Site-to-Site OpenVPN: Ping Works HQ Firewall to DC Client, but Not DC Firewall to HQ Firewall
-
Hello everyone,
I’m encountering an issue with my site-to-site OpenVPN tunnel between two pfSense appliances. I can successfully ping from the HQ firewall to devices on the DC LAN, but I cannot ping from the DC firewall to the HQ firewall. Here are the details of my setup and troubleshooting efforts:
Setup Overview
Data Center (DC)
WAN IP: 199.119.XX.XXX (partially redacted for security).
LAN Subnet: 192.168.1.0/24
pfSense Role: OpenVPN Server
IPv4 Tunnel Network: 192.168.127.0/24
IPv4 Local Networks: 192.168.1.0/24
IPv4 Remote Networks: 192.168.11.0/24, 192.168.5.0/24
Headquarters (HQ)
LAN Subnets: 192.168.11.0/24, 192.168.5.0/24
pfSense Role: OpenVPN Client
IPv4 Local Networks: 192.168.11.0/24, 192.168.5.0/24
IPv4 Remote Networks: 192.168.1.0/24
What Works
From the HQ firewall, I can ping devices on the DC LAN (192.168.1.0/24).
What Doesn't Work
From the DC firewall, I cannot ping the HQ firewall’s LAN interface (192.168.11.1 or 192.168.5.1).
Traceroutes from the DC firewall to the HQ firewall fail after the OpenVPN tunnel.
Troubleshooting Done
Routing:
Confirmed both sides have correct routes for remote subnets via the OpenVPN tunnel.
Firewall Rules:
Verified rules on both sides allow traffic in both directions for the respective subnets.
NAT:
"Do Not NAT" rules are configured for all VPN traffic.
State Tables:
Cleared state tables and rebooted both firewalls.
Questions
Could this be a routing issue related to the WAN IP (199.119.XX.XXX) on the DC firewall?
How can I confirm if the issue is related to asymmetric routing or return traffic being blocked?
Should I enable OpenVPN debugging or capture additional logs to trace the issue?
Any advice or insights would be greatly appreciated. Thank you!
-
@PlanetToysUtah
Since you didn't mention the client specific override, I guess you're missing it.
-
@viragomann Do I need that?
-
@PlanetToysUtah
If there is only a single client connecting to the server AND you can forgo using DCO, you can set the tunnel network mask to /30 and it will work without a CSO.
-
@viragomann I heard that if it's in /30 that isn't good for site-to-site VPNs. Also, I added a DCO and it still didn't work.
-
@PlanetToysUtah said in Site-to-Site OpenVPN: Ping Works HQ Firewall to DC Client, but Not DC Firewall to HQ Firewall:
I heard that if it's in /30 that isn't good for site-to-site VPNs. Also, I added a DCO and it still didn't work.
?
DCO is a check box in the settings of pfSense+.
And it's not compatible with a /30 tunnel mask.
So what did you actually do?
-
Ah ok, I have pfSense CE. I got the ping from HQ to DC working but not DC to HQ. I can ping 192.168.11.1 from DC but no clients on the next hop over at 192.168.5.0/24.
-
@PlanetToysUtah
Also, I did CSO (Client Specific Overrides) and added the correct routes and that worked. But I'm still having issues with the DC to HQ 5.0/24 network.
-
@PlanetToysUtah
In the CSO you have to state the client side's networks at "remote networks" and once again in the server settings.
If it doesn't work either, set the server's log verbosity level to 4. Then reconnect the client and check the logs for the relevant entries.
The server then logs if the CSO was applied and if the routes for the client networks were added inside OpenVPN.
-
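What those two settings correspond to underneath, as an added example (not from the thread and not pfSense's own generated files): in plain OpenVPN terms, the "remote networks" entered in the server settings become `route` lines in the server config, while the same networks entered in the CSO become `iroute` lines in a client-config-dir file named after the client's certificate common name. The common name `hq-fw` and the file paths are assumptions; the subnets are the ones from the thread.

```conf
# --- DC server side: assumed file /etc/openvpn/server.conf ---
dev tun
topology subnet
server 192.168.127.0 255.255.255.0        # IPv4 tunnel network from the thread
push "route 192.168.1.0 255.255.255.0"    # DC local network, pushed to the HQ client

# Kernel routes on the DC firewall: send both HQ subnets into the tunnel.
# This is what "IPv4 Remote Networks" in the server settings produces.
route 192.168.11.0 255.255.255.0
route 192.168.5.0 255.255.255.0

# Per-client overrides (pfSense "Client Specific Overrides") are read from here
client-config-dir /etc/openvpn/ccd
verb 4                                    # verbosity the thread suggests for checking the CSO was applied

# --- assumed file /etc/openvpn/ccd/hq-fw (name = HQ client certificate common name) ---
# iroute tells the OpenVPN process which connected client owns these networks.
# With only the kernel route present, the packet reaches OpenVPN but it does not
# know which client to hand it to, so DC -> HQ traffic never leaves the server.
# Both HQ subnets must be listed here, not just the first one.
iroute 192.168.11.0 255.255.255.0
iroute 192.168.5.0 255.255.255.0
```

A subnet that appears in `route` but is missing from `iroute` (or the reverse) shows exactly the one-sided symptom described in this thread, so the two lists should be compared entry by entry.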
@viragomann I got all that fixed. Now the DC VMs can't ping any local system except for 192.168.11.1, but they can't reach 192.168.5.0/24.
-
@viragomann You have any idea why I still can't ping from DC to HQ LAN?
-
@PlanetToysUtah
Is the CSO applied?
Please show the log.