Netgate Discussion Forum
    Cannot ping remote gateway from LAN side

    OpenVPN
    7 Posts 2 Posters 967 Views
    ccb056

      Attempting to set up pfSense as an OpenVPN client connected to the OpenVPN server on dia.whatbox.ca

      https://whatbox.ca/wiki/OpenVPN

      See below for the contents of pfSense's /var/etc/openvpn/client2/config.ovpn:

      dev ovpnc2
      verb 1
      dev-type tun
      dev-node /dev/tun2
      writepid /var/run/openvpn_client2.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp4
      auth SHA256
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local 47.210.156.168
      tls-client
      client
      lport 0
      management /var/etc/openvpn/client2/sock unix
      remote dia.whatbox.ca 1194 udp4
      auth-user-pass /var/etc/openvpn/client2/up
      auth-retry nointeract
      capath /var/etc/openvpn/client2/ca
      tls-auth /var/etc/openvpn/client2/tls-auth 1
      ncp-disable
      cipher AES-256-CBC
      allow-compression no
      resolv-retry infinite
      pull-filter ignore 'route '
      pull-filter ignore redirect-gateway
      

      pfSense can connect and ping 10.8.0.1; however, machines on the pfSense LAN side cannot ping 10.8.0.1.


      Any ideas?

        viragomann @ccb056

        @ccb056
        Presumably the other site has no route to your LAN network.

          ccb056 @viragomann

          @viragomann

          How could I fix that? It looks like the other site can at least ping me:


            viragomann @ccb056

            @ccb056
            You need to add a route line for your LAN to the remote VPN config, e.g. if your LAN is 10.20.10.0/24:

            route 10.20.10.0 255.255.255.0
            

            Also, if you need to access another subnet behind the remote VPN endpoint, you need to add it to the pfSense settings. This can be done by entering the network in the "Remote networks" box, e.g. 10.20.20.0/24.

              ccb056 @viragomann

              @viragomann

              What if I can't change the config file on the server?

                viragomann @ccb056

                @ccb056
                Masquerading is another possible solution.

                To set it up, if you're running multiple OpenVPN instances, assign an interface to the instance concerned before going on.

                Then go to Firewall > NAT > Outbound.
                By default, outbound NAT works in automatic mode. If so, switch to hybrid mode and hit Save.

                Then add a new rule like this:
                Interface: the one you've assigned to the VPN instance, or OpenVPN if you haven't assigned one
                Source: your LAN network, or any
                Destination: any
                Translation: interface address
                Save the settings.

                Now LAN devices should be able to access the remote site.

                  ccb056 @viragomann
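Why both of viragomann's fixes work comes down to the return path: the server's echo reply is routed by its source address, and a LAN source that the server has no route for goes out its default gateway instead of back through the tunnel. The following is an added illustration, not code from the thread or from pfSense; it models the server's routing table with longest-prefix matching and assumes constructed tunnel addresses (10.8.0.1 for the server, 10.8.0.2 for the pfSense client) and the 10.20.10.0/24 LAN used as an example above.

```python
import ipaddress

# Constructed addresses for illustration (not taken from the thread):
# the OpenVPN server's tunnel address and the pfSense client's tunnel address.
TUN_SERVER = "10.8.0.1"
TUN_CLIENT = "10.8.0.2"
LAN = "10.20.10.0/24"  # the LAN example used in the thread


def lookup(routes, dst):
    """Longest-prefix match: return the interface the server would send to."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def reply_interface(routes, lan_host, masquerade=False):
    """Source address of the ping as the server sees it, and where the reply goes.

    With outbound NAT on the OpenVPN interface the server sees the pfSense
    tunnel address instead of the LAN host, so the reply matches the tunnel route.
    """
    src = TUN_CLIENT if masquerade else lan_host
    return src, lookup(routes, src)


# Server routing table as it stands in the thread: the tunnel subnet plus a default.
BASE_ROUTES = [("0.0.0.0/0", "eth0"), ("10.8.0.0/24", "tun0")]
# After the server-side fix: `route 10.20.10.0 255.255.255.0` adds a route via the tunnel.
FIXED_ROUTES = BASE_ROUTES + [(LAN, "tun0")]

if __name__ == "__main__":
    cases = [
        ("no route, no NAT", BASE_ROUTES, False),
        ("route added on server", FIXED_ROUTES, False),
        ("outbound NAT on pfSense", BASE_ROUTES, True),
    ]
    for label, routes, masq in cases:
        src, via = reply_interface(routes, "10.20.10.5", masquerade=masq)
        print(f"{label:26s} src={src:12s} reply via {via}")
```

A reply leaving via eth0 never reaches the LAN host, which is the failure the thread describes; the route and NAT fixes each make the reply go back out tun0.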

                  Perfect! That worked - thank you :)

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.