Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Cannot ping remote gateway from LAN side

    Scheduled Pinned Locked Moved OpenVPN
    7 Posts 2 Posters 967 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      ccb056
      last edited by

      Attempting to setup pfsense as a OpenVPN client connected to OpenVPN server on dia.whatbox.ca

      https://whatbox.ca/wiki/OpenVPN

      see below for the contents of pfsense's /var/etc/openvpn/client2/config.ovpn

      dev ovpnc2
verb 1
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 47.210.156.168
tls-client
client
lport 0
management /var/etc/openvpn/client2/sock unix
remote dia.whatbox.ca 1194 udp4
auth-user-pass /var/etc/openvpn/client2/up
auth-retry nointeract
capath /var/etc/openvpn/client2/ca
tls-auth /var/etc/openvpn/client2/tls-auth 1
ncp-disable
cipher AES-256-CBC
allow-compression no
resolv-retry infinite
pull-filter ignore 'route '
pull-filter ignore redirect-gateway

      pfSense can connect, and ping 10.8.0.1, however, machines on the pfsense LAN side cannot ping 10.8.0.1

      09c0560a-1c71-4633-997c-a94b2206eaab-image.png

      871bdadb-76f8-4ead-88c2-fcd3106a24c4-image.png

      07efcbcf-2f4e-4156-96b2-83ba897d9fc8-image.png

      9e29dd11-6c12-4d21-ba99-025f5b1ca332-image.png

      db8652b5-bbe3-45f4-8cc8-9df43d3b1107-image.png

      3f027eda-5c36-4380-a6d8-f8021114e754-image.png

      Any ideas?

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @ccb056
        last edited by

        @ccb056
        Presumably the other site has no route to your LAN network.

        C 1 Reply Last reply Reply Quote 0
        • C
          ccb056 @viragomann
          last edited by

          @viragomann

          How could I fix that, looks like the other site can at least ping me:

          ee4e7d46-1097-4be9-9856-b155adfb0718-image.png

          V 1 Reply Last reply Reply Quote 0
          • V
            viragomann @ccb056
            last edited by

            @ccb056
            You need to add a route line for your LAN to the remote vpn config, e.g. if your LAN is 10.20.10.0/24

            route 10.20.10.0 255.255.255.0

            Also if you need to access another subnet behind the remote vpn endpoint you need to add it to the pfSense settings. This can be done by entering the network in the "Remote networks" box, e.g. 10.20.20.0/24.

            C 1 Reply Last reply Reply Quote 0
            • C
              ccb056 @viragomann
              last edited by

              @viragomann

              What if I can't change the config file on the server?

              V 1 Reply Last reply Reply Quote 0
              • V
                viragomann @ccb056
                last edited by

                @ccb056
                Masquerading is another possible solution.

                To set it up, if you're running multiple OpenVPN instances assign an interface to the concerned one before going on.

                Then go to Firewall > NAT > Outbound.
                By default the outbound NAT works in automatic mode. If so switch to hybrid mode and hit save.

                Then add a new rule like this:
                interface: that one you've assigned to the vpn instance or OpenVPN if not
                source: your LAN network or any
                destination: any
                translation: interface address
                save settings

                Now LAN devices should be able to access the remote site.

                C 1 Reply Last reply Reply Quote 1
                • C
                  ccb056 @viragomann
                  last edited by ccb056

                  Perfect! That worked - thank you :)

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.