    client ping does not work to clients in other network

    OpenVPN
    certificate authentication
    • H
      hannes.hutmacher
      last edited by

      Hello!

      Today I set up my openvpn site to site connection. To connect both sides I decided to use certificates. The connection works. A tunnel is available and everything seems fine.

      But when I try to ping from one client in network A to another client in network B, it does not work. It seems that ICMP packets are routed to the internet and not into the tunnel.

      But "netstat -r" shows the right routes, as far as I understand.

      Network A: 192.168.30.0/24
      Network B: 192.168.2.0/24
      Tunnelnet: 172.16.0.0/24

      # Side A (192.168.30.0/24)
      172.16.0.0/24      172.16.0.1         UGS      ovpnc1
      172.16.0.1         link#9             UH       ovpnc1
      172.16.0.2         link#9             UHS         lo0
      192.168.2.0/24     172.16.0.1         UGS      ovpnc1
      
      # Side B (192.168.2.0/24)
      172.16.0.0/24      172.16.0.2         UGS      ovpns2
      172.16.0.1         link#9             UHS         lo0
      172.16.0.2         link#9             UH       ovpns2
      192.168.30.0/24    172.16.0.2         UGS      ovpns2
      

      The funny thing is: when I use pre-shared key authentication everything works fine. Pings from client to client through the tunnel work.

      I have no idea how to find out the problem, so I hope you can help me solve this.

      • V
        viragomann
        last edited by

        Use a /30 tunnel for a site to site VPN.
        If you are running multiple VPN instances on one side also assign interfaces to them.

        • RicoR
          Rico LAYER 8 Rebel Alliance
          last edited by

          A /24 subnet is totally okay to run as the tunnel network in PKI.
          Have you set your iroutes?
          Check the iroutes section in https://www.netgate.com/docs/pfsense/vpn/openvpn/configuring-a-site-to-site-pki-ssl-openvpn-instance.html if not.
          Firewall rules in place?

          -Rico

          • H
            hannes.hutmacher
            last edited by

            Thank you for your reply. I will try it out today.

            I am wondering why it works with pre-shared key but not with certificates. What is the reason?

            • RicoR
              Rico LAYER 8 Rebel Alliance
              last edited by Rico

              In a Site to Site Shared Key setup you can always only have two sites per instance: your server is .1 and the client is .2.
              Even if you specify a /24 tunnel network, only a /30 is used. So for OpenVPN it is no problem to know how the traffic flows.

              In Site to Site PKI you can have many sites per instance, so even if you have only two sites OpenVPN needs to know how to route traffic internally. This is done by iroutes; even if you only have two sites and use a /30 tunnel, you always need to set iroutes in a PKI instance.

              -Rico
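The following Python script is an added illustration of the point Rico makes above; it is not code from this thread, from pfSense or from OpenVPN. It models the two routing stages a packet passes on the OpenVPN server at site B: the kernel's forwarding table (the `netstat -r` output the original poster shows) and OpenVPN's own internal table, which maps each connected client's certificate common name to its tunnel IP plus the networks listed in its `iroute` lines. The addresses and interface names come from the thread; the client common name `siteA`, the LAN interface `em1` and the `client-config-dir` file contents are constructed assumptions. In pfSense terms, the server's "Remote Networks" field produces the `route` (kernel) entry and a Client Specific Override's "Remote Networks" field produces the `iroute` (OpenVPN internal) entry.

```python
# Added example (not from the thread, pfSense or OpenVPN): a model of the two
# routing stages on an OpenVPN server in a site-to-site PKI setup, contrasted
# with shared-key mode, where there is only one peer and no internal lookup.
import ipaddress
from dataclasses import dataclass, field

# Addressing taken from the thread.
NET_A = ipaddress.ip_network("192.168.30.0/24")   # behind the client (site A)
NET_B = ipaddress.ip_network("192.168.2.0/24")    # behind the server (site B)
TUNNEL = ipaddress.ip_network("172.16.0.0/24")

# Side B kernel routing table as (network, interface). "ovpns2" is from the
# thread's netstat output; "em1" for the site B LAN is a constructed name.
KERNEL_ROUTES = [(TUNNEL, "ovpns2"), (NET_A, "ovpns2"), (NET_B, "em1")]

# Constructed client-config-dir files keyed by certificate common name.
CCD_MISSING_IROUTE = {"siteA": "ifconfig-push 172.16.0.2 255.255.255.0\n"}
CCD_WITH_IROUTE = {"siteA": "ifconfig-push 172.16.0.2 255.255.255.0\n"
                            "iroute 192.168.30.0 255.255.255.0\n"}


@dataclass
class Client:
    cn: str
    vpn_ip: ipaddress.IPv4Address
    iroutes: list = field(default_factory=list)


def parse_ccd(ccd: dict) -> list:
    """Build the server's view of connected clients from their ccd files."""
    clients = []
    for cn, text in ccd.items():
        vpn_ip, iroutes = None, []
        for line in text.splitlines():
            parts = line.split()
            if len(parts) == 3 and parts[0] == "ifconfig-push":
                vpn_ip = ipaddress.ip_address(parts[1])
            elif len(parts) == 3 and parts[0] == "iroute":
                iroutes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        clients.append(Client(cn, vpn_ip, iroutes))
    return clients


def kernel_lookup(dst: ipaddress.IPv4Address) -> str:
    """Longest-prefix match, like the kernel forwarding table."""
    matches = [(net, iface) for net, iface in KERNEL_ROUTES if dst in net]
    if not matches:
        return "default"          # would leave via the WAN
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def owner_of(addr: ipaddress.IPv4Address, clients: list):
    """OpenVPN's internal table: a client owns its tunnel IP and every
    network listed in its iroutes; anything else has no owner."""
    for c in clients:
        if addr == c.vpn_ip or any(addr in net for net in c.iroutes):
            return c.cn
    return None


def forward_from_lan(dst_str: str, mode: str, ccd: dict = None) -> str:
    """A packet from a site B LAN host towards dst: where does it end up?"""
    dst = ipaddress.ip_address(dst_str)
    iface = kernel_lookup(dst)
    if iface != "ovpns2":
        return f"kernel:{iface}"
    if mode == "shared-key":
        return "peer"             # exactly one peer, so no internal lookup
    owner = owner_of(dst, parse_ccd(ccd or {}))
    return f"client:{owner}" if owner else "dropped:no-client-for-destination"


def accept_from_client(src_str: str, cn: str, mode: str, ccd: dict = None) -> str:
    """Reverse direction: the server checks a tunnel packet's source address
    against the sending client's tunnel IP and iroutes before routing it on."""
    src = ipaddress.ip_address(src_str)
    if mode == "shared-key":
        return "accepted"
    if owner_of(src, parse_ccd(ccd or {})) == cn:
        return "accepted"
    return "dropped:bad-source-address"


if __name__ == "__main__":
    cases = [("shared-key", None, "n/a"),
             ("pki", CCD_MISSING_IROUTE, "no iroute"),
             ("pki", CCD_WITH_IROUTE, "iroute set")]
    for mode, ccd, label in cases:
        b_to_a = forward_from_lan("192.168.30.10", mode, ccd)
        a_to_b = accept_from_client("192.168.30.10", "siteA", mode, ccd)
        print(f"{mode:10} {label:10} B->A: {b_to_a:34} A->B: {a_to_b}")
```

Running it shows the symptom from the thread: in shared-key mode both directions pass, in PKI mode without an `iroute` the kernel still hands the packet to the tunnel interface but OpenVPN has no client that owns 192.168.30.0/24 and drops it (and drops replies from site A as coming from an unknown source), and with the `iroute` in place both directions work again.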

              • H
                hannes.hutmacher
                last edited by

                Thank you for this explanation. Now my VPN works fine.

                • RicoR
                  Rico LAYER 8 Rebel Alliance
                  last edited by

                  Glad you have it working now. ☺

                  -Rico
