a possible explanation please?



  • Testing and restarted server. I now have:
    10.0.8.2
    10.0.8.3

    I am able to ping 10.0.8.2 but not 10.0.8.3


  • Netgate

    I have one server and two clients which I have set up using this guide:

    Is this one node with two server processes and two clients connecting to it, one node with a server process and two client processes? What?

    A diagram is worth a thousand words.

    What are the tunnel networks you defined in everything?

    How about you post the connection status page?



  • Hi Derelict,

    This is a single server process with two remote clients connecting to it.

    Tunnel network is 10.0.8.0/24

    I have attached a copy of the connections page



  • Netgate

    On the server I can ping 10.0.8.1 & 10.0.8.3 however I am unable to ping 10.0.8.4

    Why would you be able to ping 10.0.8.4? It's not connected.



  • My apologies, let me clarify

    Originally Remote1@10.0.8.3 & Remote2@10.0.8.4 were both connected and only Remote1@10.0.8.3 could be pinged.

    When I restarted the server the IPs changed to Remote1@10.0.8.2 & Remote2@10.0.8.3

    Now I can ping Remote1@10.0.8.2 but not Remote2@10.0.8.3

    Both before and after the restart Remote2 is unable to be pinged.



  • username@server:~$ ping 10.0.8.1 -c 4
    PING 10.0.8.1 (10.0.8.1) 56(84) bytes of data.
    64 bytes from 10.0.8.1: icmp_seq=1 ttl=64 time=2.12 ms
    64 bytes from 10.0.8.1: icmp_seq=2 ttl=64 time=2.24 ms
    64 bytes from 10.0.8.1: icmp_seq=3 ttl=64 time=1.74 ms
    64 bytes from 10.0.8.1: icmp_seq=4 ttl=64 time=1.99 ms

    --- 10.0.8.1 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3005ms
    rtt min/avg/max/mdev = 1.747/2.029/2.249/0.186 ms
    username@server:~$ ping 10.0.8.2 -c 4
    PING 10.0.8.2 (10.0.8.2) 56(84) bytes of data.
    64 bytes from 10.0.8.2: icmp_seq=1 ttl=63 time=24.4 ms
    64 bytes from 10.0.8.2: icmp_seq=2 ttl=63 time=29.8 ms
    64 bytes from 10.0.8.2: icmp_seq=3 ttl=63 time=23.7 ms
    64 bytes from 10.0.8.2: icmp_seq=4 ttl=63 time=31.5 ms

    --- 10.0.8.2 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3003ms
    rtt min/avg/max/mdev = 23.765/27.388/31.510/3.344 ms
    username@server:~$ ping 10.0.8.3 -c 4
    PING 10.0.8.3 (10.0.8.3) 56(84) bytes of data.

    --- 10.0.8.3 ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 2999ms



  • Progress…

    I can now ping both 10.0.8.2 & 10.0.8.3 from the server

    The problem was I had the OpenVPN FW rule on Remote2@10.0.8.3 protocol set to UDP. When I changed it to ANY it works.

    Now I know the VPN connections are working I will tackle making Remote1 & Remote2 accessible from the server LAN.



  • Now my VPN connection is up I have 3 remaining pieces to this puzzle:

    1. On the server set values for IPv4 Local Network & IPv4 Remote Network

    2. On the clients set value for IPv4 Remote Network

    3. On the set values for iroutes as per https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)#iroutes

    Server IPv4 Local Network value
    "IPv4 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more CIDR ranges. This may be left blank if not adding a route to the local network through this tunnel on the remote machine. This is generally set to the LAN network."
    => My thinking here is this should be left blank as I do not want the server LAN to be accessible from the client LANs, just the client LANs accessible from the server LAN.

    Server IPv4 Remote Network value
    "IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more CIDR ranges. If this is a site-to-site VPN, enter the remote LAN/s here. May be left blank for non site-to-site VPN."
    => My thinking here is that this should be set to the two remote CIDR ranges.

    Clients IPv4 Remote Network Value
    "IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more CIDR ranges. If this is a site-to-site VPN, enter the remote LAN/s here. May be left blank for non site-to-site VPN."
    => My thinking here is that this should be set to the client CIDR range.

    => Not sure what to do here

    • At this point all pfsense boxes can ping 10.0.8.1, 10.0.8.2 & 10.0.8.3


  • I hope this diagram may assist in explaining what I seek to achieve.

    I wish the server LAN to be able to access both client LANs however I do not wish the client LANs to be able to access anything through the VPN.

    ![Blank Diagram - Page 1.png](/public/imported_attachments/1/Blank Diagram - Page 1.png)


  • Netgate

    So don't put any OpenVPN rules on the server and put pass src 192.168.0.1/24 dest any rules on each client.

    I would stop fixating so much on the OpenVPN interface addresses. They can be weird.

    https://doc.pfsense.org/index.php/Why_can't_I_ping_some_OpenVPN_adapter_addresses



  • OK, apologies if I am sounding pedantic however I wish to ensure I have understood you correctly.

    Previously on both server & clients under OpenVPN firewall rules I had proto:any src:any dest:any

    With this in place the client pfsense could ping the server pfsense however not the other way round

    I have now removed the OpenVPN rule from the firewall on the server

    With this change the pfsense boxes can not ping each other.

    Obviously, I have missed something. My thoughts are:
    a) I have not created any iroutes anywhere (mentioned in the guide I was following but didn't understand them)
    b) I may have mucked up the values for remote and local network on the server & clients

    Thanks for your help here. It is appreciated.



  • Can I please clarify.

    a) on the vpn server I have set:
    IPv4 Local Network: 192.168.1.0/24
    IPv4 Remote Networks: 192.168.16.0/24, 10.0.0.0/24

    b) on the vpn clients I have set:
    IPv4 Remote Networks: 192.168.1.0/24

    Does this look correct?



    Tunnel settings as per post above.





  • Netgate

    a) I have not created any iroutes anywhere (mentioned in the guide I was following but didn't understand them)

    If you are running an SSL/TLS server with a tunnel network larger than a /30 and have routed subnets and no iroutes it is not going to work.

    Add the remote networks for each CN to a client specific override.
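    As an added illustration (not from the thread or from pfSense itself), here is the OpenVPN equivalent of what the GUI fields and the client specific overrides described above produce for this topology: a /24 tunnel network, one server process and two clients whose LANs are 192.168.16.0/24 and 10.0.0.0/24, with the server LAN 192.168.1.0/24 from the later post. The CN names and the ccd path are assumptions; the client certificate CNs must match the override file names exactly.

    ```conf
    # --- server side (relevant lines only) ---
    dev tun
    server 10.0.8.0 255.255.255.0
    # "IPv4 Remote Networks" on the server: kernel routes that send
    # packets for the client LANs into the tun interface.
    route 192.168.16.0 255.255.255.0    # Remote1 LAN
    route 10.0.0.0 255.255.255.0        # Remote2 LAN
    # "IPv4 Local Network" on the server: pushed to every client so the
    # client side knows how to return traffic to the server LAN.
    push "route 192.168.1.0 255.255.255.0"
    # Client specific overrides: one file per certificate CN (assumed path).
    client-config-dir /path/to/ccd

    # --- /path/to/ccd/remote1 (CN of Remote1's certificate, assumed) ---
    # The kernel route above only gets the packet to the tun interface;
    # with several clients on one /24 tunnel, OpenVPN itself needs to know
    # which client session owns each routed subnet. That is the iroute.
    iroute 192.168.16.0 255.255.255.0

    # --- /path/to/ccd/remote2 (CN of Remote2's certificate, assumed) ---
    iroute 10.0.0.0 255.255.255.0

    # Without the matching iroute, the server has a route to 192.168.16.0/24
    # but no client to deliver it to, so traffic from the server LAN is
    # silently dropped; this is the failure the last reply describes for
    # tunnel networks larger than a /30.
    #
    # Direction of access is then enforced by firewall rules, not routing:
    #  - server: no pass rules on the OpenVPN interface, so nothing the
    #    clients initiate is accepted;
    #  - each client: one pass rule on the OpenVPN interface with
    #    source 192.168.1.0/24, destination any, protocol any.
    # A rule limited to UDP on the OpenVPN interface does not match ICMP,
    # which is why ping failed in the earlier post until it was set to any.
    ```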