Openvpn TLS Site to Site one way ping
-
@xman111
you need a route to the end network on both sides -
hey guys, thanks for the replies..
here is some more detail..
Site A (server)
pfsense 23.05.1
local network : 192.168.10.0/24
road warrior: 192.168.80.0/24
site to site: 192.168.90.0/24
Site B (Client)
pfsense 2.6.0
local network : 192.168.1.0/24
road warrior: 192.168.100.0/24
I can ping from computer to computer on each side. The problem seems to be when I VPN into site B, I cannot get to site A. Here are a couple of pics..
Server A routes:
Server B routes:
and something weird i noticed in the firewall logs while i was connected to my phone to Site B and pinging Site A:
-
@xman111
So I assume that you have created a CSO on the server for the site-to-site client?
However, there's a route to the site B road warrior missing on the server. You have to add the tunnel network to the "Remote Networks" in the CSO and a second time to the "Remote Networks" in the server settings.
Also you need to add the site B LAN network to the "Local Networks" on the road warrior server at A, if you didn't do this already.
and something weird i noticed in the firewall logs while i was connected to my phone to Site B and pinging Site A:
This seems to be an out-of-state packet. Obviously you accessed the webGUI at A before. Maybe the connection simply timed out.
-
thanks man, will check and post a few more screen shots, really appreciate this, been working on it for the last few weeks.
-
@viragomann said in Openvpn TLS Site to Site one way ping:
You have to add the tunnel network to the "Remote Networks" in the CSO
Bingo, that was it. I didn't see that anywhere in the docs when I was creating the VPN. As soon as I put that in and restarted the peer-peer network, all was fixed. Thanks so much for that.
You helped me on another post about blocking ads on the road warrior setup with pfBlockerNG. You said "It depends on your VPN how to configure this. In case of OpenVPN check "redirect gateway" in the server settings."
Would this break anything you just fixed? My wife likes to connect to our VPN so she can look at the security cameras and likes not having ads on her phone, like when she is connecting to our wifi. When you say redirect gateway, is that just in the OpenVPN Road Warrior server?
-
@xman111
"Redirect gateway" just directs the whole upstream (internet) traffic from the client over the VPN. So you can filter the traffic on the firewall. This doesn't interfere with the route to the site-to-site remote site in any way.
Just the traffic destined to the remote site is routed additionally over the s2s.
Entering the road warrior tunnel network into the VPN settings on the remote site is just necessary to add a route back for the road warrior clients.
-
And this is done on the road warrior server on pfSense, nothing on the Android client has to change or be exported again? You are a real asset to this community, I was ready to just give up.
-
@xman111
No, the access server pushes all needed routes to the client, when establishing the connection.
If you enter certain subnets in the "Local network" the server pushes these to be routed over the VPN, if you check "redirect gateway" the server pushes the default route to the client.
-
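The GUI fields discussed in this thread ("Remote Networks" in the server settings, "Remote Networks" in the CSO, "Local Networks", "Redirect Gateway") map onto plain OpenVPN directives, and seeing them side by side shows why both "Remote Networks" entries are needed. The fragment below is an added example for readers of the thread, not configuration posted by either participant or generated by pfSense verbatim; it uses the subnets given above, assumes the site-to-site client's certificate common name is `siteB`, and uses an illustrative CSO directory path. The `push "route 192.168.80.0 ..."` line goes one step beyond the thread: it is the same rule applied in the other direction, so site A road warriors can reach site B.

```conf
# Added example, not from the thread. Subnets are the ones posted above;
# the CN "siteB" and the client-config-dir path are assumptions.

### Site A: site-to-site server (tunnel 192.168.90.0/24)
server 192.168.90.0 255.255.255.0
client-config-dir /var/etc/openvpn/server1/csc    # illustrative path, check your pfSense version
# "Remote Networks" in the server settings -> kernel routes that send
# packets for these subnets into the tunnel interface
route 192.168.1.0 255.255.255.0          # site B LAN
route 192.168.100.0 255.255.255.0        # site B road-warrior tunnel (the route that was missing)
# "Local Networks" -> pushed to site B so it has a route back
push "route 192.168.10.0 255.255.255.0"  # site A LAN
push "route 192.168.80.0 255.255.255.0"  # site A road-warrior tunnel (reverse-direction case)

### Site A: client-specific override for the site-to-site client
### (file named after the client's CN inside client-config-dir, e.g. .../csc/siteB)
# "Remote Networks" in the CSO -> iroute, telling the OpenVPN process
# which connected client owns these subnets
iroute 192.168.1.0 255.255.255.0
iroute 192.168.100.0 255.255.255.0

### Site A: road-warrior server (tunnel 192.168.80.0/24)
server 192.168.80.0 255.255.255.0
# "Local Networks" -> routes pushed to the phone at connect time;
# nothing in the exported client profile changes
push "route 192.168.10.0 255.255.255.0"  # site A LAN
push "route 192.168.1.0 255.255.255.0"   # site B LAN, reached via the site-to-site tunnel
# "Redirect Gateway" (optional, the ad-filtering case): default route via the VPN
push "redirect-gateway def1"
```

The two "Remote Networks" entries are not redundant: `route` gets a packet from the kernel into the tunnel interface, but the OpenVPN server then has to decide which connected client should receive it, and without a matching `iroute` it treats the source subnet as unknown and drops the packet, which is exactly the one-way ping symptom in the original post. `push` lines only affect what the client learns at connect time, so adding or removing them never requires re-exporting the client profile.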
thanks, will give that a shot.. you're the man!
-
worked perfectly, thanks so much..
just noticed a warning about link-mtu is used inconsistently, local=link-mtu1537, remote=link-mtu1534. Just searching it up now..
thanks again for sorting this!