OpenVPN (Site-to-Site) unable to ping/access from SiteA(Server) to SiteB(Client) LAN from Local Machine

PrashantRai

Site A (OpenVPN Server) :
WAN IP : 182.75.8X.17X/28
LAN IP : 10.10.1.X/8
Tunnel N/W : 192.168.70.0/24

Site B (OpenVPN Client) :
WAN IP : 106.51.22X.15X/19
LAN IP : 10.20.1.X/12
Tunnel N/W : 192.168.70.0/24

Hi I'm trying to setup site to site openvpn, I followed the official doc's and also YouTube tutorials, after which connection between both the pfSense is established, tunnel network gets pinged from both the sites and even pfsense to pfsense is pinging including local machines IP address.
But from Server side(SiteA) I'm not able to ping LAN address of Client Side(SiteB) from Local machine, but WAN address of both are reachable from local machines.

johnpoz

@PrashantRai said in OpenVPN (Site-to-Site) unable to ping/access from SiteA(Server) to SiteB(Client) LAN from Local Machine:

LAN IP : 10.10.1.X/8
LAN IP : 10.20.1.X/12

Those overlap - so not sure how you expect for client to go to the other network?

Why are the masks so large? Do you have somewhere close to 16 Million hosts on the site A, and 1 million on the other side ;)

If you had those as /24 then you wouldn't have any issues or really just networks that don't overlap!!

Client at site A lets say 10.10.1.100, says oh I need to talk to server over at site B at 10.20.1.42... Oh since that is in the 10.anything network must be local... So why would it send traffic to its gateway to get sent down the tunnel?

PrashantRai

@johnpoz , thank you for replying, so then should I use different IP's ?? Such as SiteA 10 series and SiteB as 172 series range IP's ?

johnpoz

Yeah that would be one solution... with 10.x.x.x and 172.16-31.x.x, or just set the network size, ie masks so they don't overlap..

Say 10.10.1/24 on one site and 10.20.1/24 on the other... How many devices/clients do you have in each site? Your network size should be appropriate... If you have 200 devices you don't need a /8 or /12 mask for example ;) A /23 would give you 510 addresses to work with - so plenty of room for growth, etc. if you currently have 200 for example..

10.10.0/23 = 10.10.0.1 to 10.10.1.254

10.10.2/23 = 10.10.2.1 to 10.10.3.254

etc. etc..

A /24 is very common since its very easy for human to see the network, first 3 octets... So 10.10.1.0/24 means that the 10.10.1 is the network, and that last octet 10.10.1.X is the HOST address so you have .1 to .254 to work with..

Your current networks are HUGE, over 16 million addresses in the /8 and over 1 million in the /12 - and the whole /12 is inside the /8...

PrashantRai

Thanks @johnpoz tomorrow morning I'll try with these IP's.

johnpoz

How many devices do you have at each site, is it a handful then /24... If its 200+ then you might think of /23 if you think in the next few years you might grow to be larger then what a /24 can handle, ie 254

PrashantRai

@johnpoz for now it's around 150 machines, which is expected to grow in future...

johnpoz

well /24 gives you 254 Ips to work with... So that quite a bit of growth ;)

PrashantRai

@johnpoz well yeah..

PrashantRai

@johnpoz thanks man it worked.
I was curious to know which all mask are overlapping, So I tested with some of the mask's, which are :

1. SiteA - 10.10.1.X/8
   SiteB - 10.20.1.X/8 , testing didn't work out.

2. SiteA - 10.10.1.X/8
   SiteB - 10.20.1.X/12 , testing didn't work out. It worked in only one direction

3. SiteA - 10.10.1.X/12
   SiteB - 10.20.1.X/12 , testing worked. Both bi-direction ping/access is happening.

4. SiteA - 10.10.1.X/12
   SiteB - 10.20.1.X/14 , testing worked. Both bi-direction ping/access is happening.

Now if you don't mind can you please brief/explain why testing 1 and 2 failed, and also how to know if IP's are overlapping!!!!

Rico

http://jodies.de/ipcalc

-Rico

PrashantRai

@Rico thank you

JKnott

@PrashantRai said in OpenVPN (Site-to-Site) unable to ping/access from SiteA(Server) to SiteB(Client) LAN from Local Machine:

Now if you don't mind can you please brief/explain why testing 1 and 2 failed, and also how to know if IP's are overlapping!!!!

In both, you actually have 10.0.0.0 /8. The other address in both examples is within that range. The /8 indicates 8 of the 32 bits are used for the network portion of the address and the other bits are for the device address. So, start with any address you wish and count the bits from the left. All the bits to that point are the network address and the rest are irrelevant. So, write out those network addresses first with all 0 to the right and again with all 1. This will show you the range of addresses that network would have.

PrashantRai

@JKnott thank you

johnpoz

@PrashantRai said in OpenVPN (Site-to-Site) unable to ping/access from SiteA(Server) to SiteB(Client) LAN from Local Machine:

also how to know if IP's are overlapping!!!!

You don't understand network masks, ie subnetting - but your setting up the firewall and site to site vpn? How is this?

So you rust randomly picking a mask? Where did you come up with the /12? I can understand the /8 somewhat since this is whole network for 10..

I would highly suggest you do a bit of research.
https://www.ittsystems.com/introduction-to-subnetting/

Came up on google like first hit, looks basic enough to get you started.