Netgate Discussion Forum

OpenVPN Server-Client access problems
h5kd3

I'm trying to configure an OpenVPN server-client (pfSense to pfSense) connection to have bidirectional access.

      The Client->Server traffic is working when NAT is enabled, but Server->Client is not.
      I actually don't need NAT and could have both sides routed through, but somehow I cannot get the configuration working.

What I have tried:
On the VPN server side, both server modes: peer-to-peer and remote access.
With peer-to-peer mode I see the routing pointing to ovpns1 on both sides. The access lists are permitting any for the LAN and VPN tabs (test setup).
I have tried setting the ACL gateway option to help with directing traffic. The end result is the same: client-server working, server-client not working.

The last thing I tried was setting the server mode to Remote Access, but then the routing table on the server side does not have an entry for the remote side.

From the states table I see that traffic is hitting the VPN interface, but the other side is not receiving it.

The reason I need the OpenVPN client-server model is that my other pfSense is behind a 4G connection, with no public IP address that I could use for port forwarding. So I have to call out to the server, which is reachable.

      What VPN server mode would allow me to have bidirectional routed traffic over VPN between both sites?

Rico

        You need to pick Peer to Peer (SSL/TLS) or Peer to Peer (Shared Key), Remote Access is the wrong mode.

        -Rico

h5kd3

OK. So I configured it as peer-to-peer. The tunnel is up and the local/remote networks are placed in the routing table.

pfSense config
Server
Mode: peer-to-peer
          Device mode: tun-L3
          Tunnel network 10.10.99.0/24
          Local network 192.168.1.0/24
          Remote network 192.168.2.0/24

          Interface assignment
          Ovpns1 - VPN

          Firewall
          LAN - Permit IPv4 any any
          VPN - Permit IPv4 any any

          Client
          Tunnel network 10.10.99.0/24
          Remote network 192.168.1.0/24

          Interface assignment
          Ovpns1 - VPN

          Firewall
          LAN - Permit IPv4 any any
          VPN - Permit IPv4 any any

The tunnel gets built and the tunnel interface IPs are reachable from both sides (Server 10.10.99.1 & Client 10.10.99.2).

          Routing table has entries
          Server side:
          10.10.99.0/24 GW 10.10.99.2 netif ovpns1
          192.168.2.0/24 GW 10.10.99.2 netif ovpns1

          Client side:
          10.10.99.0/24 GW 10.10.99.1 netif ovpns1
          192.168.1.0/24 GW 10.10.99.1 netif ovpns1

Configuration 1 (no NAT entries)

          Testing icmp
          Server
          Ping 192.168.2.1 - no response
          State table:
          Int Proto Source(Original Source) -> Dest (original dest)
          VPN icmp 192.168.1.1:yyyy-> 192.168.2.1:zzzz

Traffic is forwarded to the VPN interface.
Client side state table is empty.

          Client
          Ping 192.168.1.1 - no response
          State table:
          Int Proto Source(Original Source) -> Dest (original dest)
          VPN icmp 192.168.2.1:yyyy-> 192.168.1.1:zzzz

Traffic is forwarded to the VPN interface.
          Client side state table empty.

Problem:
Without NAT, traffic is sent to the VPN tunnel but the other side does not receive it.

Configuration 2 (with NAT entries)
Server NAT
Int VPN src:10.10.99.0/24 dst:any Nat addr VPN interface (both ports ISAKMP 500 & any)

          Int VPN src:192.168.1.0/24 dst:any Nat addr VPN interface (both ports ISAKMP 500 & any)

          Client NAT

          Int VPN src:10.10.99.0/24 dst:any Nat addr VPN interface (both ports ISAKMP 500 & any)

          Int VPN src:192.168.2.0/24 dst:any Nat addr VPN interface (both ports ISAKMP 500 & any)

          Testing icmp
          Server
          Ping 192.168.2.1 - no response
          State table:
          Int Proto Source(Original Source) -> Dest (original dest)
          VPN icmp 10.10.99.1:xxxx(192.168.1.1:yyyy)-> 192.168.2.1:zzzz

So the NAT is working & traffic is forwarded to the VPN interface.
Client side state table is empty.

          Client
Ping 192.168.1.1 - 3 responses (working)
          State table:
          Int Proto Source(Original Source) -> Dest (original dest)
          VPN icmp 10.10.99.2:xxxx(192.168.2.1:yyyy)-> 192.168.1.1:zzzz

So the NAT is working & traffic is forwarded to the VPN interface.
          Client side state table has the correct entry as well.

          Problem:
          Traffic is working only from client to server.
          Traffic is not working from server to client.

Rico

Can you share your server and client OpenVPN configs via screenshot?

            -Rico

h5kd3

[Screenshot: Topology]

[Screenshots: VPN Server - config, routes, status, FW LAN rules, FW VPN rules]

[Screenshots: VPN Client - config, routes, status, FW LAN rules, FW VPN rules]

Testing
Testing ping (ICMP) from Host1 to Host2 (no NAT rules, only routing)
[Screenshot: VPN Server states table]
[Screenshot: VPN Client states table]

kiokoman

Check the OpenVPN log and see if there is any complaint about "compression stub".
I had trouble with "Disable Compression, retain compression packet framing"; instead I'm using "Omit Preference (Use OpenVPN default)".

Rico

                  In SSL/TLS mode you need CSO (Client Specific Overrides) for proper routing.
                  Check https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-ssl-tls.html

                  -Rico

h5kd3 @Rico
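Spelled out as plain OpenVPN configuration, this is what the Client Specific Override adds on top of the routes already shown in the thread (an added example, not the poster's exported config or Netgate's documentation; the client certificate common name `site2`, the `client-config-dir` path and the server hostname are assumptions, the addresses are the ones quoted earlier):

```conf
# --- server side: pfSense "Peer to Peer (SSL/TLS)" server, tun, tunnel network 10.10.99.0/24 ---
dev tun
server 10.10.99.0 255.255.255.0          # "Tunnel network"
push "route 192.168.1.0 255.255.255.0"   # "Local network": pushed to the client
route 192.168.2.0 255.255.255.0          # "Remote network": kernel route into ovpns1 (this is
                                         # the 192.168.2.0/24 entry seen in the server routing table)
client-config-dir /var/etc/openvpn/server1/ccd   # assumed path; pfSense writes the CSO here

# --- ccd/site2: the Client Specific Override, one file named after the client cert CN (assumed "site2") ---
# The kernel route above only delivers the packet to the tun interface. On a multi-client
# SSL/TLS server, OpenVPN itself must additionally know WHICH connected client owns
# 192.168.2.0/24. Without this iroute the server has no owner for that network and the
# packet is discarded, which matches "sent to VPN interface, client state table empty".
iroute 192.168.2.0 255.255.255.0

# --- client side: pfSense OpenVPN client behind the 4G link ---
client
dev tun
remote vpn-server.example.invalid 1194   # placeholder, the server's reachable address
route 192.168.1.0 255.255.255.0          # client "Remote network" (the server also pushes it)
```

Shared Key mode has a single peer, so there the plain `route` is enough; the `iroute` is only needed when the server can have more than one client, which is why the routing broke in SSL/TLS mode and worked once the CSO was added.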

@Rico Thank you so much for that detail. I did the CSO configuration and now I can reach both sites. Basically all the tutorials on OpenVPN server-client configuration do not mention it... they probably assume that you will be using NAT.

                    Thank you again!

Rico

                      Glad you have it working now. 👍

                      -Rico

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.