OpenVPN is connected but I can't access anything on the client's subnet
-
Hi, I followed this to the letter. https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html
The VPN is connected; it shows on both sides of the connection.
However, when I try to connect to anything on the remote subnet, it gives a timeout error and will not connect. How do I see any logs, or why this is happening? -
@ariban99 said in OpenVPN is connected but I can't access anything on the client's subnet:
Hi, I followed this to the letter. https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html
So we can presume that the site-to-site is set up properly and the problem is on the destination device. Maybe its firewall is blocking the access, which is its default behavior.
Are both VPN endpoints the default gateways in their respective local network?
However, when I try to connect to anything on the remote subnet, it gives a timeout error and will not connect. How do I see any logs, or why this is happening?
On pfSense at the destination site go to Diagnostics > Packet Capture and sniff the traffic on the LAN interface, or whichever interface the destination device is connected to. Set the filter to ICMP (or whatever protocol you try to use to access it) and the destination IP, and start the capture.
Then try to access it from the remote site. If you don't see any packets, switch to the VPN interface and try again.
If you only see request packets but no responses from the destination, the above might be the case. -
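The check described in the post above, as an added example that is not code from the thread or from pfSense: it parses the tcpdump-style lines that Diagnostics > Packet Capture prints, reports flows that only ever travel in one direction (request but no reply), and applies the same decision tree to a capture from the OpenVPN interface and one from the LAN. The line format, the verdict names and the sample lines marked as constructed are this example's own assumptions; the first four sample lines are copied from the capture posted later in the thread.

```python
"""Find one-way flows in a pfSense Diagnostics > Packet Capture dump.

Added example, not code from the thread or from pfSense. It implements the
check described in the post: capture on the destination LAN (and, if needed,
on the OpenVPN interface) and look for requests that never get a reply. The
verdict names and the assumed line format (tcpdump -n, quiet output, as shown
in the thread) are this example's own assumptions.
"""
import re
from collections import defaultdict

# Line shapes this parser understands (first two as printed in the thread):
#   22:46:17.297733 IP 74.125.247.128.3478 > 192.168.10.51.53593: UDP, length 105
#   22:46:17.304317 IP 192.168.10.1.443 > 192.168.10.51.51689: tcp 1460
#   22:46:20.000001 IP 192.168.1.50 > 192.168.10.51: ICMP echo request, id 7, seq 1, length 64
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")


def parse_line(line):
    """Return (proto, src, dst) for one tcpdump line, or None if it does not match.

    For tcp/udp the endpoints still carry their port (host.port); ICMP has none.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    if rest.startswith("ICMP"):
        proto = "icmp"
    elif rest.lower().startswith("tcp"):
        proto = "tcp"
    elif rest.startswith("UDP"):
        proto = "udp"
    else:
        proto = "other"
    return proto, m["src"], m["dst"]


def host_of(proto, endpoint):
    """Strip the trailing .port that tcpdump appends to tcp/udp endpoints."""
    return endpoint.rsplit(".", 1)[0] if proto in ("tcp", "udp") else endpoint


def one_way_flows(lines):
    """Flows in which every packet travelled in one direction only.

    Returns a sorted list of (proto, src, dst, packet_count). A healthy flow
    shows both directions and is therefore left out.
    """
    table = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proto, src, dst = parsed
        table[(proto,) + tuple(sorted((src, dst)))][(src, dst)] += 1
    result = []
    for (proto, _a, _b), directions in table.items():
        if len(directions) == 1:
            (src, dst), count = next(iter(directions.items()))
            result.append((proto, src, dst, count))
    return sorted(result)


def diagnose(vpn_lines, lan_lines, src_ip, dst_ip):
    """Apply the post's decision tree to captures on the OpenVPN and LAN interfaces.

    Returns one of four verdict tags (names chosen for this example):
      dest_answers_reply_lost - reply seen on LAN, so it is lost on the way back
                                (rule, or no route/iroute for the source subnet)
      destination_silent      - request reached the LAN, nothing came back from the host
      dropped_on_pfsense      - request seen on the VPN interface but never on LAN
      never_entered_tunnel    - request not even seen on the VPN interface
    """
    def seen(lines, a, b):
        for parsed in map(parse_line, lines):
            if parsed and host_of(parsed[0], parsed[1]) == a and host_of(parsed[0], parsed[2]) == b:
                return True
        return False

    if seen(lan_lines, dst_ip, src_ip):
        return "dest_answers_reply_lost"
    if seen(lan_lines, src_ip, dst_ip):
        return "destination_silent"
    if seen(vpn_lines, src_ip, dst_ip):
        return "dropped_on_pfsense"
    return "never_entered_tunnel"


# Constructed sample: the first four lines are from the thread's own capture,
# the rest are made up to show a host that never answers the far site.
SAMPLE_LAN_CAPTURE = [
    "22:46:17.297733 IP 74.125.247.128.3478 > 192.168.10.51.53593: UDP, length 105",
    "22:46:17.297989 IP 192.168.10.51.53593 > 74.125.247.128.3478: UDP, length 592",
    "22:46:17.304317 IP 192.168.10.1.443 > 192.168.10.51.51689: tcp 1460",
    "22:46:17.305097 IP 192.168.10.51.51689 > 192.168.10.1.443: tcp 0",
    "22:46:20.000001 IP 192.168.1.50 > 192.168.10.51: ICMP echo request, id 7, seq 1, length 64",
    "22:46:21.000001 IP 192.168.1.50 > 192.168.10.51: ICMP echo request, id 7, seq 2, length 64",
    "22:46:22.000001 IP 192.168.1.50 > 192.168.10.51: ICMP echo request, id 7, seq 3, length 64",
    "22:46:23.000001 IP 192.168.1.50.50000 > 192.168.10.51.445: tcp 0",
    "22:46:24.000001 IP 192.168.1.50.50000 > 192.168.10.51.445: tcp 0",
    "not a tcpdump line",
]

if __name__ == "__main__":
    for flow in one_way_flows(SAMPLE_LAN_CAPTURE):
        print("one-way:", *flow)
    print(diagnose(SAMPLE_LAN_CAPTURE, SAMPLE_LAN_CAPTURE, "192.168.1.50", "192.168.10.51"))
```

Paste the capture text from the GUI into a list (or read it from the downloaded file) and call `diagnose()` with the source host at the far site and the destination host; a `destination_silent` verdict points at the host's own firewall, the other verdicts at pfSense or at the tunnel itself.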
@viragomann
Hi
Yes, the connection is there. And yes, the gateway for both is their own (one is 192.168.1.1 and one is 192.168.10.1); see these screenshots.
As for the packet capture, I think I did it correctly. See this log:
22:46:17.297733 IP 74.125.247.128.3478 > 192.168.10.51.53593: UDP, length 105
22:46:17.297989 IP 192.168.10.51.53593 > 74.125.247.128.3478: UDP, length 592
22:46:17.298028 IP 192.168.10.51.53593 > 74.125.247.128.3478: UDP, length 113
22:46:17.304317 IP 192.168.10.1.443 > 192.168.10.51.51689: tcp 1460
22:46:17.304343 IP 192.168.10.1.443 > 192.168.10.51.51689: tcp 1460
22:46:17.304354 IP 192.168.10.1.443 > 192.168.10.51.51689: tcp 1460
22:46:17.304364 IP 192.168.10.1.443 > 192.168.10.51.51689: tcp 1460
22:46:17.304373 IP 192.168.10.1.443 > 192.168.10.51.51689: tcp 1460
22:46:17.304382 IP 192.168.10.1.443 > 192.168.10.51.51689: tcp 1460
22:46:17.304392 IP 192.168.10.1.443 > 192.168.10.51.51689: tcp 1460
22:46:17.304400 IP 192.168.10.1.443 > 192.168.10.51.51689: tcp 1460
22:46:17.304429 IP 192.168.10.1.443 > 192.168.10.51.51689: tcp 408
22:46:17.305097 IP 192.168.10.51.51689 > 192.168.10.1.443: tcp 0
22:46:17.307128 IP 192.168.10.51.51689 > 192.168.10.1.443: tcp 35
22:46:17.307174 IP 192.168.10.1.443 > 192.168.10.51.51689: tcp 0
22:46:17.314090 IP 74.125.247.128.3478 > 192.168.10.51.53593: UDP, length 89
22:46:17.314968 IP 192.168.10.51.53593 > 74.125.247.128.3478: UDP, length 61
22:46:17.330917 IP 74.125.247.128.3478 > 192.168.10.51.53593: UDP, length 105
22:46:17.338072 IP 74.125.247.128.3478 > 192.168.10.51.53593: UDP, length 42
22:46:17.339118 IP 192.168.10.51.53593 > 74.125.247.128.3478: UDP, length 591
22:46:17.339131 IP 192.168.10.51.53593 > 74.125.247.128.3478: UDP, length 129
22:46:17.347328 IP 74.125.247.128.3478 > 192.168.10.51.53593: UDP, length 89
22:46:17.364402 IP 74.125.247.128.3478 > 192.168.10.51.53593: UDP, length 89
22:46:17.365020 IP 192.168.10.51.53593 > 74.125.247.128.3478: UDP, length 61
22:46:17.368832 IP 74.125.247.128.3478 > 192.168.10.51.53593: UDP, length 94
22:46:17.378075 IP 192.168.10.51.53593 > 74.125.247.128.3478: UDP, length 1221
22:46:17.378088 IP 192.168.10.51.53593 > 74.125.247.128.3478: UDP, length 1221
22:46:17.378214 IP 192.168.10.51.53593 > 74.125.247.128.3478: UDP, length 1221
22:46:17.378225 IP 192.168.10.51.53593 > 74.125.247.128.3478: UDP, length 693 -
@ariban99 If it's just a site-to-site, change the tunnel address to a /30 or /31.
-
@viragomann I see my mistake. The tunnel was /24; when I changed it to /30 it works!
-
@ariban99
You were missing the client's tunnel IP in the CSO. Note that a tunnel network of /30 or less is not compatible with DCO (only supported on Plus at this time, but I cannot see which version you're using).
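Why the /30 fix works and what the missing CSO entry was, as an added example that is not pfSense code or anything posted in the thread. The function reproduces only the routing-relevant OpenVPN server directives for the two cases discussed (a /30 or /31 tunnel versus a larger one with a Client Specific Override). The mapping of GUI fields to directives (Tunnel Network to `ifconfig`/`server`, Remote Networks to `route`, CSO Tunnel Network to `ifconfig-push`, CSO Remote Networks to `iroute`), the use of topology subnet, and the example addresses are this example's assumptions; the directive names are real OpenVPN options.

```python
"""What the tunnel-network size changes on the OpenVPN server side.

Added example, not pfSense code. pfSense generates the real server config from
its GUI fields; this function reproduces only the routing-relevant directives so
the difference between a /30 tunnel and a larger one is visible. The field-to-
directive mapping and topology subnet are assumptions of this example.
"""
import ipaddress


def s2s_server_directives(tunnel_cidr, remote_lan, cso=None):
    """Return (directives, findings) for a site-to-site OpenVPN server.

    tunnel_cidr: server Tunnel Network, e.g. "10.0.8.0/30" or "10.0.8.0/24"
    remote_lan:  the client's LAN that the server must route into the tunnel
    cso:         Client Specific Override as a dict with optional keys
                 "tunnel_ip" and "remote_network"; None when no CSO exists
    """
    net = ipaddress.ip_network(tunnel_cidr, strict=True)
    remote = ipaddress.ip_network(remote_lan, strict=True)
    directives, findings = [], []

    if net.prefixlen in (30, 31):
        # One peer only: point-to-point mode. The remote LAN can only be behind
        # the single far end, so a plain kernel route into the tun is enough.
        # A /30 uses its two middle addresses, a /31 both of its addresses.
        server_ip, client_ip = list(net)[1:3] if net.prefixlen == 30 else list(net)[:2]
        directives.append(f"ifconfig {server_ip} {client_ip}")
        directives.append(f"route {remote.network_address} {remote.netmask}")
        # As noted in the thread, a tunnel this small is not usable with DCO on pfSense Plus.
        return directives, findings
    if net.prefixlen > 31:
        raise ValueError("tunnel network needs at least two addresses")

    # Larger tunnel: server mode with an address pool, so there may be many
    # clients. The kernel route sends replies into the tun device, but OpenVPN
    # itself must be told WHICH client owns the remote LAN (iroute) and, to keep
    # that stable, which tunnel address that client gets (ifconfig-push).
    # Both come from the CSO; without them packets from the remote LAN are
    # dropped as a bad source address and replies cannot be routed back.
    directives.append(f"server {net.network_address} {net.netmask}")
    directives.append(f"route {remote.network_address} {remote.netmask}")
    cso = cso or {}
    if "tunnel_ip" in cso:
        directives.append(f"ifconfig-push {cso['tunnel_ip']} {net.netmask}")
    else:
        findings.append("CSO has no tunnel IP: the client's tunnel address comes from the pool")
    if "remote_network" in cso:
        iroute = ipaddress.ip_network(cso["remote_network"], strict=True)
        directives.append(f"iroute {iroute.network_address} {iroute.netmask}")
        if iroute != remote:
            findings.append(f"CSO remote network {iroute} differs from server remote network {remote}")
    else:
        findings.append(f"no iroute for {remote}: OpenVPN cannot tie the remote LAN to this client")
    return directives, findings


if __name__ == "__main__":
    # Constructed addresses: tunnel 10.0.8.0/x, far-site LAN 192.168.1.0/24.
    for args in (("10.0.8.0/30", "192.168.1.0/24"),
                 ("10.0.8.0/24", "192.168.1.0/24"),
                 ("10.0.8.0/24", "192.168.1.0/24",
                  {"tunnel_ip": "10.0.8.2", "remote_network": "192.168.1.0/24"})):
        directives, findings = s2s_server_directives(*args)
        print(args[0], directives, findings)
```

The /24 case without a CSO produces a valid-looking server config and a connected tunnel, which is exactly the symptom in this thread; only the findings list shows what is missing.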