OpenVPN Server/Client Setup - Clients on both sides can't reach each other.



  • Hello,

    I've seen this issue before, but the fix there didn't apply to me (https://forum.netgate.com/topic/140819/aws-pfsense-openvpn-no-access-to-private-subnet)

    My setup is:
    AWS pfSense:
    WAN = 10.0.5.145 (with a public IP attached as well)
    Server Config

    dev ovpns1
    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-128-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 10.0.5.145
    ifconfig 172.26.44.1 172.26.44.2
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 20
    route 10.50.2.0 255.255.255.0
    secret /var/etc/openvpn/server1.secret 
    

    Netgate SG-1100:
    WAN: 10.50.1.101/24 (it has to be double-NAT'd due to the hardware available)
    LAN: 10.50.2.1/24
    Client Config

    dev ovpnc2
    verb 1
    dev-type tun
    dev-node /dev/tun2
    writepid /var/run/openvpn_client2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-128-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 10.50.1.101
    lport 0
    management /var/etc/openvpn/client2.sock unix
    remote REDACTED 1194
    ifconfig 172.26.44.2 172.26.44.1
    route 10.0.4.0 255.255.252.0
    secret /var/etc/openvpn/client2.secret 
    resolv-retry infinite
    

    I am able to establish the tunnel, and from a laptop on the client-side (10.50.2.100), I can ping the client LAN IP (10.50.2.1) as well and the server's 'local' IP (10.0.5.145). The client-side laptop has a GW of the SG-1100, and when I do a route print it shows 0.0.0.0/0 pointing to 10.50.2.1, but nothing specific to the AWS IP ranges (10.0.4.0/22). I can not connect to anything in the AWS ranges, even the instances that are explicitly set to 'allow all ports from all sources' in their SG.

    From the SG-1100 WebGUI, I can ping/trace/telnet onto any AWS instance/port, so long as I select the 'OpenVPN' interface when doing so. LAN and WAN interfaces fail.

    From any instance in AWS, I am not able to connect to the LAN interface of the SG-1100 nor the client-side laptop at all, but am able to ping/trace/telnet from the WebGUI, so long as I select the 'OpenVPN' interface when doing so.

    The firewall rules in both the AWS VM and the SG-1100 are 'allow all' across the board (in the 'OpenVPN' rules), and the routes in both places show the opposite network as going through the tunnel IP range (172.26.44.0/24).

    I'm somewhat at a loss here, and am hoping that someone can assist / guide me in the right direction. If I've left off any critical details needed, please let me know.

    Thank you so much for any assistance!


Log in to reply