Is Site-to-Site OpenVPN tunnel symmetric?
-
Hi Everyone,
I have two sites A and B.
On site A, I have
- pfSense (A_PFSENSE). The LAN interface is 192.168.1.254/24 (A_LAN).
- Remote Access OpenVPN Server (A_RA_OVPNS). The tunnel is 172.16.1.0/24 (A_RA_TUNNEL).
- Site to Site OpenVPN Server (A_S2S_OVPNS). The tunnel is 172.16.0.0/30 (S2S_TUNNEL).
On site B, I have
- pfSense (B_PFSENSE). The LAN interface is 192.168.2.254/24 (B_LAN).
- Remote Access OpenVPN Server (B_RA_OVPNS). The tunnel is 172.16.2.0/24 (B_RA_TUNNEL).
- Site to Site OpenVPN Client (B_S2S_OVPNC). Of course, the tunnel is 172.16.0.0/30 (S2S_TUNNEL).
I configured all the necessary local and remote networks on both sites.
If I connect to the A_RA_OVPNS server, then I can ping both LAN interfaces of A_PFSENSE and B_PFSENSE. However, if I connect to the B_RA_OVPNS server, I can ping the B_LAN of B_PFSENSE but not the A_LAN of A_PFSENSE.
However, if I am at site A or B, I can ping both LANs of the firewalls.
What am I missing? Is there something that I need to configure on site A or site B?
Thank you very much.
--Sami
-
@sami-mkaddem said in Is Site-to-Site OpenVPN tunnel symmetric?:
If I connect to the A_RA_OVPNS server, then I can ping both LAN interfaces of A_PFSENSE and B_PFSENSE. However, if I connect to the B_RA_OVPNS server, I can ping the B_LAN of B_PFSENSE but not the A_LAN of A_PFSENSE.
Assuming you're connecting to both from the same location, this should be a matter of routes or firewall rules.
In the rules you might already have allowed any to any on every involved interface, so also check the routes. If the B_RA_OVPNS doesn't push the default route (redirect gateway), ensure that the site A LAN is added to its "Local Networks" to push the route to the client.
If this is already done, check the routing table on the client device to see whether the routes are properly added.
-
@viragomann I tried what you wrote but it didn't work. It could be that I missed something. Anyway, I'm going to create another site to site OpenVPN server on site B and make site A a client. Let's see what happens. Thank you for your help.
-
@viragomann I was able to solve the problem. I forgot to assign the P2P OpenVPN Server interface on the firewall of Site A. By the way, I didn't have to create firewall rules for both server and client interfaces. Thank you for the help.
-
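The route check suggested in the reply above, as an added example that is not code from this thread or from pfSense: a small Python simulation of longest-prefix routing over the thread's four networks, which tests a ping in both directions (forward route to the target and return route to the client). The routing tables are constructed assumptions, and the missing return route for B_RA_TUNNEL on A_PFSENSE is a constructed fault chosen because it reproduces exactly the one-way asymmetry described in the question.

```python
import ipaddress

# Constructed routing tables for the thread's topology (assumption: each
# OpenVPN "Local/Remote Networks" entry becomes a route). Hop "local" means
# the node itself owns the destination. The absent 172.16.2.0/24 entry on
# A_PFSENSE is a constructed fault: replies to B's RA clients have no route.
ROUTES = {
    "A_RA_CLIENT": [("192.168.1.0/24", "A_PFSENSE"), ("192.168.2.0/24", "A_PFSENSE")],
    "B_RA_CLIENT": [("192.168.2.0/24", "B_PFSENSE"), ("192.168.1.0/24", "B_PFSENSE")],
    "A_PFSENSE": [("192.168.1.0/24", "local"), ("172.16.1.0/24", "local"),
                  ("192.168.2.0/24", "B_PFSENSE")],
    "B_PFSENSE": [("192.168.2.0/24", "local"), ("172.16.2.0/24", "local"),
                  ("192.168.1.0/24", "A_PFSENSE"), ("172.16.1.0/24", "A_PFSENSE")],
}

def next_hop(node, dst):
    """Longest-prefix match on one node's table; None when nothing matches."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, hop in ROUTES.get(node, []):
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(src_node, dst):
    """Follow next hops until some node owns dst; returns (path, delivered)."""
    path, node = [src_node], src_node
    while len(path) < 8:                     # loop guard for misconfigured tables
        hop = next_hop(node, dst)
        if hop is None:
            return path, False               # black hole: no route on this node
        if hop == "local":
            return path, True
        path.append(hop)
        node = hop
    return path, False

def ping_works(client_node, client_ip, target_ip):
    """A ping needs a forward route to the target AND a return route to the client."""
    fwd_path, delivered = trace(client_node, target_ip)
    if not delivered:
        return False
    _, returned = trace(fwd_path[-1], client_ip)   # reply starts where the ping landed
    return returned

def add_route(node, prefix, hop):
    """Model adding a network to the OpenVPN Local/Remote Networks of a node."""
    ROUTES[node].append((prefix, hop))

if __name__ == "__main__":
    print(ping_works("A_RA_CLIENT", "172.16.1.2", "192.168.2.254"))   # True
    print(ping_works("B_RA_CLIENT", "172.16.2.2", "192.168.1.254"))   # False: no return route
    add_route("A_PFSENSE", "172.16.2.0/24", "B_PFSENSE")              # add B_RA_TUNNEL on A
    print(ping_works("B_RA_CLIENT", "172.16.2.2", "192.168.1.254"))   # True
```

The simulation only models routes, not firewall rules; in the real setup a packet can still be dropped at a rule even when both directions have a route.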
@sami-mkaddem How do I mark this post as solved?