OpenVPN Site-to-Site unable to reach server side from localhost
-
Dear All,
Having set up an OpenVPN Site-to-Site connection between two sites along the documentation (https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html), I find everything to work as intended with one exception:
The router on the client side is unable to reach the server side. Connections from LAN to LAN work well in both directions. Just the router itself on the client side cannot reach the server side. Pinging from the router on the client side to the server side does work when selecting LAN as the interface. When selecting localhost (= default), nothing works. Setting the firewall rule for OpenVPN fully permissive on both sides does not change this.
The issue is that packages like HAProxy or ACME would benefit a lot from being able to access the LAN on the server side. I did use such configurations for a long time. Due to troubles upgrading from 2.6.0, I did move to IPSec – which also brings this issue. Moving back to OpenVPN, I cannot resolve it either.
Can someone please be so kind as to point me in the right direction?
Regards,
Michael Schefczyk
-
@michaelschefczyk
Add an outbound NAT rule to the VPN interface to translate any from 127.0.0.0/8 to the interface address.
Ensure that your outbound NAT is in hybrid mode. BTW: there is also a workaround known for IPSec to achieve access from pfSense itself.
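As an added example (not part of viragomann's reply or of pfSense itself), the script below checks whether the loaded pf ruleset actually contains the outbound NAT rule described above: one on the OpenVPN client interface that translates sources in 127.0.0.0/8 to the interface address. It parses text in the format of `pfctl -s nat`; the embedded sample ruleset is constructed, and the interface name `ovpnc1` and the addresses 10.8.0.2 and 203.0.113.10 are assumptions. On a real firewall you would pipe the live output in instead, e.g. `pfctl -s nat | check_loopback_nat ovpnc1`.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense.
# Checks a pf NAT ruleset (pfctl -s nat format) for an outbound NAT rule that
# translates loopback-sourced traffic on a given interface. Without such a rule
# traffic generated on the firewall itself (source 127.0.0.1) enters the VPN
# unmodified and the far side has no route back.

# Constructed sample mimicking `pfctl -s nat` on a pfSense box whose WAN is em0
# (203.0.113.10) and whose OpenVPN client interface is ovpnc1 (10.8.0.2).
# Interface names and addresses are assumptions for the example.
SAMPLE_NAT_RULES='no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on em0 inet from 127.0.0.0/8 to any port = isakmp -> 203.0.113.10 static-port
nat on em0 inet from 127.0.0.0/8 to any -> 203.0.113.10 port 1024:65535
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10 port 1024:65535
nat on ovpnc1 inet from 127.0.0.0/8 to any -> 10.8.0.2 port 1024:65535
rdr-anchor "relayd/*" all'

# check_loopback_nat IFACE
#   Reads pfctl -s nat text on stdin. Returns 0 if some rule on IFACE
#   translates sources in 127.0.0.0/8, 1 otherwise.
check_loopback_nat() {
    iface="$1"
    grep -E "^nat on ${iface} .*from 127\.0\.0\.0/8 " >/dev/null
}

# translation_target IFACE
#   Reads pfctl -s nat text on stdin and prints the translation address of the
#   first loopback NAT rule on IFACE (empty output if there is none).
translation_target() {
    iface="$1"
    grep -E "^nat on ${iface} .*from 127\.0\.0\.0/8 " | sed -E 's/.* -> ([^ ]+).*/\1/' | head -n 1
}

# Stand-alone run against the constructed sample.
vpn_if="ovpnc1"
if printf '%s\n' "$SAMPLE_NAT_RULES" | check_loopback_nat "$vpn_if"; then
    echo "OK: loopback NAT rule present on $vpn_if, translating to $(printf '%s\n' "$SAMPLE_NAT_RULES" | translation_target "$vpn_if")"
else
    echo "MISSING: no outbound NAT rule for 127.0.0.0/8 on $vpn_if (check hybrid mode and the rule's interface)"
fi
```

If the check reports the rule missing even though it is configured in the GUI, the usual cause is the one named in the reply: outbound NAT is in a mode where the rule is not being generated into the live ruleset.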
-
@viragomann Thank you very much!! I had the rule already, but my outbound NAT was in manual mode for some reason. Switching it to hybrid did work in combination with the rule.
Can you also point to the known IPSec workaround for localhost reaching out via site to site VPN? I would like to upgrade to 2.7.0 soon and as that seems to spell trouble to site to site VPN, having more options is better.
-
@michaelschefczyk
Best practice might be to use IPsec VTI, so you could apply the same method. For routed IPsec you will have to do the static route workaround as described here: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.html
-
@viragomann Again, thanks a lot! If those issues were at least mentioned in the documentation - which appears to be a cookbook - one would have to ask fewer questions.