<![CDATA[Can't Get The Gateway up for a Site-To-Site OpenVPN Connection.]]>Hi,

Perhaps someone can spot my error, I've removed my RAS and Client from two pfSense connections and am trying to replace the connection with a Site-to-Site connection, using the same subnets. My target looks like this:

Site2Site.drawio.png

My goal is to connect the two sites over the two vlans. My CA structure is in place and working.

I’ve basically followed the pfsense setup for 2 sites

https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html

I’ve setup my CA and certs, I believe it works as it should.

My vpn server setup looks like this:

001.png

My Create Client-Specific Overrides look like this:

002.png

My WAN rule looks like this:

003.png

I’ve created an interface:

004.png

My firewall rules for the interface look like this, in the alias all subnets I use are included:

005.png

My outbound NAT rule:

007.png

At this stage on the Server side I believe that gateway should be up, before even looking at the client but still not up.

Can’t quite tell if the route is setup correctly:
006.png

I have setup the client side also and it appears that there is a connection of sorts:

008.png

Any clues on what I’ve messed up I just can’t see it …

]]>https://forum.netgate.com/topic/173032/can-t-get-the-gateway-up-for-a-site-to-site-openvpn-connectionRSS for NodeTue, 19 May 2026 12:22:54 GMTMon, 27 Jun 2022 10:19:40 GMT60<![CDATA[Reply to Can't Get The Gateway up for a Site-To-Site OpenVPN Connection. on Mon, 27 Jun 2022 12:48:59 GMT]]>@viragomann actually I use an alias with my various subnets, including the tunnel subnets, so I believe it is covered. I also use an interface for my OpenVPN servers and don't use the "general" OpenVPN tab as such. That way I have some idea what is going on by doing things manually.

I need to do a bit more digging into this.

]]>https://forum.netgate.com/post/1048305https://forum.netgate.com/post/1048305Mon, 27 Jun 2022 12:48:59 GMT<![CDATA[Reply to Can't Get The Gateway up for a Site-To-Site OpenVPN Connection. on Mon, 27 Jun 2022 12:39:31 GMT]]>@neogrid
Checked you screens again. The only one failure I can find is the source network in the firewall rule on PEMSITE_A. The pass rules only allows access for the tunnel network, but not the clients LAN.

However, this is also applied now when using a /30 tunnel.
But maybe there are rules on the OpenVPN tab allowing access to any source.

Remember that the OpenVPN tab is an interface group which includes all OpenVPN instances you're running on this node. Rule on interface groups have priority over ones on the interface tab. So if there is a rule for allowing any to any (default after running the OpenVPN server setup wizard), rules on the interface tabs are ignored.

]]>https://forum.netgate.com/post/1048301https://forum.netgate.com/post/1048301Mon, 27 Jun 2022 12:39:31 GMT<![CDATA[Reply to Can't Get The Gateway up for a Site-To-Site OpenVPN Connection. on Mon, 27 Jun 2022 12:24:43 GMT]]>@viragomann ok thanks very much for the help. I must have made a config error, though I'm sure I triple checked everything. I'll look into the CSO a bit more. Thanks for helping out.

]]>https://forum.netgate.com/post/1048295https://forum.netgate.com/post/1048295Mon, 27 Jun 2022 12:24:43 GMT<![CDATA[Reply to Can't Get The Gateway up for a Site-To-Site OpenVPN Connection. on Mon, 27 Jun 2022 12:18:47 GMT]]>@neogrid
As mentioned, when you use a larger tunnel network, you need a CSO and the configuration gets more complicated.

The CSO is especially needed at server site to route the clients site LAN properly.
If that doesn't work check in the OpenVPN log if the CSO is applied. There are often issues due to wrong common names stated in the CSO or whatever.

]]>https://forum.netgate.com/post/1048292https://forum.netgate.com/post/1048292Mon, 27 Jun 2022 12:18:47 GMT<![CDATA[Reply to Can't Get The Gateway up for a Site-To-Site OpenVPN Connection. on Mon, 27 Jun 2022 11:48:42 GMT]]>@viragomann What witchcraft is this ??

Clearly I don't understand something, though I know not what.

Why when I change my tunnel IP from 192.168.140.0/24 to 10.128.240.0/30 (disabling the CSO) does it now work ?

I thought the main principle was that there should be no overlapping IP ranges (I had tried a different /24 subnet I had never used and it did not work either).

]]>https://forum.netgate.com/post/1048284https://forum.netgate.com/post/1048284Mon, 27 Jun 2022 11:48:42 GMT<![CDATA[Reply to Can't Get The Gateway up for a Site-To-Site OpenVPN Connection. on Mon, 27 Jun 2022 10:56:20 GMT]]>@neogrid
So instead of CSO enter the server sides LAN into the "Remote Networks" box in the client settings.

]]>https://forum.netgate.com/post/1048271https://forum.netgate.com/post/1048271Mon, 27 Jun 2022 10:56:20 GMT<![CDATA[Reply to Can't Get The Gateway up for a Site-To-Site OpenVPN Connection. on Mon, 27 Jun 2022 10:51:01 GMT]]>@viragomann It's a single pfSense box. Let me try it.

]]>https://forum.netgate.com/post/1048270https://forum.netgate.com/post/1048270Mon, 27 Jun 2022 10:51:01 GMT<![CDATA[Reply to Can't Get The Gateway up for a Site-To-Site OpenVPN Connection. on Mon, 27 Jun 2022 10:48:23 GMT]]>@neogrid
The question is how many OpenVPN clients are connecting to the server. The devices behind the client don't matter at all.

If you have only one OpenVPN client use a /30 tunnel and remove the CSO.
If you have multiple clients you need a CSO for each.

]]>https://forum.netgate.com/post/1048268https://forum.netgate.com/post/1048268Mon, 27 Jun 2022 10:48:23 GMT<![CDATA[Reply to Can't Get The Gateway up for a Site-To-Site OpenVPN Connection. on Mon, 27 Jun 2022 10:44:46 GMT]]>@viragomann hi

On the client side there will be multiple machines but I won't run out IP addresses.

However, I thought this configuration / approach should work.

Is the error the CSO ? It looked ok to me.

]]>https://forum.netgate.com/post/1048267https://forum.netgate.com/post/1048267Mon, 27 Jun 2022 10:44:46 GMT<![CDATA[Reply to Can't Get The Gateway up for a Site-To-Site OpenVPN Connection. on Mon, 27 Jun 2022 10:34:41 GMT]]>@neogrid
Is there only a single client connecting to the server or multiple?
If it's only one you should rather use a /30 tunnel network for a site-to-site VPN. So there is no need to configure a CSO.

]]>https://forum.netgate.com/post/1048265https://forum.netgate.com/post/1048265Mon, 27 Jun 2022 10:34:41 GMT