client ping does not work to clients in other network



  • Hello!

    Today I set up my OpenVPN site-to-site connection. To connect both sides I decided to use certificates. The connection works. A tunnel is available and everything seems fine.

    But when I try to ping from one client in network A to another client in network B it does not work. It seems that ICMP packets are routed to the internet and not into the tunnel.

    But "netstat -r" shows the right routes as far as I understand.

    Network A: 192.168.30.0/24
    Network B: 192.168.2.0/24
    Tunnelnet: 172.16.0.0/24

    # Side A (192.168.30.0/24)
    172.16.0.0/24      172.16.0.1         UGS      ovpnc1
    172.16.0.1         link#9             UH       ovpnc1
    172.16.0.2         link#9             UHS         lo0
    192.168.2.0/24     172.16.0.1         UGS      ovpnc1
    
    # Side B (192.168.2.0/24)
    172.16.0.0/24      172.16.0.2         UGS      ovpns2
    172.16.0.1         link#9             UHS         lo0
    172.16.0.2         link#9             UH       ovpns2
    192.168.30.0/24    172.16.0.2         UGS      ovpns2
    

    The funny thing is: when I use pre-shared key authentication everything works fine. Pings from client to client through the tunnel work.

    I have no idea how to find out the problem, so I hope you can help me solve this.



  • Use a /30 tunnel for a site to site VPN.
    If you are running multiple VPN instances on one side also assign interfaces to them.


  • LAYER 8 Rebel Alliance

    /24 subnet is totally okay to run as tunnel network in PKI.
    Have you set your iroutes?
    Check the iroutes section in https://www.netgate.com/docs/pfsense/vpn/openvpn/configuring-a-site-to-site-pki-ssl-openvpn-instance.html if not.
    Firewall Rules in place?

    -Rico



  • Thank you for your reply. I will try it out today.

    I am wondering why it works with pre-shared key but not with certificates. What is the reason?


  • LAYER 8 Rebel Alliance

    In a Site to Site Shared Key setup you can always only have two sites per instance: your server is .1 and the client is .2.
    Even if you specify a /24 tunnel network, only a /30 is used. So for OpenVPN it is no problem to know how the traffic flows.

    In Site to Site PKI you can have many sites per instance, so even if you have only two sites OpenVPN needs to know how to route traffic internally. This is done by iroutes; even if you only have two sites and use a /30 tunnel, you always need to set iroutes in a PKI instance.

    -Rico
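    As an added illustration of the iroute point above (not part of Rico's reply or of pfSense's own generated files), here is what the two sides of this thread's setup look like in plain OpenVPN config syntax. It assumes Side B (192.168.2.0/24) runs the server instance and Side A (192.168.30.0/24) the client, matching the ovpns2/ovpnc1 interface names in the question, and assumes the client certificate's CN is "siteA".

    ```conf
    # --- Server side: Site B, LAN 192.168.2.0/24 (server.conf excerpt) ---
    dev tun
    server 172.16.0.0 255.255.255.0          # tunnel network; the server takes 172.16.0.1
    push "route 192.168.2.0 255.255.255.0"   # tell the client that Site B's LAN is behind the tunnel
    route 192.168.30.0 255.255.255.0         # KERNEL route on the server host: Site A's LAN -> tun
                                             # (pfSense: server "IPv4 Remote Network(s)")
    client-config-dir /etc/openvpn/ccd       # per-client overrides, looked up by certificate CN

    # --- /etc/openvpn/ccd/siteA  (file name = CN of Site A's client cert, assumed) ---
    iroute 192.168.30.0 255.255.255.0        # INTERNAL route: OpenVPN hands 192.168.30.0/24 to THIS client
                                             # (pfSense: Client Specific Override "IPv4 Remote Network(s)")

    # --- Client side: Site A, LAN 192.168.30.0/24 (client.conf excerpt) ---
    client
    dev tun
    remote SITE_B_PUBLIC_ADDRESS 1194        # placeholder, not a real address
    cert siteA.crt
    key siteA.key
    # No iroute on the client; it gets "route 192.168.2.0 ..." pushed by the server.
    ```

    The kernel `route` alone only gets packets as far as the tun interface, which is why the routing tables in the question look correct; without the matching `iroute` the server process has no client to deliver 192.168.30.0/24 to and typically logs "bad source address from client" / drops the packets, so checking the OpenVPN log for that message is the quickest confirmation.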



  • Thank you for this explanation. Now my VPN works fine.


  • LAYER 8 Rebel Alliance

    Glad you have it working now. ☺

    -Rico