Site-to-Site OpenVPN: Ping Works HQ Firewall to DC Client, but Not DC Firewall to HQ Firewall
-
@viragomann Do I need that?
-
@PlanetToysUtah
If there is only a single client connecting to the server AND you can forgo using DCO, you can set the tunnel network mask to /30 and it will work without a CSO. -
@viragomann I heard that if it's in /30 that isn't good for site-to-site VPNs. Also, I added a DCO and it still didn't work.
-
@PlanetToysUtah said in Site-to-Site OpenVPN: Ping Works HQ Firewall to DC Client, but Not DC Firewall to HQ Firewall:
I heard that if it's in /30 that isn't good for site-to-site VPNs. Also, I added a DCO and it still didn't work.
?
DCO is a check box in the settings of pfSense+.
And it's not compatible with a /30 tunnel mask. So what did you actually do?
-
Ah ok, I have pfSense CE. I got the ping from HQ to DC working but not DC to HQ. I can ping 192.168.11.1 from DC, but no clients on the next hop over at 192.168.5.0/24.
-
@PlanetToysUtah
Also, I did CSO (Client Specific Overrides) and added the correct routes, and that worked. But I'm still having issues with the DC to HQ 5.0/24 network. -
@PlanetToysUtah
In the CSO you have to state the client side's networks at "remote networks", and once again in the server settings. If it doesn't work either, set the server's log verbosity level to 4. Then reconnect the client and check the logs for the relevant entries.
The server then logs if the CSO was applied and if the routes for the client networks were added inside OpenVPN. -
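The two "remote networks" entries described above map onto two different OpenVPN directives, and both are needed. The following is an added illustration, not the poster's configuration or anything generated by pfSense: it shows the directives pfSense writes for the server-side "Remote networks" (a `route`), the CSO "Remote networks" (an `iroute` in the client's CCD file), and the route the DC client needs for the HQ LAN. 192.168.5.0/24 is the HQ LAN from the thread; the tunnel network 10.8.0.0/24, the DC LAN 192.168.20.0/24, the client CN `dc-client`, the CCD path and the HQ hostname are constructed placeholders.

```conf
# ===== HQ side (OpenVPN server) - config excerpt, added example =====
dev tun
# Tunnel network with a /24 mask, so the client gets its own tunnel address
# (DCO is not compatible with a /30 tunnel mask). Value is an assumption.
server 10.8.0.0 255.255.255.0
# Verbosity 4: the log then shows whether the CCD file was read and
# which internal routes were learned for the client.
verb 4

# Server settings -> "Remote networks": becomes a kernel route on the HQ firewall
# so packets for the DC LAN are handed to the tunnel interface.
route 192.168.20.0 255.255.255.0          # DC LAN, constructed placeholder

# Server settings -> "Local networks": pushed to the client so the DC side
# learns that 192.168.5.0/24 (HQ LAN, from the thread) lives behind the tunnel.
push "route 192.168.5.0 255.255.255.0"

# pfSense writes one file per CSO into the client-config directory
# (path is an assumption; pfSense generates it for you).
client-config-dir /var/etc/openvpn/server1/csc

# ===== HQ side: CCD file for the DC client, named after its certificate CN =====
# File: /var/etc/openvpn/server1/csc/dc-client   (CN is a placeholder)
# CSO -> "Remote networks": the iroute tells the OpenVPN process WHICH client
# owns 192.168.20.0/24. The kernel route above only gets traffic as far as the
# tunnel interface; without the iroute OpenVPN has no client to deliver it to.
iroute 192.168.20.0 255.255.255.0

# ===== DC side (OpenVPN client) - config excerpt, added example =====
client
dev tun
remote hq.example.invalid 1194            # HQ public address, placeholder
# Either accept the pushed route above, or set "Remote networks" = 192.168.5.0/24
# in the client's pfSense settings, which produces this line:
route 192.168.5.0 255.255.255.0
```

With `verb 4` on the server, a successful client connect logs that the client-specific options were read from the CCD file and that an internal route for 192.168.20.0/24 was learned for that client; if those lines are missing, the CSO did not match the client's certificate CN. Once routes exist on both ends, traffic from the DC LAN to 192.168.5.0/24 also has to pass the firewall rules on the HQ OpenVPN interface, and the HQ LAN hosts must use the HQ firewall as their gateway (or have a route back to the DC LAN) for replies to return.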
@viragomann I got all that fixed. Now the DC VMs can't ping any local system except for 192.168.11.1, but they can't reach 192.168.5.0/24.
-
@viragomann You have any idea why I still can't ping from DC to HQ LAN?
-
@PlanetToysUtah
Is the CSO applied?
Please show the log.