Netgate Discussion Forum
    Sometimes not reaching enabled networks through OpenVPN.

    OpenVPN
    8 Posts 2 Posters 871 Views
    • Urbaman75

      Hi,

      I have a two-pfsense HA stack, with OpenVPN service enabled and (almost) functioning.

      I enabled some networks on the OpenVPN server (10.0.10.x, 10.0.50.x, 10.0.100.x), with the VPN network being 10.0.2.x

      Now, when I use the client to connect (and I do connect), sometimes I can only reach the pfsense machines on 10.0.10.x vlan (10.0.10.1, 10.0.10.2), and can't reach any other IP/machine on the enabled networks.

      How can I properly debug/fix it? Could it be a server/client version mismatch or something?

      • Urbaman75 @Urbaman75

        Hopefully solved, probably a bad BlockerNG setting, let's see.

        • Urbaman75 @Urbaman75

          Ok, the problem is persisting. I'll try to understand whether the problem is on the client, on the server or elsewhere.

          Does anyone who has/had the problem have a hint?

          • Urbaman75 @Urbaman75

            Ok,

            Just reporting some more insight:
            When I first start the OpenVPN client on my laptop (windows), it properly works with all of the networks/vlans reachable.
            If I close the connection and then reopen it, the reachability is lost.

            While it's not working on the laptop, it's also not working on the smartphone, so it seems to be something with the server settings.

            Is there a way to easily post the settings here for someone to help me check them?

            • viragomann @Urbaman75

              @urbaman75
              In your first post you said you can access the pfSense on the server side by its local interface IPs, but you cannot access other devices at the remote site.
              So this lets me assume that the client is working properly.

              What does Status > OpenVPN show regarding this server in case of the failure?

              If you run a packet capture on the server on the local interface and on the OpenVPN interface, do you see the packets from the client? Do you see responses from local devices?

              • Urbaman75 @viragomann

                @viragomann thank you for your time.
                The server status is ok, and I do not see any strange traffic drops on the firewall side (I have not gone down to traffic sniffing yet).

                Meanwhile, I revised the server settings, enabling the push of dns servers (setting pfsense networks/vlans IPs as dns servers) to the clients, and forcing dns flush for windows.
                Now it seems to be much more stable in establishing (a) working route(s) on the client side, reaching everything it should reach on the remote site.
                Let's see if it's stable connecting from different clients.

                Thing is, having two pfSense machines in HA, the DNS servers pushed are now pointing only to the first (master) machine's IPs, so I need a way to set them dynamically using the slave machine's IPs. Probably pointing the second DNS server to the slave machine could just solve this.

                • viragomann @Urbaman75

                  @urbaman75
                  So your issue was name resolution related?

                  You can provide any shared IP as DNS: either a CARP VIP, an IP alias that is hooked onto a CARP VIP, or simply the OpenVPN server IP (the first one within the tunnel network).

                  • Urbaman75 @viragomann
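                  The server-side settings discussed in this thread, written out as the equivalent OpenVPN server directives (an added illustration, not a config posted in the thread or generated by pfSense; the CARP VIP 10.0.10.3 is a constructed placeholder, and the `register-dns` push is my assumption of what pfSense's Windows DNS cache flush option sends):

```conf
# Tunnel network from the thread: clients get 10.0.2.x and the
# server itself takes the first address, 10.0.2.1.
server 10.0.2.0 255.255.255.0
topology subnet

# The "local networks" enabled on the server. Each becomes a pushed
# route; a client missing one of these can still reach the tunnel
# endpoint and the firewall's interface IPs, but nothing behind them.
push "route 10.0.10.0 255.255.255.0"
push "route 10.0.50.0 255.255.255.0"
push "route 10.0.100.0 255.255.255.0"

# DNS servers pushed to clients. Neither address is tied to one HA
# node: 10.0.2.1 belongs to whichever node currently runs the server,
# and 10.0.10.3 is a CARP VIP (constructed placeholder) that moves
# with the master. A physical interface IP such as 10.0.10.1 would
# stop answering after a failover.
push "dhcp-option DNS 10.0.2.1"
push "dhcp-option DNS 10.0.10.3"

# Windows-only: flush and re-register the client's DNS cache once
# the tunnel is up (assumed to be the directive behind pfSense's
# "Force DNS cache update" checkbox).
push "register-dns"
```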

                    Actually I do not know, I'm still analyzing; that's the setting I changed and it seems to be stable now, cross-client (Windows, Linux, Android, ...).
                    I also changed the DNS servers to both the VPN network x.x.x.1 and the VLANs' CARP IPs (the VLANs reachable through VPN), to be HA proficient.

                    I do not know why I need the DNS entries to reach other IPs in the remote networks (not hostnames, just IPs...).

                    Thank you very much!

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.