OpenVPN site-to-site tunnel connected but can't access local network



  • Hi everyone,

    I have a pfSense (2.4.4) OPENVPN site-to-site (shared key) setup. The VPN tunnel is up and from each of the pfSense boxes I can ping the remote subnets. When I want to ping or access the remote subnet from a client-PC I get a timeout.

    • Tunnel IP is 10.0.9.0/24 (I also tried 30) on server and client side

    • Serverside subnet is 192.168.250.0/24

    • Clientside subnet is 172.16.0.0/21

    • Remote subnets are configured in OPENVPN configuration

    • OPENVPN firewall rules any-any are configured on both sides

    • OPENVPN Gateway on clientside is created and firewall rules any-any are set

    • Remote subnets are visible in routing tables

    • Local windows firewalls are disabled

    I tried using an outbound NAT rule -> No success
    I tried adding static routes -> No success

    Anybody got ideas on what I'm doing wrong?

    Thx!



  • Your settings seem okay to me. I just started using OpenVPN though. I'm assuming you went through these links:
    https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-shared-key.html
    https://docs.netgate.com/pfsense/en/latest/book/openvpn/troubleshooting-openvpn.html

    Have you tried using Packet Captures on each side to look for ICMP traffic? You might need to post some sanitized configs for more help.



  • Hi Guys,

    I figured something out. There is also an IPSec tunnel on our pfSense for other purposes. When I stop the IPSec service, traffic is passing fine in the OPENVPN connection.
    Any idea how I can use a combination (IPSec must stay but in combination with some extra OPENVPN tunnels)?
    I also tried extra IPSec tunnels but same problem (IPSec tunnel Phase 1 & 2 are Up but no LAN traffic possible between my subnets).


  • LAYER 8 Moderator

    OpenVPN and IPSec have no problem whatsoever in co-existing and having tunnels defined. If stopping IPSEC makes your OVPN tunnel work, you have it wrong. Most commonly you are probably using the same subnets on OVPN as in IPSEC, or are trying to route a network that is already defined in IPSEC. Without your config, that's all we can guess.
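    The overlap the moderator describes can be checked mechanically before touching the box. The script below is an added example, not code from the thread or from pfSense: it takes the OpenVPN local/remote pairs and tunnel network from the thread and a set of IPsec Phase 2 local/remote pairs (constructed here, since the poster's IPsec config is not shown) and reports every flow an IPsec policy would capture. On pfSense a matching IPsec policy takes precedence over the routing table, so such a flow never reaches the OpenVPN interface even though the route is present.

```python
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]


def parse_pairs(pairs: List[Tuple[str, str]]) -> List[Pair]:
    """Turn ('192.168.250.0/24', '172.16.0.0/21') style tuples into network objects."""
    return [(ipaddress.ip_network(a, strict=False), ipaddress.ip_network(b, strict=False))
            for a, b in pairs]


def pair_overlaps(a: Pair, b: Pair) -> bool:
    """True if a flow matching pair a (src, dst) could also match pair b, in either direction."""
    (a_src, a_dst), (b_src, b_dst) = a, b
    return (a_src.overlaps(b_src) and a_dst.overlaps(b_dst)) or \
           (a_src.overlaps(b_dst) and a_dst.overlaps(b_src))


def ipsec_conflicts(ovpn_pairs: List[Pair], ipsec_p2_pairs: List[Pair]):
    """Return every (OpenVPN pair, IPsec pair) where the IPsec Phase 2 policy would capture
    traffic meant for the OpenVPN tunnel. Because the IPsec policy wins over the routing
    table, the OpenVPN route for that flow is never used."""
    return [(o, p) for o in ovpn_pairs for p in ipsec_p2_pairs if pair_overlaps(o, p)]


def tunnel_network_conflicts(tunnel_net: Net, ipsec_p2_pairs: List[Pair]) -> List[Net]:
    """Return IPsec networks that overlap the OpenVPN tunnel network itself."""
    return [n for pair in ipsec_p2_pairs for n in pair if n.overlaps(tunnel_net)]


# Networks from the thread: server side 192.168.250.0/24, client side 172.16.0.0/21,
# tunnel 10.0.9.0/24. The IPsec Phase 2 entries are constructed for this example.
OVPN = parse_pairs([("192.168.250.0/24", "172.16.0.0/21")])
TUNNEL = ipaddress.ip_network("10.0.9.0/24")
IPSEC_P2 = parse_pairs([
    ("192.168.250.0/24", "172.16.0.0/16"),  # constructed: wider network swallowing the OpenVPN remote
    ("192.168.250.0/24", "10.20.0.0/16"),   # constructed: unrelated, must not be flagged
])

if __name__ == "__main__":
    for o, p in ipsec_conflicts(OVPN, IPSEC_P2):
        print(f"OpenVPN {o[0]} <-> {o[1]} is shadowed by IPsec P2 {p[0]} <-> {p[1]}")
    for n in tunnel_network_conflicts(TUNNEL, IPSEC_P2):
        print(f"tunnel network {TUNNEL} overlaps IPsec network {n}")
```

    Any pair reported by `ipsec_conflicts` needs either a narrower IPsec Phase 2 definition or a different remote network on the OpenVPN side; the same check applied to the client-side box catches the mirror-image case.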


