Cannot ping remote gateway from LAN side
-
Attempting to set up pfSense as an OpenVPN client connected to the OpenVPN server on dia.whatbox.ca
https://whatbox.ca/wiki/OpenVPN
See below for the contents of pfSense's /var/etc/openvpn/client2/config.ovpn:

dev ovpnc2
verb 1
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 47.210.156.168
tls-client
client
lport 0
management /var/etc/openvpn/client2/sock unix
remote dia.whatbox.ca 1194 udp4
auth-user-pass /var/etc/openvpn/client2/up
auth-retry nointeract
capath /var/etc/openvpn/client2/ca
tls-auth /var/etc/openvpn/client2/tls-auth 1
ncp-disable
cipher AES-256-CBC
allow-compression no
resolv-retry infinite
pull-filter ignore 'route '
pull-filter ignore redirect-gateway
pfSense can connect and ping 10.8.0.1; however, machines on the pfSense LAN side cannot ping 10.8.0.1.
Any ideas?
-
@ccb056
Presumably the other site has no route to your LAN network.
How could I fix that? It looks like the other site can at least ping me:
-
@ccb056
You need to add a route line for your LAN to the remote VPN config, e.g. if your LAN is 10.20.10.0/24:

route 10.20.10.0 255.255.255.0
Also if you need to access another subnet behind the remote vpn endpoint you need to add it to the pfSense settings. This can be done by entering the network in the "Remote networks" box, e.g. 10.20.20.0/24.
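The standard way to express the reply above on an OpenVPN server is a kernel route plus a per-client iroute, so the server both forwards the LAN prefix into the tunnel and knows which connected client owns it. This is an added example with assumed file names and the 10.20.10.0/24 LAN from the reply; it is not whatbox's actual configuration:

```openvpn
# server.conf  (added example, not the provider's real config)
# Kernel route: send packets for the pfSense LAN into the tun interface.
route 10.20.10.0 255.255.255.0
# Per-client configuration directory (assumed path).
client-config-dir /etc/openvpn/ccd

# /etc/openvpn/ccd/<client-common-name>  (assumed; the file is named after the
# client's certificate CN, or the username when username-as-common-name is set)
# Internal OpenVPN route: tells the server THIS client is the gateway for the LAN.
iroute 10.20.10.0 255.255.255.0
```

Note that the posted client config contains `pull-filter ignore 'route '`, so any routes the server pushes are discarded on the pfSense side; subnets behind the remote endpoint therefore have to be entered in the "Remote networks" box as described, which produces the equivalent of `route 10.20.20.0 255.255.255.0` in the client config.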
-
What if I can't change the config file on the server?
-
@ccb056
Masquerading is another possible solution. To set it up, if you're running multiple OpenVPN instances, assign an interface to the concerned one before going on.
Then go to Firewall > NAT > Outbound.
By default the outbound NAT works in automatic mode. If so, switch to hybrid mode and hit save. Then add a new rule like this:
interface: that one you've assigned to the vpn instance or OpenVPN if not
source: your LAN network or any
destination: any
translation: interface address
save settings. Now LAN devices should be able to access the remote site.
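The rule those GUI steps generate, written out as the equivalent pf rule; this is an added example rather than pfSense's own generated ruleset, and it assumes the client interface ovpnc2 from the posted config and the 10.20.10.0/24 LAN from the earlier reply:

```pf
# Added example: pf equivalent of the hybrid-mode outbound NAT rule above.
# Assumes interface ovpnc2 (from the posted config) and LAN 10.20.10.0/24.
# Rewrite the source of LAN traffic leaving the tunnel to the tunnel's own
# address, so the remote side sees a 10.8.0.x source and needs no route back.
nat on ovpnc2 from 10.20.10.0/24 to any -> (ovpnc2)
```

You can confirm the rule is loaded from Diagnostics > Command Prompt with `pfctl -s nat`. Restricting the source to the LAN rather than "any" keeps the rule from also masquerading traffic forwarded from other interfaces; and since every LAN host now appears to the remote side as the single tunnel address, per-host logging or filtering at the remote end is no longer possible, which is the trade-off of this approach compared with a proper route.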
-
Perfect! That worked - thank you :)