Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Site-to-Site OpenVPN on 2.7.0 - Client LAN can reach server LAN but server LAN cannot reach client LAN

    Scheduled Pinned Locked Moved
    OpenVPN
    2
    2
    301
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      andox
      last edited by

      I believe I'm experiencing the same issue after upgrading my site-to-site OpenVPN setup (2.6.0 to 2.7.0). Since the upgrade, my pfsense server is unable to establish a connection with the pfsense client network. However, the pfsense client can successfully reach (ping) computers on the server network. I've checked the routes, and they appear to be correct.

      1 Reply Last reply Reply Quote 2
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        I forked this off into a new thread so it would all be together since it's likely a different issue than the post it was on before.

        If you are still having this problem on 2.7.0, please read through the following:

        Most likely there is a configuration problem that has always been wrong but some change on the backend changed and now your previously "working" settings which happened to be incorrect in some way stopped working.

        A few common things we have seen are:

        • SSL/TLS setups where people had filled in a tunnel network on the client when they should not
        • SSL/TLS setups with a /24 tunnel network where the Client-Specific Overrides were not setup correctly breaking LAN-to-LAN routing
        • Static Key configurations using the wrong subnet size for the tunnel network (e.g. /24 when it should have been /30)
        • Not explicitly setting the same topology on both sides
        • Some other routing conflict preventing the correct entries from being in the tables
        • A configuration that worked by chance before that was never correct (e.g. routes in System > Routing instead of in OpenVPN natively)
        • Policy routing rules overriding the VPN and sending the client traffic in some unexpected path
        • Missing or incorrectly configured default gateway (e.g. set to auto when it should be set to a WAN or WAN failover group)

        Compare your setup against the reference here: https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html

        There are a lot of troubleshooting suggestions for that sort of stuff at https://docs.netgate.com/pfsense/en/latest/troubleshooting/connectivity.html

        But to boil that down a bit, you should check:

        • Look at the OS routing table on both sides, make sure there are entries for the default route and opposite side LAN(s) and that those routes are pointing to the correct OpenVPN interface(s).
        • When you ping from the firewall make sure to ping from both the OpenVPN interface itself (default source) and again using the LAN interface as a source. That tests routing between the LANs in both directions, not just to/from the OpenVPN interface directly, which is a much different test.
        • When pinging from a client on the LAN, look at its states under Diagnostics > States on both firewalls, there should be two entries on each, one as it enters the firewall and one as it exits the firewall. If something like outbound NAT is catching it, the NAT would show in these states. If the traffic is taking the wrong path, that would also show (e.g. it should go in LAN, out VPN, in VPN, out LAN).
        • If the packets are exiting a WAN unexpectedly it may be from those clients hitting a policy routing firewall rule, so you might need to add a rule above whatever rule it's hitting to pass VPN traffic without a gateway set.

        That should give you a better idea of what's going on and what needs fixed.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 2
        • First post
          Last post