Netgate Discussion Forum
    pfsense boxes unable to reach each other over openvpn tunnel

    OpenVPN
    25 Posts 5 Posters 2.0k Views
    • jt

      2 pfsense boxes connected over openvpn. Local networks behind the routers are all fine connecting to the resources on the opposite side. However, the routers themselves can't reach each other.
      Does anyone have an idea what the problem might be, please?

      • KOM

        Define 'see'. They can't ping each other? By default, WAN is set to block private networks/bogons and has no other rules (other than your OpenVPN rule) so it doesn't reply to unsolicited inbound traffic.

        • viktor_g (Netgate) @jt

          @jt
          Looks like a firewall rules issue.
          Can you explain how they must reach each other? Which protocol?

          • jt

            Sorry, I'll be more specific. I need them to be able to reach each other's DNS resolver. I am checking by ping, assuming the traffic would go over the openvpn tunnel, which is not firewalled (all in/out traffic allowed, at least as far as I understand how pfsense's fw works).

            @KOM I thought WAN rules don't matter, as all the traffic goes over the tunnel?

            • viktor_g (Netgate) @jt

              @jt check:
              Firewall \ Rules \ OpenVPN
              Services \ DNS Resolver

              • jt @viktor_g

                @viktor_g said in pfsense boxes unable to reach each other over openvpn tunnel:

                @jt check:
                Firewall \ Rules \ OpenVPN

                All open.

                Services \ DNS Resolver

                What about it? It listens on All interfaces, if that's what you had in mind.

                • KOM @jt

                  @jt Traffic from your LAN might be routed over the tunnel, but that doesn't mean all of pfSense internal traffic also goes that way. Localhost is still routed out WAN by default.

                  What is the actual problem you are trying to solve? Being able to reach each other's DNS Resolver is pointless unless you have them running in forwarding mode.

                  • jt @KOM

                    @KOM said in pfsense boxes unable to reach each other over openvpn tunnel:

                    @jt Traffic from your LAN might be routed over the tunnel, but that doesn't mean all of pfSense internal traffic also goes that way. Localhost is still routed out WAN by default.

                    What is the actual problem you are trying to solve? Being able to reach each other's DNS Resolver is pointless unless you have them running in forwarding mode.

                    They're supposed to be conditional forwarders. I have set up domain overrides, which work OK with another site connected over IPsec. There was a similar problem, resolved by https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html but I didn't find anything similar for OpenVPN, so I assumed this type of VPN connection doesn't suffer from such a problem.

                    • bmeeks

                      I don't profess to be an Unbound resolver expert (that would be user @johnpoz), but I seem to recall some posts elsewhere on the forum where Unbound has a default access control list that prohibits access to the resolver from an IP address that is not part of the local firewall's setup. That could be blocking the DNS lookups from clients on the "other" pfSense box. I think you can modify that characteristic using the Advanced Settings option.

                      • johnpoz (LAYER 8 Global Moderator)

                        Yup, you hit the nail on the head @bmeeks. Out of the box pfsense will auto-create ACLs for the user for networks it's connected to, but it doesn't do this for some remote network. You would need to open up your ACLs on unbound to allow the remote networks you want to be able to query unbound from.

                        I personally disable the creation of the auto ACLs and just create my own.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        • KOM
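                        As an added illustration of the ACL behaviour described above (example code written for this page, not pfSense's or Unbound's own code): a small Python model of Unbound's access-control matching. The netblocks and client addresses are constructed, and the "auto-generated" entries are an assumption about what pfSense creates for its attached networks, not copied from a real install. It shows that a query from the remote site's LAN is refused until that network is added to the ACL, and that Unbound's most-specific-netblock rule lets a narrower entry override a broader one.

```python
import ipaddress

# Constructed example: the access-control entries pfSense's DNS Resolver is
# assumed to create automatically for the networks the firewall is attached
# to (assumption for illustration; the real auto-generated set depends on the
# interfaces and the pfSense version).
AUTO_ACL = [
    ("127.0.0.0/8", "allow"),      # localhost
    ("::1/128", "allow"),
    ("192.168.1.0/24", "allow"),   # constructed: this site's LAN
    ("10.8.0.0/24", "allow"),      # constructed: the OpenVPN tunnel network
]

# Constructed: the LAN behind the other pfSense box, covered by no entry above.
REMOTE_SITE_LAN = "192.168.2.0/24"


def unbound_action(acl, client_ip, default="refuse"):
    """Return the access-control action Unbound would apply to client_ip.

    Unbound applies the most specific (longest-prefix) matching netblock; a
    query from an address matched by no entry gets the default action, which
    for Unbound is 'refuse'.
    """
    ip = ipaddress.ip_address(client_ip)
    best_net, best_action = None, default
    for netblock, action in acl:
        net = ipaddress.ip_network(netblock, strict=False)
        if net.version != ip.version or ip not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_action = net, action
    return best_action


def allow_remote_networks(acl, networks):
    """Return a copy of acl extended with an allow entry per remote network."""
    return list(acl) + [(n, "allow") for n in networks]


def render_access_control(acl):
    """Render the list as unbound.conf access-control lines."""
    return "\n".join(f"access-control: {netblock} {action}" for netblock, action in acl)


if __name__ == "__main__":
    print("auto ACL, query from a remote-LAN host:",
          unbound_action(AUTO_ACL, "192.168.2.50"))
    fixed = allow_remote_networks(AUTO_ACL, [REMOTE_SITE_LAN])
    print("extended ACL, same host:", unbound_action(fixed, "192.168.2.50"))
    print(render_access_control(fixed))
```

                        The rendered lines are the shape of what ends up in the resolver configuration; on pfSense the equivalent is an Access List entry for the remote LAN under Services / DNS Resolver, and the same entry is needed on both boxes, each allowing the other site's network.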

                          You could still use domain overrides, but you would need to allow each one to get to the other's DNS via WAN, or perhaps you could add an outbound NAT rule to redirect all DNS out the OpenVPN tunnel.

                          I'm not exactly sure as I haven't tried it before.

                          • jt

                            This thread helped a lot, so now I can ping/nslookup from the ovpn server side to the ovpn client (no NAT needed, just a gateway + static route).
                            However, it doesn't work from the other direction. I tried to configure the client the same way as the server, but it doesn't seem to be doing the same thing as on the server side (or I'm missing something).

                            • johnpoz (LAYER 8 Global Moderator)

                              So you set these boxes up with a site to site?? You wouldn't be creating routes and gateways if you set up a s2s connection... So I am a bit confused on how you have this set up.


                              • jt

                                Yeah, sorry, S2S. So far it's been working fine with routes pulled. I didn't create any GWs, just this one, as per the guide.

                                • johnpoz (LAYER 8 Global Moderator)

                                  With a s2s setup... On your server side you would setup the remote networks that are on your client side, and on the client side you would setup the remote networks that are on the server side..

                                  That is all there is to it. Which guide are you looking at? Are you doing a PKI (ssl one) or a static key one?


                                  • jt

                                    I am doing static key.
                                    As for your advice, that's exactly how I have it set up, and it works fine for all the clients on each network; they can all communicate fine.
                                    My issue is with the firewall boxes themselves: they can't reach each other. Currently (after creating a GW from the OVPN iface and assigning a static route to the other site's network) it works from the ovpn tunnel's server side. The client is the last remaining piece that needs to be somehow forced to route all traffic originating from the box, destined to the other firewall, through the tunnel.

                                    • johnpoz (LAYER 8 Global Moderator)

                                      @jt said in pfsense boxes unable to reach each other over openvpn tunnel:

                                      they can't reach each other.

                                      Well clearly that is not true, since if they could not talk to each other the vpn wouldn't be up. Please be clear on what you're trying to do exactly that is not working.

                                      You're trying to ping the pfsense lan IP from the client site? You're trying to ping the client side lan IP from the server side pfsense box? You're trying to do a dns query? What exactly?


                                      • jt

                                        They CAN reach each other's WAN address.
                                        They CAN'T reach each other's LAN address. The purpose is, I believe, irrelevant, but the intention is to point the firewalls to each other for conditional DNS resolution, so the clients behind firewall1 can resolve hosts behind firewall2, and vice versa.

                                        I'm checking the connectivity by SSHing to firewall1 and pinging firewall2's LAN address. This currently (after adding the GW and static route) works from the ovpn server side, but not from the ovpn client side.

                                        Thx for your help, guys.

                                        • johnpoz (LAYER 8 Global Moderator)

                                          What exactly do you want the other unbound to resolve for the other side? Are you using different domains?


                                          • jt

                                            Yes, different domains. I wanna be able to resolve host2.site2.domain.com from host1.site1.domain.com (site1.domain.com and site2.domain.com obviously being the domains at the two sites connected via the ovpn tunnel).

                                            Edit for some more context: these are two different organizations, somewhat cooperating with each other, managed by a single IT team. Therefore, it makes sense to us to have both sites reachable from each other, while not merging their domains.
