Netgate Discussion Forum

    Site-to-Site OpenVPN: Ping Works HQ Firewall to DC Client, but Not DC Firewall to HQ Firewall

12 Posts 2 Posters 674 Views
PlanetToysUtah

      Hello everyone,

      I’m encountering an issue with my site-to-site OpenVPN tunnel between two pfSense appliances. I can successfully ping from the HQ firewall to devices on the DC LAN, but I cannot ping from the DC firewall to the HQ firewall. Here are the details of my setup and troubleshooting efforts:

      Setup Overview

      Data Center (DC)
      WAN IP: 199.119.XX.XXX (partially redacted for security).
      LAN Subnet: 192.168.1.0/24

      pfSense Role: OpenVPN Server
      IPv4 Tunnel Network: 192.168.127.0/24
      IPv4 Local Networks: 192.168.1.0/24
      IPv4 Remote Networks: 192.168.11.0/24, 192.168.5.0/24

      Headquarters (HQ)
      LAN Subnets: 192.168.11.0/24, 192.168.5.0/24
      pfSense Role: OpenVPN Client
      IPv4 Local Networks: 192.168.11.0/24, 192.168.5.0/24
      IPv4 Remote Networks: 192.168.1.0/24

      What Works
      From the HQ firewall, I can ping devices on the DC LAN (192.168.1.0/24).

      What Doesn't Work
      From the DC firewall, I cannot ping the HQ firewall’s LAN interface (192.168.11.1 or 192.168.5.1).
      Traceroutes from the DC firewall to the HQ firewall fail after the OpenVPN tunnel.

      Troubleshooting Done
      Routing:
      Confirmed both sides have correct routes for remote subnets via the OpenVPN tunnel.
      Firewall Rules:
      Verified rules on both sides allow traffic in both directions for the respective subnets.

      NAT:
      "Do Not NAT" rules are configured for all VPN traffic.

      State Tables:
      Cleared state tables and rebooted both firewalls.

      Questions
      Could this be a routing issue related to the WAN IP (199.119.XX.XXX) on the DC firewall?
      How can I confirm if the issue is related to asymmetric routing or return traffic being blocked?
      Should I enable OpenVPN debugging or capture additional logs to trace the issue?
      Any advice or insights would be greatly appreciated. Thank you!

viragomann @PlanetToysUtah

@PlanetToysUtah
Since you didn't mention the client specific override, I guess you're missing it.

PlanetToysUtah @viragomann

@viragomann Do I need that?

viragomann @PlanetToysUtah

@PlanetToysUtah
If there is only a single client connecting to the server AND you can forgo using DCO, you can set the tunnel network mask to /30 and it will work without a CSO.

PlanetToysUtah @viragomann

@viragomann I heard that if it's in /30 that isn't good for site-to-site VPNs. Also I added a DCO and it still didn't work.

viragomann @PlanetToysUtah

                @PlanetToysUtah said in Site-to-Site OpenVPN: Ping Works HQ Firewall to DC Client, but Not DC Firewall to HQ Firewall:

I heard that if it's in /30 that isn't good for site-to-site VPNs. Also I added a DCO and it still didn't work.

                ?
DCO is a check box in the settings of pfSense+.
And it's not compatible with a /30 tunnel mask.

So what did you actually do?

PlanetToysUtah

Ah ok, I have pfSense CE. I got the ping from HQ to DC working but not DC to HQ. I can ping 192.168.11.1 from DC but no clients on the next hop over at 192.168.5.0/24.

PlanetToysUtah @PlanetToysUtah

@PlanetToysUtah
Also I did a CSO (Client Specific Override) and added the correct routes and that worked, but I'm still having issues with the DC to HQ 5.0/24 network.

viragomann @PlanetToysUtah

@PlanetToysUtah
In the CSO you have to state the client side's networks at "remote networks" and once again in the server settings.

If it doesn't work either, set the server's log verbosity level to 4. Then reconnect the client and check the logs for the relevant entries.
The server then logs if the CSO was applied and if the routes for the client networks were added inside OpenVPN.

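Added illustration (editor's example, not code from this thread, from pfSense or from OpenVPN itself) of the point viragomann makes in the two replies above: on a /24 tunnel an OpenVPN server learns each client's own tunnel address automatically but learns the networks behind a client only from the `iroute` lines that a CSO's "IPv4 Remote Networks" field produces, while the server's own "IPv4 Remote Networks" only installs the kernel `route` that gets packets onto the tun interface. The model below shows why HQ-to-DC works while DC-to-HQ is dropped, why a /30 tunnel needs no CSO, and what a verbosity-4 server log is checked for. The common name `hq-fw`, the CSO file contents, the peer address and the log excerpt are all constructed for the example; the log lines follow the shape of OpenVPN's "OPTIONS IMPORT" and "MULTI: internal route" messages but are not from the poster's system.

```python
"""Model of OpenVPN server-side client routing and a CSO log check.

Constructed example: the CN, CSO text, log excerpt and paths are assumptions.
"""
import ipaddress
import re

HQ_CN = "hq-fw"  # assumed common name of the HQ client certificate

# Constructed CSO (client-config-dir) file contents, as generated from a CSO's
# "IPv4 Remote Networks" field: one iroute per network behind the client.
CSO_BOTH_NETS = "iroute 192.168.11.0 255.255.255.0\niroute 192.168.5.0 255.255.255.0\n"
CSO_ONLY_11 = "iroute 192.168.11.0 255.255.255.0\n"


def parse_iroutes(cso_text):
    """Networks an OpenVPN CSO file hands to the server through 'iroute' lines."""
    nets = []
    for line in cso_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "iroute":
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


class SubnetServer:
    """Multi-client server on a /24 tunnel: packets are matched against learned routes."""

    def __init__(self):
        self.routes = {}  # ip_network -> client CN (the server's internal table)

    def client_connect(self, cn, tunnel_ip, cso_text=""):
        # The client's own tunnel address is always learned ('MULTI: Learn').
        self.routes[ipaddress.ip_network(f"{tunnel_ip}/32")] = cn
        # Networks behind the client come only from the CSO ('MULTI: internal route').
        for net in parse_iroutes(cso_text):
            self.routes[net] = cn

    def resolve(self, dst):
        """Longest-prefix match; None means the server has no client to send to."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, cn in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, cn)
        return best[1] if best else None


class Net30Server:
    """/30 tunnel: exactly one peer, so every packet goes to it and no CSO is needed."""

    def __init__(self, peer_cn):
        self.peer_cn = peer_cn

    def resolve(self, dst):
        return self.peer_cn


# Constructed verb-4 server log excerpt modelled on OpenVPN's message formats.
# Timestamp, pid, peer address and the CSO path are assumptions.
SAMPLE_LOG = """\
Jan 10 09:12:01 openvpn[1234]: hq-fw/203.0.113.5:1194 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn/server1/csc/hq-fw
Jan 10 09:12:01 openvpn[1234]: hq-fw/203.0.113.5:1194 MULTI: Learn: 192.168.127.2 -> hq-fw/203.0.113.5:1194
Jan 10 09:12:01 openvpn[1234]: hq-fw/203.0.113.5:1194 MULTI: internal route 192.168.11.0/24 -> hq-fw/203.0.113.5:1194
"""

INTERNAL_ROUTE_RE = re.compile(r"MULTI: internal route (\S+) -> ([^/\s]+)/")


def cso_was_applied(log_text, cn):
    """True if the server reported reading a CSO file in this client's context."""
    pat = re.escape(cn) + r"/\S+ OPTIONS IMPORT: reading client specific options from: "
    return re.search(pat, log_text) is not None


def learned_iroutes(log_text, cn):
    """Networks the server announced as internal routes for this client."""
    return [ipaddress.ip_network(net) for net, who in INTERNAL_ROUTE_RE.findall(log_text) if who == cn]


def missing_iroutes(cso_text, log_text, cn):
    """CSO networks never shown as installed in the log, as strings."""
    learned = learned_iroutes(log_text, cn)
    return [str(n) for n in parse_iroutes(cso_text) if n not in learned]


if __name__ == "__main__":
    srv = SubnetServer()
    srv.client_connect(HQ_CN, "192.168.127.2", CSO_ONLY_11)
    for dst in ("192.168.127.2", "192.168.11.1", "192.168.5.10"):
        print(dst, "->", srv.resolve(dst))
    print("CSO applied:", cso_was_applied(SAMPLE_LOG, HQ_CN))
    print("missing iroutes:", missing_iroutes(CSO_BOTH_NETS, SAMPLE_LOG, HQ_CN))
```

Read against the thread: a ping from the HQ firewall is sourced from its tunnel address, which the server has learned, so replies resolve and HQ-to-DC works; a packet from the DC side for 192.168.11.1 or 192.168.5.x reaches the tun via the kernel route but resolves to `None` unless the CSO has an `iroute` for that network, which is the silent drop seen as DC-to-HQ failing. With the CSO carrying only the 192.168.11.0/24 network the second-hop 192.168.5.0/24 subnet still resolves to `None`, matching the later posts, and `missing_iroutes` flags exactly that network when the log shows the CSO was read but only one internal route was installed.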
PlanetToysUtah

@viragomann I got all that fixed. Now the DC VMs can't ping any local system except for 192.168.11.1, but they can't reach 192.168.5.0/24.

PlanetToysUtah @PlanetToysUtah

@viragomann Do you have any idea why I still can't ping from DC to HQ LAN?

viragomann @PlanetToysUtah

                            @PlanetToysUtah
Is the CSO applied?
                            Please show the log.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.