Openvpn site to site remote network not accessible
Hello! I have an openvpn site to site tunnel between a pfsense and a windows server. The pfsense is the client, with 192.168.0.0/24 LAN ip. On the other side the windows server has 192.168.15.0/24 LAN. The openvpn tunnel has 10.0.13.0/30 address range. I can ping/tracert the client side LAN from the server side, but I can't ping the server side LAN from the client side. If I ping the 10.0.13.1 which is the server ip in the tunnel it works.
Do you have a route back to the 192.168.15.0 network?
erdeidominik99 last edited by erdeidominik99
In diagnostic/routes I have a line:
10.0.15.0/24 10.0.11.1 UGS 0 1500 ovpnc3
so yes, I have. If I tracert something in the 15.0 subnet the request goes until the local pfsense and after timeout so it can't go through the tunnel. On the windows machine whick is the server do I need any bridging or something?
You need a route to 192.168.15.0. For example, when I show the route on my notebook computer, with OpenVPN up, I see a default route through the tunnel. Do you see that? If your default route is not through the tunnel, then you'll need a specifc route to 192.168.15.0 /24. If you don't have one of those, then you have no way for packets to get back to the Windows server.
So, what does the route show?
On the clients there is no route to that network. There is only a default route to the pfsense. But that's route not to be at the pfsense? Because for example for my ipsec tunnel there is no route on the clients.
What does the default route show on the client? Does it show a route back through the tunnel? Or out to whatever network that computer is connected to? If you don't have a default route or specific that goes back to the same network as that Windows server, then you won't be able to access it. The default route can use just the tunnel, without specifying the address of the server network, but a specific route must specify 192.168.15.0.
What operating system is the client running? If we know that, we can tell you how to determine what route is available.
What does the default route show on the client?
Here's an example, on Linux:
ip -4 route show
default via 172.16.255.1 dev tun0 proto static metric 50
default via 192.168.43.149 dev wlan0 proto dhcp metric 600
172.16.255.0/24 dev tun0 proto kernel scope link src 172.16.255.2 metric 50
184.108.40.206 via 192.168.43.149 dev wlan0 proto static metric 600
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.244 metric 600
192.168.43.149 dev wlan0 proto static scope link metric 600
The default route shows the pfSense address at the other end of the tunnel and that it goes via tun0. If you had a specific route, it would have the network address, instead of default.
Finally it works! The problem wasn't at the pfsense's side. It was a windows routing problem!
Thanks for your help!
It was a windows routing problem!
Perhaps a missing route back to 192.168.15.0?