client ping does not work to clients in other network
Today I set up my openvpn site to site connection. To connect both sides I decided to use certificates. The connection works. A tunnel is available and everything seems fine.
But when I try to ping from one client in network A to an other client in network B it does not work. It seems that icmp packages are routet to the internet and not into the tunnel.
But "netstat -r" shows the right routes as far I understand.
Network A: 192.168.30.0/24
Network B: 192.168.2.0/24
# Side A (192.168.30.0/24) 172.16.0.0/24 172.16.0.1 UGS ovpnc1 172.16.0.1 link#9 UH ovpnc1 172.16.0.2 link#9 UHS lo0 192.168.2.0/24 172.16.0.1 UGS ovpnc1
# Side B (192.168.2.0/24) 172.16.0.0/24 172.16.0.2 UGS ovpns2 172.16.0.1 link#9 UHS lo0 172.16.0.2 link#9 UH ovpns2 192.168.30.0/24 172.16.0.2 UGS ovpns2
The funny thing is: When I use pre-shared key authentication everything works fine. Pings from client to client through the tunnel works.
I have no idea to find out the problem so I hope you can help me to solve this.
Use a /30 tunnel for a site to site VPN.
If you are running multiple VPN instances on one side also assign interfaces to them.
/24 subnet is totally okay to run as tunnel network in PKI.
Do you have set your iroutes?
Check the iroutes section in https://www.netgate.com/docs/pfsense/vpn/openvpn/configuring-a-site-to-site-pki-ssl-openvpn-instance.html if not.
Firewall Rules in place?
thank you for your reply. I will try it out today.
I am wondering why it works with pre-shared key but not with certificates. What is the reason?
In a Site to Site Shared Key you always can only have two sites per Instance, your Server is .1 and Client is .2
Even if you specify a /24 tunnel network only /30 is used. So for OpenVPN it is no problem to know how the traffic flows.
In Site to Site PKI you can have many sites per Instance, so even if you have only two sites OpenVPN need to know how to route traffic internally. This is done by iroutes, even if you only have two sites and use a /30 tunnel you always need to set iroutes in a PKI Instance.
Thank you for this explaination. Now my vpn works fine.
Glad you have it working now.