pfSense as OpenVPN client cannot ping remote network hosts
-
Hi,
I'm trying my best to open a good tunnel between pfSense and a TP-Link Archer A7 router over an OpenVPN connection.
As the TP-Link router cannot act as an OpenVPN client, only as a server, my only option is to make my pfSense (v.2.7.2) an OpenVPN client.
Following the netgate docs and various other guides, I'm able to get the tunnel almost up and running:
* TP-Link router can ping any host behind pfSense
* pfSense itself can ping the TP-Link router and any host behind it only via the OpenVPN interface (virtual/unassigned interface via Diagnostics>Ping>Source address: OpenVPN client)
* pfSense cannot ping the TP-Link router or hosts behind it via the LAN interface
* Android phone on the pfSense LAN network or on the cell network, connected to the TP-Link router OpenVPN server (connected via its own OpenVPN client software, not using the pfSense OpenVPN tunnel), can ping the TP-Link router and any hosts behind it <--- this is what I'm trying to accomplish for my pfSense LAN hosts
* pfSense OpenVPN logs say:
pfsense "ERROR: FreeBSD route add command failed: external program exited with error status: 1 "
...but when I check the routes via Diagnostics>Routes I can see the good routes to both the remote network and the tunnel network.
Note that options "Don't pull routes" and "Don't add/remove routes" are not enabled in the OpenVPN client profile on pfSense.
Remote network address is properly configured under "IPv4 Remote network(s)" option in the OpenVPN client profile on pfSense.
LAN subnet and remote network subnet are not overlapping.
There is an any-any pass rule on the OpenVPN interface in the firewall, and the LAN interface also has such a rule to go all around.
Restarted the OpenVPN client service after every single change.
Pcaps show only my unsuccessful ICMP requests.
Traceroute on pfSense doesn't show anything either - * * *.
Restarted the pfSense VM a few times.
Tried to assign an interface for the pfSense OpenVPN client, enable it, assign a static route to the remote network, and also added a firewall pass any-any rule for the new OpenVPN interface in addition - didn't work either.
Right now those additional efforts are removed as they didn't work, relying purely on the built-in pfSense functionality to get the right routes and settings.
Is this some kind of a defect or am I really missing something?
Let me know if you have questions or need additional information.
Thank you for the help! :)
-
@speedycars said in pfSense as OpenVPN client cannot ping remote network hosts:
*Android phone on pfSense LAN network or cell network connected to TP-Link router OpenVPN server (connected via its own OpenVPN client software, not using the pfSense OpenVPN tunnel) can ping TP-Link router and any hosts behind it <--- this is what I'm trying to accomplish for my pfSense LAN hosts
pfSense is a router and you want to access devices behind it. So you have to tell the server, which subnets to route to pfSense to reach them.
This is done by a client file in OpenVPN (Client specific override on pfSense). Did you configure this on the server? -
@viragomann, thanks for your help! My ultimate target is to have LAN hosts behind pfSense be able to reach hosts behind the remote TP-Link router over the OpenVPN connection:
LAN1 -> pfSense -------OpenVPN connection over Internet -------- TP-Link Router -> LAN2
The same works with a direct LAN host (using my Android phone specifically) to OpenVPN server connection:
LAN1 host or host on an independent Internet network -------OpenVPN connection over Internet -------- TP-Link Router -> LAN2
Connection here is good, so the TP-Link router OpenVPN server should have the ability to set up the correct gateway on its side for such connectivity (options and logs on the TP-Link router are really poor, not able to set up a static route to go over its OpenVPN interface).
Going back to the ultimate target topic - what I suspect as most probable is a routing issue within pfSense between the LAN network and the OpenVPN client interface due to the "ERROR: FreeBSD route add command failed: external program exited with error status: 1 ", but I'm open to try things.
-
@speedycars that is just a site 2 site connection.. Without some details of what you have actually set up, it's impossible for anyone to help you figure out what you're missing or did wrong.
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html
-
@speedycars said in pfSense as OpenVPN client cannot ping remote network hosts:
Same works with direct LAN host (using my Android phone specifically) to OpenVPN server connection:
LAN1 host or host on an independent Internet network -------OpenVPN connection over Internet -------- TP-Link Router -> LAN2
As mentioned above, for routing networks behind the connected VPN client you need to tell the server how to route these networks.
My ultimate target is to have LAN hosts behind pfSense to be able to reach hosts behind remote TP-Link router over OpenVPN connection
If you only need this one direction, you can circumvent the routing issue with an outbound NAT rule.
Switch the outbound NAT into hybrid mode and add a rule on OpenVPN for the destination of the remote LAN.
Going back to the ultimate target topic - what I suspect as most probable is a routing issue within pfSense between LAN network and OpenVPN client interface due to the "ERROR: FreeBSD route add command failed: external program exited with error status: 1 ", but I'm open to try things.
Yes, there might be an issue. But you mentioned that the routes are added properly on the client.
You would have to provide some more information on this. Enhance the log level and post the log after reconnecting. -
@johnpoz, I understand.
Hope this helps:
interfaces.txt
openvpnclientconfigpfsense.txt
OpenVPN-Config exported from TP-Link ArcherA7.ovpn.txt
pfsenseopenvpnlogs.txt
Ping via automatically selected interface on pfSense:
PING 192.168.10.1 (192.168.10.1): 56 data bytes
64 bytes from 192.168.10.1: icmp_seq=0 ttl=64 time=7.786 ms
--- 192.168.10.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 7.786/7.786/7.786/0.000 ms
Ping via OpenVPN client unassigned interface on pfSense:
PING 192.168.10.1 (192.168.10.1) from 10.9.0.6: 56 data bytes
64 bytes from 192.168.10.1: icmp_seq=0 ttl=64 time=9.130 ms
--- 192.168.10.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 9.130/9.130/9.130/0.000 ms
Ping via LAN interface on pfSense:
PING 192.168.10.1 (192.168.10.1) from 192.168.0.2: 56 data bytes
--- 192.168.10.1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
-
This outbound NAT helped:
<nat>
<outbound>
<mode>hybrid</mode>
<rule>
<source>
<network>lan</network>
</source>
<sourceport></sourceport>
<descr></descr>
<target>wanip</target>
<target_subnet></target_subnet>
<interface>openvpn</interface>
<poolopts></poolopts>
<source_hash_key></source_hash_key>
<ipprotocol>inet</ipprotocol>
<destination>
<any></any>
</destination>
</rule>
</outbound>
</nat>
Now my LAN hosts behind pfSense can ping hosts behind the TP-Link router OpenVPN server.
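As an added example (not code from this thread, from pfSense or from OpenVPN), the following Python models the two approaches viragomann describes: the server-side route/iroute that a proper site-to-site needs, and the outbound NAT workaround whose XML was posted above. The addresses (LAN 192.168.0.0/24, tunnel 10.9.0.0/24 with pfSense at 10.9.0.6, remote LAN 192.168.10.0/24) are taken from the ping output in the thread; the mode names "hybrid"/"advanced" are assumed to be pfSense's stored values.

```python
import ipaddress
from xml.etree import ElementTree as ET

# Constructed to match the thread: pfSense LAN 192.168.0.0/24, tunnel 10.9.0.0/24
# (pfSense holds 10.9.0.6) and the LAN behind the TP-Link server 192.168.10.0/24.
PFSENSE_LAN = ipaddress.ip_network("192.168.0.0/24")
TUNNEL_NET = ipaddress.ip_network("10.9.0.0/24")
PFSENSE_TUNNEL_IP = ipaddress.ip_address("10.9.0.6")

# Trimmed copy of the <nat><outbound> fragment posted in the thread.
NAT_XML = """<nat><outbound><mode>hybrid</mode><rule>
<source><network>lan</network></source><target>wanip</target>
<interface>openvpn</interface><ipprotocol>inet</ipprotocol>
<destination><any></any></destination></rule></outbound></nat>"""


def lan_is_masqueraded_over_openvpn(xml_text):
    """True if the outbound NAT config rewrites LAN sources leaving via OpenVPN.
    Automatic mode only generates rules for WAN-type interfaces, so hybrid or
    manual mode (assumed to be stored as "advanced") plus an explicit rule on
    the openvpn interface is required, exactly as in the posted fix."""
    root = ET.fromstring(xml_text)
    if root.findtext("outbound/mode") not in ("hybrid", "advanced"):
        return False
    return any(rule.findtext("interface") == "openvpn"
               and rule.findtext("source/network") == "lan"
               and rule.findtext("target") == "wanip"
               for rule in root.iterfind("outbound/rule"))


def echo_reply_returns(src_ip, server_routes_pfsense_lan, nat_xml=None):
    """Model the return path of an ICMP echo. The request always reaches the
    remote LAN because pfSense has a route for it; the reply only comes back
    if the server can route the reply's destination into the tunnel."""
    src = ipaddress.ip_address(src_ip)
    if nat_xml and lan_is_masqueraded_over_openvpn(nat_xml) and src in PFSENSE_LAN:
        src = PFSENSE_TUNNEL_IP           # source rewritten by outbound NAT
    if src in TUNNEL_NET:
        return True                       # server always knows its own tunnel subnet
    if src in PFSENSE_LAN:
        return server_routes_pfsense_lan  # needs route + iroute (CCD) on the server
    return False                          # unknown source, the reply has no path
```

The three cases reproduce the thread: a ping sourced from 10.9.0.6 returns, one sourced from 192.168.0.2 is lost unless the server has a route for the pfSense LAN or the NAT rule rewrites the source.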
-
@speedycars not the way to do it correctly - but ok.. That is not a site to site setup.. Did you look at the doc I linked to.. You show 2 client connections in what you posted, from the 2 second look I took at what you posted.. I don't see any routes listed in your configs for the local networks.
And you posted your certs in that one config? I would remove that if it was me.
-
@johnpoz, certs in the openvpn client file are cut off in the middle, not worried about it, but thanks.
The doc you provided is about having 3 pfSense nodes in 3 locations - one acting as an OpenVPN server and 2 acting as OpenVPN clients.
In my case the OpenVPN server is not a pfSense node, it's a TP-Link router and here are its settings:
In my case the OpenVPN client is the pfSense, that's why you see a client connection on it. Settings from your doc are more or less the same - more or less because the server is not using the TLS key and compression is needed as per the built-in/hidden OpenVPN server settings (found by trial and error).
No static routes are defined on the pfSense itself, but its routing table is the posted image. There you can see the route to the network behind the TP-Link router (acting as an OpenVPN server) - 192.168.10.0/24.
-
I have a TP-Link Archer as VPN server at my Dad's old house. Can ping & connect to everything in the remote LAN, but can only ping the TP-Link. The TP seems to block its web access via the VPN, but I think that's a router limitation.
Not really a problem for me, but will check the config & let you know on Sunday when I'm there in case it helps.
No special routes, etc. in the client config. Local = 192.168.123.0/24 and remote = 192.168.2.0/24