Site-to-Site OpenVPN, connects but client site loses Internet

greeners

I have a site-to-site OpenVPN connection between two pfSesne 2.4.4p3 machines. Both work independently fine and have been in use for months. I followed the site-to-site (shared key) example in the pfsense book, section 20.6.

When site B (client) connects to site A (server), site B loses its internet connections.

Server-side:
WAN IP - Dynamic, set by Dynamic DNS service to site-a-hostname.noip.com
LAN network - 192.168.8.0/24
Open VPN Server
Server Mode - Peer to Peer (Shared Key)
Shared Key - generated and copied to client-side
Tunnel network - 10.8.0.0/30
Remote network - 192.168.1.0/24

firewall alias - Site-B = site-b-hostname.noip.com
firewall WAN rule - UDP from Site-B to WAN address on 1194 (OpenVPN)
firewall OpenVPN rule - Any from anywhere to anywhere on any port

Client-side:
WAN IP - dynamic, set by Dynamic DNS service to site-b-hostname.noip.com
LAN network - 192.168.1.0/24
OpenVPN Client
Server mode - Peer to Peer (Shared Key)
Protocol - UDP on IPv4 only
Interface - WAN
Server Port - 1194
Shared key - copied from Site A
IPv4 Tunnel Network - 10.8.0.0/30
IPv4 Remote Network - 192.168.8.0/24

firewall OpenVPN rule - Any from anywhere to anywhere on any port

The connection works, and stays up. I can ping hosts at either end ok. However, Site-B cannot get to the internet.

Any ideas? I have looked at the troubleshooting OpenVPN section, which says check the openvpn logs, but I don't know what I am looking for. I set the logging level to 6, which generates too much. Any guidance on logging level useful to figuring out how to proceed?

Best regards,

KOM

@greeners What is Site B's default gateway? System - Routing - Gateways.

greeners

Two gateways set; regular WAN (public IP redacted), and the Site-A tunnel endpoint. Default gateway - Automatic ?

KOM

Automatic is the default, and it's showing your WAN as default so that's good.

Is it possible there's netmask mismatch somewhere? What are your outbound NAT rules for Site B? Please put them in manual mode and then take a screenshot.

greeners

@KOM thanks for trying to help. Below is a screengrab of the manual outbound NAT mappings. The bottom two are for the 10.8.0.0 tunnel network. The 192.168.2.0/24 mappings are for remote user VPN. 10.10.10.1/32 is pfBlocker DNSBL.

BogusException

@greeners is there a chance you have the option to route all traffic through VPN set on client?

greeners

@BogusException said in Site-to-Site OpenVPN, connects but client site loses Internet:

route all traffic through VPN

I did not specifically add an option to route everything through the VPN. I note the client config does have a 'Don't add/remove routes' option - which I have not set.

pfSense documentation VPN section doesn't mention it, and 'The pfSense Book' doesn't mention this option either.

greeners

I have fixed my site-to-site config. Unfortunately this was done by deleting the client and server config and recreating them. It now connects but Site B keeps its internet. Backup taken (just in case) and adding desireable tweaks, like adding an interface so the traffic graph is drawn on the homepage. If it breaks again I will restore the backup.

If I figure out a change that stops internet access for Site-B again, I will post here.

Thanks to both who tried to help. Much appreciated.