OpenVPN site-to-site - client cannot reach server side network (can reach server)

  • Hi,

    I have pfSense (2.4.4-p2) installed at two sites.
    One is at the main office, and there I created an OpenVPN server (10.11.2.2/16).
    The second one is located in the branch office and is set up as an OpenVPN client (192.168.169.1/24).
    Tunnel IP: 192.168.188.0/24
    On both sides pfSense is the gateway for the user machines (firewall disabled).

    From the server side network I can reach the client side pfSense and the network PCs, e.g. 192.168.169.10,
    but from the client side I can ping only the pfSense server (10.11.2.2), not any other devices under 10.11.0.0/16.
    Both pfSense firewall OpenVPN settings are any to any...

    A traceroute from the client network reaches as follows:
    Tracing route to 10.11.222.141 over a maximum of 30

    1 <1 ms <1 ms <1 ms 192.168.169.1
    2 41 ms 46 ms 41 ms 192.168.188.1
    3 * * * Request timed out.
    4 * * * Request timed out.
    5 * * * Request timed out.

    This means it reaches the tunnel IP at the server side and then drops... any thoughts highly appreciated...


  • LAYER 8 Rebel Alliance

    Show screenshots of your server and client side OpenVPN settings and firewall rules.

    -Rico



  • Thank you for the reply. Please find the screenshots as follows:

    Server:

    [screenshot: srvr-vpn1.png]
    [screenshot: srvr-vpn2.png]
    [screenshot: srvr-fw1.png]
    [screenshot: srvr-fw2.png]

    Client:

    [screenshot: client-vpn1.png]
    [screenshot: client-vpn2.png]
    [screenshot: client-fw1.png]


  • LAYER 8 Rebel Alliance

    Why is your client side Remote network set to 10.0.0.0/8 and not 10.11.0.0/16?

    -Rico



  • First it was 10.11.0.0/16; I was trying my luck with a /8 subnet :)


  • LAYER 8 Rebel Alliance

    Well, with Remote Networks not matching properly I would expect it not to work, so put your main office network 10.11.0.0/16 there.
    Can you ping main office network clients from the remote side pfSense directly?

    -Rico
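Rico's point is that the "IPv4 Remote network(s)" on each side must cover the far side's LAN, and that a ping only works if both the forward route (client LAN towards 10.11.0.0/16 over the tunnel) and the return route (server side back towards 192.168.169.0/24 over the tunnel) exist. The following is an added example, not code from the thread or from pfSense: a small longest-prefix-match check over constructed route tables for both firewalls. The interface names `ovpnc1`/`ovpns1`/`lan` and both route tables are assumptions made up for illustration, not the poster's real configuration; the "incomplete" server table simply omits the branch LAN so that the return-path failure can be seen.

```python
import ipaddress

# Constructed route tables (assumption, not the poster's real configuration).
# Each entry: (destination prefix, outgoing interface). "ovpnc1"/"ovpns1" are
# hypothetical OpenVPN client/server interfaces; "lan" is the local LAN.
CLIENT_ROUTES = [
    ("192.168.169.0/24", "lan"),
    ("192.168.188.0/24", "ovpnc1"),   # tunnel network from the thread
    ("10.11.0.0/16", "ovpnc1"),       # client "IPv4 Remote network(s)", as Rico suggests
]

# Server side with the branch LAN missing from its "IPv4 Remote network(s)":
SERVER_ROUTES_INCOMPLETE = [
    ("10.11.0.0/16", "lan"),
    ("192.168.188.0/24", "ovpns1"),
]

# Server side with the branch LAN present, so replies can go back over the tunnel:
SERVER_ROUTES_COMPLETE = SERVER_ROUTES_INCOMPLETE + [("192.168.169.0/24", "ovpns1")]


def lookup(routes, dst):
    """Longest-prefix-match lookup; returns (network, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def check_site_to_site(src, dst, near_routes, far_routes, near_tun, far_tun):
    """Check that src -> dst leaves the near firewall over its tunnel interface
    and that the far firewall routes the reply to src back over its tunnel
    interface. Returns a dict of findings; a route of None means no match."""
    fwd = lookup(near_routes, dst)
    rev = lookup(far_routes, src)
    return {
        "forward_route": fwd,
        "forward_ok": fwd is not None and fwd[1] == near_tun,
        "return_route": rev,
        "return_ok": rev is not None and rev[1] == far_tun,
    }


if __name__ == "__main__":
    # Branch office PC pinging a main office host, as in the poster's traceroute.
    for label, server_routes in (("server incomplete", SERVER_ROUTES_INCOMPLETE),
                                 ("server complete", SERVER_ROUTES_COMPLETE)):
        result = check_site_to_site("192.168.169.10", "10.11.222.141",
                                    CLIENT_ROUTES, server_routes, "ovpnc1", "ovpns1")
        print(label, "->", "forward_ok=%s return_ok=%s" %
              (result["forward_ok"], result["return_ok"]))
```

With the incomplete server table the forward check passes but the return check fails, which is the asymmetric picture worth ruling out before looking elsewhere; with both Remote Networks filled in, both directions pass. Note that the forward lookup also succeeds with the poster's 10.0.0.0/8 in place of 10.11.0.0/16, since 10.11.222.141 lies inside both, so the forward route alone does not distinguish the two settings; the mismatch Rico asks about is a configuration-consistency issue on top of the return-path check.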