OpenVPN Server/Client Setup - Clients on both sides can't reach each other.
TPCoMatt
I've seen this issue before, but the fix there didn't apply to me (https://forum.netgate.com/topic/140819/aws-pfsense-openvpn-no-access-to-private-subnet)
My setup is:
10.0.5.145 (with a public IP attached as well)

```
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.0.5.145
ifconfig 172.26.44.1 172.26.44.2
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 20
route 10.50.2.0 255.255.255.0
secret /var/etc/openvpn/server1.secret
```
10.50.1.101/24 (it has to be double-NAT'd due to the hardware available)

```
dev ovpnc2
verb 1
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.50.1.101
lport 0
management /var/etc/openvpn/client2.sock unix
remote REDACTED 1194
ifconfig 172.26.44.2 172.26.44.1
route 10.0.4.0 255.255.252.0
secret /var/etc/openvpn/client2.secret
resolv-retry infinite
```
I am able to establish the tunnel, and from a laptop on the client side (10.50.2.100), I can ping the client LAN IP (10.50.2.1) as well as the server's 'local' IP (10.0.5.145). The client-side laptop has a GW of the SG-1100, and when I do a route print it shows 10.50.2.1, but nothing specific to the AWS IP ranges (10.0.4.0/22). I cannot connect to anything in the AWS ranges, even the instances that are explicitly set to 'allow all ports from all sources' in their SG.
From the SG-1100 WebGUI, I can ping/trace/telnet onto any AWS instance/port, so long as I select the 'OpenVPN' interface when doing so. LAN and WAN interfaces fail.
From any instance in AWS, I am not able to connect to the LAN interface of the SG-1100 nor the client-side laptop at all, but am able to ping/trace/telnet from the WebGUI, so long as I select the 'OpenVPN' interface when doing so.
The firewall rules in both the AWS VM and the SG-1100 are 'allow all' across the board (in the 'OpenVPN' rules), and the routes in both places show the opposite network as going through the tunnel IP range (
I'm somewhat at a loss here, and am hoping that someone can assist / guide me in the right direction. If I've left off any critical details needed, please let me know.
Thank you so much for any assistance!
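As an added example (not code from the post, pfSense or Netgate), here is a small consistency check for a pair of shared-key point-to-point OpenVPN configs like the two quoted above. It parses the routing-relevant subset of the post's server and client configs (REDACTED kept as-is; the parser, function names and the LAN lists passed in are my own assumptions) and reports the things that most often break site-to-site reachability at the OpenVPN layer: mirrored `ifconfig` addresses, matching `proto`/`cipher`/`auth`, the client's `remote` port equal to the server's `lport`, a `route` on each side covering the other side's LAN, and no `route` that swallows a side's own `local` or `remote` endpoint address (which would send the tunnel's own packets into the tunnel).

```python
"""Mutual-consistency check for two OpenVPN shared-key (p2p) site-to-site configs.

Added example, not the post's or pfSense's own code. The config texts below are
the routing-relevant subset of the configs quoted in the post, embedded here so
the script runs offline; check logic and names are assumptions of this example.
"""
import ipaddress

SERVER_CFG = """
dev-type tun
proto udp4
cipher AES-128-CBC
auth SHA256
local 10.0.5.145
ifconfig 172.26.44.1 172.26.44.2
lport 1194
route 10.50.2.0 255.255.255.0
"""

CLIENT_CFG = """
dev-type tun
proto udp4
cipher AES-128-CBC
auth SHA256
local 10.50.1.101
lport 0
remote REDACTED 1194
ifconfig 172.26.44.2 172.26.44.1
route 10.0.4.0 255.255.252.0
"""


def parse_openvpn(text):
    """One directive per line -> {directive: [[arg, ...], ...]}; '#' comments dropped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        cfg.setdefault(parts[0], []).append(parts[1:])
    return cfg


def tunnel_endpoints(cfg):
    """(local tunnel IP, peer tunnel IP) from the ifconfig directive."""
    local, peer = cfg["ifconfig"][0]
    return ipaddress.ip_address(local), ipaddress.ip_address(peer)


def routed_networks(cfg):
    """Networks this side sends into the tunnel via 'route <net> <mask>'."""
    return [ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)
            for a in cfg.get("route", [])]


def endpoint_swallowed(cfg):
    """Findings where a routed network contains this side's own local/remote address."""
    out = []
    addrs = [cfg["local"][0][0]] + [a[0] for a in cfg.get("remote", [])]
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)   # hostnames/REDACTED are skipped
        except ValueError:
            continue
        for net in routed_networks(cfg):
            if ip in net:
                out.append(f"route {net} covers own endpoint address {ip}")
    return out


def check_pair(server_text, client_text, server_lans, client_lans):
    """Return a list of findings; an empty list means the pair is mutually consistent."""
    s, c = parse_openvpn(server_text), parse_openvpn(client_text)
    findings = []
    s_local, s_peer = tunnel_endpoints(s)
    c_local, c_peer = tunnel_endpoints(c)
    if (s_local, s_peer) != (c_peer, c_local):
        findings.append(f"ifconfig not mirrored: server {s_local}->{s_peer}, client {c_local}->{c_peer}")
    for d in ("proto", "cipher", "auth"):
        if s.get(d) != c.get(d):
            findings.append(f"{d} differs: server {s.get(d)}, client {c.get(d)}")
    if c["remote"][0][1] != s["lport"][0][0]:
        findings.append(f"client remote port {c['remote'][0][1]} != server lport {s['lport'][0][0]}")
    for lan in map(ipaddress.ip_network, client_lans):
        if not any(lan.subnet_of(r) for r in routed_networks(s)):
            findings.append(f"server has no route covering client LAN {lan}")
    for lan in map(ipaddress.ip_network, server_lans):
        if not any(lan.subnet_of(r) for r in routed_networks(c)):
            findings.append(f"client has no route covering server LAN {lan}")
    findings += ["server: " + f for f in endpoint_swallowed(s)]
    findings += ["client: " + f for f in endpoint_swallowed(c)]
    return findings


if __name__ == "__main__":
    for f in check_pair(SERVER_CFG, CLIENT_CFG, ["10.0.4.0/22"], ["10.50.2.0/24"]) or ["OK: configs consistent"]:
        print(f)
```

For the pair quoted in the post the check returns no findings, which is what you would expect given that the tunnel comes up and pings sourced from the OpenVPN interface work in both directions: the OpenVPN directives are mutually consistent, so the next place to look is how packets sourced from the LANs on either side are routed and filtered once they leave the tunnel interface, rather than the tunnel definition itself.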