OpenVPN site-to-site traffic only in one direction

  • First let me say that I very much like the functionality of pfSense. We use it extensively on 8 router-firewalls in the company.

    Recently I have been struggling with establishing a site-to-site OpenVPN connection; I think that I am missing something obvious. I have some other setups where it functions correctly and I don't see anything obvious that is different.

    I have been using the pfSense book example to set up a certificate-based site-to-site.

    I use  as the OpenVPN Tunnel Network. The server-side LAN is  and 192.168.250/24, the client-side LAN 

    Server routing related config:

    Server Client Specific Override:

    Client routing related config:

    I can ping the tunnel IP both ways.

    From server -

    PING ( 56 data bytes
    64 bytes from icmp_seq=0 ttl=64 time=70.176 ms

    From client

    PING ( 56 data bytes
    64 bytes from icmp_seq=1 ttl=64 time=86.374 ms

    From the client I can ping the LAN IP of the server pfSense:

    PING ( 56 data bytes
    64 bytes from icmp_seq=0 ttl=64 time=70.285 ms

    From the server the reverse is not possible:

    PING ( 56 data bytes

    I can see the packets on the correct interface:

    tcpdump -i ovpns3 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ovpns3, link-type NULL (BSD loopback), capture size 65535 bytes
    11:41:33.575865 IP > ICMP echo request, id 65152, seq 51, length 64
    11:41:34.595753 IP > ICMP echo request, id 65152, seq 52, length 64
    11:41:35.597636 IP > ICMP echo request, id 65152, seq 53, length 64
    11:41:36.599099 IP > ICMP echo request, id 65152, seq 54, length 64
    11:41:37.600601 IP > ICMP echo request, id 65152, seq 55, length 64
    11:41:38.602443 IP > ICMP echo request, id 65152, seq 56, length 64

    Nothing on the other side.

    The firewall on the OpenVPN interface is set to allow all on both:


    There is a correct entry in the routing table:         UGS      ovpns3

    I must be missing something obvious. But I have been staring at it for days with no luck.

    Thanks in advance.

  • LAYER 8 Rebel Alliance

    Adding the Client Side LAN in the Server 'IPv4 Local networks' Box is wrong.
    And your tunnel network is not RFC1918 which is also bad. Only use private address space for private networks to avoid strange problems in general.


  • Hi Rico,

    Yes, I know it's not RFC1918; I plan on changing all of the  once I replace the previous OpenVPN infrastructure.

    I have tried in the past with and without the client-side LAN in the server 'IPv4 Local Networks'; it does seem weird to me, but it's what I got from the "pfSense book" example:

    IPv4 Local Network:
    Enter the LAN networks for all sites including the server:,,

    Thanks for reading and helping.

  • LAYER 8 Rebel Alliance

    In your CSO, have you double checked to select the right OpenVPN Instance and use the correct Common Name (Client Cert name 1:1)?
    Please post your Server Side routing table.


  • CSO on the server:


    From the client config:

    Routing tables
    Destination        Gateway            Flags      Netif Expire
    default            removed external   UGS        pppoe0
    removed external   link#12            UHS        lo0
    removed external   pppoe0             UHS        pppoe0
                                          UGS        ovpnc1
                                          UGS        ovpnc1
                                          UGS        ovpnc1
                                          UGS        ovpnc1
                       link#10            U          re1_vlan
                       link#10            UHS        lo0
                                          UGS        ovpns3
                                          UGS        ovpnc1
                                          UGS        ovpnc1
                                          UGS        ovpns3
                       link#15            UHS        lo0
                       link#15            UH         ovpns3
                       link#13            UH         ovpnc1
                       link#13            UHS        lo0
                                          UGS        ovpnc1
                                          UGS        ovpnc1
    removed external                      UGS        ovpnc1
    removed external                      UGS        ovpnc1
    removed external                      UHS        lo0
    removed external                                 pppoe1
    removed external                                 pppoe1
    removed external   link#12            UH         pppoe1
    localhost          link#6             UH         lo0
    removed external                      UGHS       pppoe0
    removed external                      UGHS       pppoe0
                       link#1             U          re0
                       link#1             UHS        lo0
                       link#9             U          re1_vlan
                       link#9             UHS        lo0
                                          UGS        ovpnc1
                       link#2             U          re1
    Youngs3            link#2             UHS        lo0
                                          UGS        ovpnc1
                       link#8             U          re1_vlan
                       link#8             UHS        lo0
    removed external   link#11            UH         pppoe0


  • LAYER 8 Rebel Alliance

    Looks okay to me.
    Anyway, I would:

    • wipe from the Server Side Local network Box
    • use a proper RFC1918 tunnel network
    • wipe the Tunnel Network and Remote network box from the Client side because these settings are pushed by the Server anyway.


  • It's now resolved.
    It was none of the above.

    Changing the tunnel network to a /30 resolved it.
    I tested it afterwards:
    switching to /24: works in one direction
    switching to /30: full routing in both directions

    It shouldn't happen. I did try on fresh installs of pfSense.
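    Editorial note added to the thread (not part of any poster's words): the /24 versus /30 difference reported above matches a general property of OpenVPN server mode that is worth checking whenever traffic shows up on the server's ovpnsN interface but never reaches the client. With a multi-client (/24, subnet topology) tunnel, the kernel `route` only delivers packets to the tun device; the OpenVPN process then needs an `iroute` from the matching client-specific override to know which connected peer owns the remote LAN, and it silently drops the packet otherwise. With a /30 point-to-point tunnel there is exactly one peer, so the kernel route alone is enough. The two minimal server configurations below illustrate this; they are an added example, not configuration from this thread. The server LAN 192.168.250.0/24 is taken from the first post; the tunnel network 10.200.0.0/24 (or /30), the client LAN 192.168.10.0/24 and the client certificate Common Name `site-b` are assumed placeholders.

```conf
# ---- Variant A: /24 tunnel network, subnet topology (multi-client server) ----
# File: server-subnet.conf (assumed name)
dev tun
topology subnet
server 10.200.0.0 255.255.255.0          # assumed tunnel network, /24
push "route 192.168.250.0 255.255.255.0" # server LAN from the thread, pushed to the client

# Kernel route: packets for the client LAN are handed to the tun interface.
# This alone is enough for tcpdump on the ovpnsN interface to show the echo requests.
route 192.168.10.0 255.255.255.0         # assumed client LAN

# Internal route: tells the OpenVPN daemon which connected client owns that LAN.
# Without a matching iroute the daemon has no peer for the packet and drops it
# after the kernel has already passed it to the tun device.
client-config-dir ccd
# File ccd/site-b (name must equal the client certificate CN exactly):
#   iroute 192.168.10.0 255.255.255.0

# ---- Variant B: /30 tunnel network, point-to-point (single peer) ----
# File: server-p2p.conf (assumed name)
dev tun
ifconfig 10.200.0.1 10.200.0.2           # assumed local / remote tunnel addresses
route 192.168.10.0 255.255.255.0 10.200.0.2   # assumed client LAN via the peer

# Only one peer exists on this link, so the kernel route is sufficient;
# there is no per-client lookup and therefore no iroute to get wrong.
```

    When checking a /24 setup, look for the `iroute` line in the generated client-specific override file (on pfSense these live under /var/etc/openvpn-csc, with the server configuration under /var/etc/openvpn; exact paths vary by version) and confirm the file name matches the client's certificate CN character for character. For the opposite direction, a client forwarding LAN traffic without an accepted iroute produces `MULTI: bad source address from client` entries in the server's OpenVPN log. The thread does not show which of these conditions, if any, was present on the poster's installation.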

