OpenVPN site to site from Host to Client not working



  • Hello all,
    I am trying to use Pfsense as an OpenVPN end point for multiple client sites.  The endpoints are DD-WRT routers with OpenVPN.  I am using custom startup scripts on the client routers so I can use all configuration options.  I followed a tutorial on this board for multiple site-to-site connections for the Pfsense setup.

    The client router connects and I can ping any host behind the Pfsense firewall OK.  However, I cannot ping or connect from a host computer behind Pfsense to the client computers behind the remote routers.  If I manually configure the ifconfig on the client router and set "use static IP" on Pfsense VPN server, I can connect both directions.  However if I allow Pfsense to automatically assign tunnel addresses, I can only connect from the client to Pfsense.

    I have set up Pfsense firewall rules allowing traffic from the WAN to the LAN, but no effect.  I also have a rule allowing all ICMP traffic on the WAN to any destination.

    Any suggestions?

    Server setup: 
    UDP 1194
    Local Network: 192.168.2.0/24
    Dynamic IP: Yes
    Remote Network: 192.168.1.0/24
    Address pool: 172.32.55.0/24
    Client to Client VPN: yes
    Authentication method: PKI
    Server Wan: xx.xx.xx.xx

    Client Config:
    remote xx.xx.xx.xx
    client
    proto udp         
    port 1194
    resolv-retry infinite
    dev tun0
    persist-key
    persist-tun
    ns-cert-type server
    ca /tmp/ca.crt
    nobind
    cert /tmp/client2.crt
    key /tmp/client2.key
    verb 3
    comp-lzo
    keepalive 15 60
    pull


  • Rebel Alliance Developer Netgate

    With site-to-site PKI, the "remote network" doesn't really work like that. The Remote Network box is only for Shared Key.

    You need to do two things to get site-to-site PKI to route back to the client network:

    a) Add a "route 192.168.x.0 255.255.255.0;" line in custom options, one for each remote site.
    b) Add a Client-Specific Config entry for each site, using the site's common name of their certificate. In the custom options for this site, add "iroute 192.168.x.0 255.255.255.0;"
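As an added illustration (not code from the thread, pfSense or OpenVPN), here is a small Python check that parses the server custom options and the Client-Specific Config entries the reply describes and reports a remote subnet that is missing its "route" or "iroute" half, overlaps the server LAN or tunnel pool, or is claimed by more than one certificate common name. The common names and the second and third site subnets are constructed; only client2 and 192.168.1.0/24 come from the thread.

```python
import ipaddress

# Constructed sample following the reply's recipe: the server custom options
# carry one "route" per remote site, and each site's Client-Specific Config
# (keyed on its certificate common name) carries the matching "iroute".
# The common names are assumptions; the thread only shows client2.crt.
SERVER_CUSTOM_OPTIONS = "route 192.168.1.0 255.255.255.0; route 192.168.3.0 255.255.255.0;"
CCD_ENTRIES = {
    "client2": "iroute 192.168.1.0 255.255.255.0;",
    "client3": "iroute 192.168.4.0 255.255.255.0;",  # deliberately has no route
}
LOCAL_NET = "192.168.2.0/24"    # server-side LAN from the thread
TUNNEL_POOL = "172.32.55.0/24"  # address pool from the thread


def parse_networks(text, directive):
    """Extract 'directive <network> <netmask>' statements from pfSense-style
    custom options (';'-separated) or a plain OpenVPN file (newline-separated)."""
    nets = []
    for stmt in text.replace("\n", ";").split(";"):
        parts = stmt.split()
        if len(parts) == 3 and parts[0] == directive:
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def check_site_to_site(server_opts, ccd_entries, local_net, tunnel_pool):
    """Return a list of problems; empty means every remote subnet is routable
    in both directions and attributable to exactly one client certificate."""
    routes = parse_networks(server_opts, "route")
    reserved = [ipaddress.ip_network(local_net), ipaddress.ip_network(tunnel_pool)]
    claimed = {}
    problems = []
    for cn, text in ccd_entries.items():
        for net in parse_networks(text, "iroute"):
            if not any(net.subnet_of(r) for r in routes):
                problems.append(f"{cn}: iroute {net} has no matching server route; "
                                "the kernel never hands that traffic to OpenVPN")
            if any(net.overlaps(r) for r in reserved):
                problems.append(f"{cn}: iroute {net} overlaps the local LAN or tunnel pool")
            if net in claimed:
                problems.append(f"{net} claimed by both {claimed[net]} and {cn}")
            claimed.setdefault(net, cn)
    for r in routes:
        if not any(n.subnet_of(r) for n in claimed):
            problems.append(f"route {r} has no iroute in any CCD entry; "
                            "OpenVPN cannot pick a client and drops the packets")
    return problems


if __name__ == "__main__":
    for line in check_site_to_site(SERVER_CUSTOM_OPTIONS, CCD_ENTRIES, LOCAL_NET, TUNNEL_POOL):
        print(line)
```

With the sample above it reports client3's iroute without a route and the 192.168.3.0/24 route without an iroute, the two halves of the one-way symptom described in the question.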

