OPENVPN - Connected but no ping!!!

rwijnands

Hi all,

I'm trying to interconnected three sites.
I've managed to built the 2 vpns from the main office to 2 other sites, fully operational, following the guide from this website. It's really a step by step guide, perfectly explained.

But, when i try to interconnect the 2 subsites the vpn DOES connect AND i can ping the vpn endpoints (10.0.28.1 & 10.0.28.2) but NOT any ip on the local subnets.

Does anyone have an idea where to look next? I've been struggeling with this issue for quite a few days now, read a lot of manuals and topics on the forums but i don't see where i go wrong.

Thanks in advance

viragomann

So in contrast to the mentioned guide, you have one server, but two clients?
That won't work with preshared key. The server will not know which network is behind which client.

You either have to set up two OpenVPN servers, one for each site, or you switch to SSL mode and setup client specific overrides for both clients.

rwijnands

No, no...every connection is a server-client pair, on different ports.

johnpoz

@rwijnands said in OPENVPN - Connected but no ping!!!:

but NOT any ip on the local subnets.

Can you ping the lan side IPs of the pfsense on the other side? If so then your problem talking to devices on the other sides is most likely host firewalls or those clients not using pfsense as their default gateway.

His drawing has a huge typo as well he calls out a 10.4.2/24 network on the lan but says pfsense IP is 10.40.30.254

Site to site vpn
https://www.netgate.com/docs/pfsense/vpn/openvpn/configuring-a-site-to-site-pki-ssl-openvpn-instance.html

rwijnands

Not even doing a PING from one firewall to the other firewall (LAN IP) gave a reply. Only the VPN's internal ip's replied, (10.0.28.1 <-----> 10.0.28.2 )

But....Found it!

As Jimp said in this thread, these problems always come down to routing or rules. So, i checked the routing table and i did not see a route to the otherside LAN.
I added them on both sides and it works now!

Strange that the route was not dynamically added, isn't it? The other VPN's added their routes without my help.

Thanks guys!

viragomann

The routes should be managed by OpenVPN, if you have entered the respective remote network into the "Remote Network(s)" box in the settings and if you haven't checked "Don't add/remove routes" in the client settings.

rwijnands

Ok, final update.
Eliminated everything that had to do with this VPN, interface, rules, etc.

Started all over, following all the steps, and everything is working as it should, without the manual routes.

By the way, if you run into the routing problem, you can change the "Gateway creation" to BOTH or to IPv4 ONLY and apply/save ont both server and client side(!)

That creates the new route.

Thanks all for your time and effort