OpenVPN Site to Site VPN: No LAN to LAN Communication
I have two sites:
A) LAN: 18.104.22.168/24 (server)
B) LAN: 22.214.171.124/24 (client)
Tunnel Address: 192.168.50.0/24
At this moment, I have the site to site VPN up; however, two LANs can't communicate with each other.
Here is the odd part (...i think), both pfSense box itself can reach the LANs (example, box A can reach LAN of box B) only if I source the traffic from the new tunnel interface (OPT1 for example). If I source from LAN interface, no luck.
I verified that followings were taken care of:
- Firewall rules. Under LAN/OpenVPN/OPT1 all pretty much allow any any
- I tried Outbound NAT as some threads suggested, no luck.
- Routing seems to be okay:
Destination Gateway Flags Use Mtu Netif Expire
default 192.168.1.1 UGS 412450 1500 igb0
126.96.36.199/24 link#2 U 346097 1500 igb1
188.8.131.52 link#2 UHS 258 16384 lo0
184.108.40.206/24 192.168.50.1 UGS 790 1500 ovpnc1
127.0.0.1 link#4 UH 97 16384 lo0
192.168.1.0/24 link#1 U 134359 1500 igb0
192.168.1.68 link#1 UHS 0 16384 lo0
192.168.50.1 link#8 UH 251091 1500 ovpnc1
192.168.50.2 link#8 UHS 0 16384 lo0
- I even added static routes on both sides. Here is an example on client box:
220.127.116.11/24 OPT1_VPNV4 - 192.168.50.1 OPT1
What else am I missing? Let me know if you need more information.
Are you really using 18.104.22.168/24 and 22.214.171.124/24 or did you obfuscate the address space?
netblues last edited by
Apart from the invalid address space, openvpn has its own internal routing table too
You need to specify the networks behind the clients
something like that
@Rico Hi Rico,
I am actually using 126.96.36.199/24 and 188.8.131.52/24 on the LAN side. Lets just say this is the network I adopted. I have over 20 locations where I want to place Netgate firewall and doing proof of concept at this moment to see if its feasible.
Since I am using odd addressing space, is this the reason why my two LANs having issues?
@netblues Hi ,
Thanks for the feedback! I haven't tried that. I only have 184.108.40.206/24 & 220.127.116.11/24 as remote network.
I was able to resolve the issue by switching the network to private addresses (i.e. 18.104.22.168/24 -- > 10.12.12.0/24) and by adding static routes.
I am not sure why I wasn't able to route 22.214.171.124/24 even with static routes properly. Currently, its working flawlessly with Cisco ASAs and I am planning on migrating over 20 sites to Netgate.
Any suggestions? Is it even possible to route public networks via internal VPN cloud?
netblues last edited by
@Teh_Bot openvpn or any other vpn technology isn't automatically filtering on any ip's (with a very few exceptions, like localhost, sometimes apipa etc)
Still, you need to declare to vpns the ranges that will pass through.
See the openvpn wiki entry
putting nat rules in a vpn is not recommended, and it does make things difficult to comprehend.
I suspect there was some typo somewhere and was eliminated by renumbering.
If you needed static routes to make this work you did it wrong. You will experience occasional strange issues if you use static routes.
Let OpenVPN install the routes using the Remote Networks fields.
bingo600 last edited by
This post is deleted!