Can Ping But Cannot Access Via HTTP or HTTPS

trevordavis · Dec 11, 2019, 5:44 PM

Hello ... I have a site to site VPN stood up pfsense on both sides using OpenVPN. I can ping from one side to another, no problems what-so-ever, but when I try to reach the site which is hosted on that IP, no luck. I do a packet capture and all traffic seems to be flowing properly, but just times out.

marvosa · Dec 12, 2019, 5:03 AM

First, post the server1.conf and the client1.conf (both located here -> /var/etc/openvpn).

Next, can you ping host to host over the tunnel... or just PFsense to PFsense? Also, please clarify what is happening here:

when I try to reach the site which is hosted on that IP, no luck.

trevordavis · Dec 12, 2019, 1:00 PM

I’ll post config files when I arrive home. But in regards to clarifying my other statement.

I can ping from a client hanging off the pfsense across the vpn to another client hanging off the pfsense on the other end. But when I try to load the url from that IIS server it only loads the background color and no graphics.

That same url not traversing the VPN works perfectly.

trevordavis · Dec 12, 2019, 3:29 PM

@marvosa

here are the files ... also just to re-state my previous post ... I can ping from a client hanging off the pfsense across the vpn to another client hanging off the pfsense on the other end.

But when I try to load the url from that IIS server it only loads the background color and no graphics.

That same url not traversing the VPN works perfectly.

pfsense-openvpn-client_side.txt pfsense-openvpn-server_side.txt

marvosa · Dec 12, 2019, 9:40 PM

@trevordavis What is the LAN subnet at each end?

trevordavis · Dec 12, 2019, 9:43 PM

192.168.74/24 - server
10.74.2/24

marvosa · Dec 12, 2019, 10:35 PM

I see a couple of things, which may not be the main issue, but could certainly be contributing to it:

Both sides are double NAT'd. Not ideal, but also not a big deal in and of itself as long as there's awareness of it and you have access to the edge device if an issue presents itself
The server-side LAN is 192.168.74.0/24, but the client is routing 192.168.0.0/16 over the tunnel. This overlaps the server-side WAN subnet and is undoubtingly causing an issue of some kind since the server's WAN IP is 192.168.74.74. At a minimum, the client-side will need to modify the IPv4 Remote network(s) line to the correct server-side LAN subnet. Worst case, the server-side may need to assign a new LAN subnet if there's overlap somewhere and then adjust the config accordingly.
The client-side WAN IP is 10.74.1.74, but the server-side is routing 10.74.1.0/24 over the tunnel which is the client-side WAN subnet. Why are we routing the client-side's WAN subnet over the tunnel here? This should probably be removed.

Other things to look at:

Verify the IIS server is using PFsense as the default gateway
Verify the client-side's DNS is resolving the hostname to the correct IP