Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Site-to-Site OpenVPN : server-side can only reach client-side router, no other LAN devices

    Scheduled Pinned Locked Moved OpenVPN
    8 Posts 2 Posters 414 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • H
      hts
      last edited by

      I have set up a site-to-site OpenVPN connection using the recipe at https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html
      with pfSense 2.7.2 and a lot of it works.

      From the client side, I can access anything on the server side LAN (as expected for any client).

      From the server side I can ping and open a browser to the client side's pfSense web interface using it's LAN address. However I cannot ping any other devices on the client-side LAN. Client-side LAN devices can ping each other.

      Some detail/setting/rule must be missing or mis-configured.

      Help troubleshooting will be appreciated.

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @hts
        last edited by

        @hts
        Is the client VPN endpoint the default gateway in its local network?

        Do you have rules on the VPN interface to pass incoming traffic?

        Also consider, that the local computers block access from remote itself by default by their own firewalls.

        1 Reply Last reply Reply Quote 0
        • H
          hts
          last edited by

          Yes, client VPN endpoint is default gateway.
          Yes, rules to pass incoming traffic.
          Local computer firewall allows ICMPv4 Echo (ping) for public, private and domain.

          V 1 Reply Last reply Reply Quote 0
          • V
            viragomann @hts
            last edited by

            @hts
            Are there on the servers LAN also rules in place to allow access to the remote site?

            I assume, you have configured the CSO and it is working. Otherwise access to the clients LAN IP wouldn't be possible.

            1 Reply Last reply Reply Quote 0
            • H
              hts
              last edited by

              Yes to both.

              I don't believe I could get to the client's router/endpoint LAN address without those being in place. But I'm looking for any methods to see where the traffic is being blocked.

              V 1 Reply Last reply Reply Quote 0
              • V
                viragomann @hts
                last edited by

                @hts
                Diagnostic > Packet Capture is the tool for investigate this issue.

                Sniff the traffic on the clients VPN and LAN to see, how far you get.

                1 Reply Last reply Reply Quote 0
                • H
                  hts
                  last edited by

                  I wanted to follow up to give the "resolution" to my problem. I reset the pfSense box to defaults, re-imported CA and certificate, re-added client, and everything worked.

                  One "interesting" observation before the above was that Diagnostic > Packet Capture showed duplicates of packets for the filtered destination as if some deleted firewall rules were still active.

                  1 Reply Last reply Reply Quote 0
                  • H
                    hts
                    last edited by

                    For clarity, I reset the client pfsense box to factory defaults.

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.