Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN Site-To-Site Connected but only works one way

    Scheduled Pinned Locked Moved OpenVPN
    4 Posts 2 Posters 1.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      Nemo6262
      last edited by

      I am currently having some trouble getting a full site-to-site VPN working using OpenVPN. I am running the most recent version of PFsense on both machines (Both are Netgate devices). Site A is the OpenVPN server and has a public IP while Site B is acting as the client. They are using a shared key currently. I have both sides setup with the OpenVPN allowing all traffic through the VPN. I can successfully ping and connect to all devices behind Site A's LAN from both LANs at Site A and Site B. However, I am unable to ping Site B's LAN from any of devices on Site A's LAN. I am able to ping Site B's default gateway address and access the webgui for Site B from Site A. Traceroute does not show either of the the firewalls when attempting to trace to a Site B address but works perfectly when tracing the other direction. Is there a configuration setting I am missing?

      TLDR: I can ping all of Site A from both sides of site-to-site VPN but can't seem to ping anything except gateway for Site B from Site A. Using Shared Key for OpenVPN Site-To-Site connection

      /------------Configuration---------------------/
      Both Firewalls:
      OpenVPN Tab
      Protocol: IPv4
      Source: *
      Port: *
      Destination: *
      Gateway: *

      OpenVPN Site A (Server):
      Server Mode: Shared Key
      Protocol: UDP4 on IPv4 only
      Device mode : tun
      IPv4 Tunnel: 172.16.0.0/24
      Ipv4 Remote Networks: 192.168.105.0/24

      OpenVPN Site B (Client):
      Server Mode: Shared Key
      Protocol: UDP4 on IPv4 only
      Device mode : tun
      IPv4 Tunnel: 172.16.0.0/24
      Ipv4 Remote Networks: 192.168.62.0/24

           WAN Static IP                           WAN with no static IP/Other LAN
          |                                             |
/----------------------/                     /-----------------------/
/      Site A          /-------OpenVPN ----- /        Site B         /
/    OpenVPN Server    /     172.16.0.0/24   /    OpenVPN Client     /
/   192.168.62.0/24    /                     /    192.168.105.0/24    /
/----------------------/                     /-----------------------/
          |                                             |
      Site A LAN                                   Site B LAN

      Ping/Traceroute results:
      Site A-> Site A - Good
      Site B -> Site A - Good
      Site B -> Site B - Good
      Site A -> Site B - Can ping 192.168.2.1 and access webgui, but not ping any other devices in Site B's LAN

      Site B -> Site A
      d9e59e8c-5dbd-47c0-9b79-1bb74572cade-image.png
      Site A-> Site B
      285d715f-c4f4-4d81-9331-2ecbc3d2454d-image.png
      Site A-> Site B gateway
      fd3ace8a-a846-493c-92fe-93f560432ece-image.png
      Ping Site A-> Site B Gateway
      7cb54f7e-0c16-49f8-bae2-7f16b4123040-image.png

      Any help would be appreciated. Thank you

      T 1 Reply Last reply Reply Quote 0
      • T
        ThatGuy @Nemo6262
        last edited by

        @nemo6262,

        Do you have any device like a printer you can try to ping via IP from Site A to Site B? If you only have Windows devices on the other end you are trying to ping the Windows Firewall sometimes blocks them because they are coming from a different subnet. I usually see this in Workgroup environments. You could try disabling the Firewall temporarily to test. This is why I suggest a printer. They usually don't block IPs from different subnets coming in.

        Also, on site B try putting in the following rule under the WAN interface. You may already have it in there.

        Action: Pass
        Interface: Wan
        Address Family: IPV4
        Protocol: UDP
        Source: any
        Destination: WAN address
        Destination Port Range: From: Whatever Port OpenVPN is using TO: Whatever Port OpenVPN is using

        Last thing to try is go to Interfaces-->Wan. Take the checkmarks out at the bottom for Block private networks and loopback addresses and Block bogon networks just to see what happens.

        ThatGuy

        N 1 Reply Last reply Reply Quote 1
        • N
          Nemo6262 @ThatGuy
          last edited by Nemo6262

          @thatguy Disabling the Windows firewall worked. That has been driving me crazy for a few months, thank you. You mentioned that you have seen Windows devices do this. Is there a setting or anything simple/special I need to do to avoid this problem with the default firewall still enabled?

          Edit: I forgot to mention that Windows Defender is already set to allow pings

          T 1 Reply Last reply Reply Quote 0
          • T
            ThatGuy @Nemo6262
            last edited by

            @nemo6262,

            I was looking for a client setup I have to tell you precisely what to do but I can't find one. This is probably because all of the clients I manage now are on Windows Domains and this is no longer an issue for me. But, I'll tell you where you need to go to setup the Windows Firewall Rule.

            1. Get to your Windows Defender Firewall. It's best to get to this through the Windows Control Panel.
            2. On the left click the link for Advanced Settings. From this screen you can create custom rules to allow for Inbound and Outbound Rules.
            3. If you right click on Inbound Rules or Outbound Rules you can click on New Rule... and a Wizard will come up to create a Rule. When you go through the wizard there will be a portion at the end where you can allow REMOTE subnets.

            Unfortunately you'll have to do this for every Windows 10 machine you want access to across the VPN.

            ThatGuy

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.