OpenVPN site to site from Host to Client not working
skykingstlmo last edited by
I am trying to use Pfsense as a OpenVPN end point for multiple client sites. The endpoints are DD-WRT routers with OpenVPN. I am using custom startup scripts on the client routers so I can use all configuration options. I followed an tutorial on this board for multiple site-to-site connections for the Pfsense setup.
The client router connects and I can ping any host behind the Pfsense firewall OK. However, I cannot ping or connect from a host computer behind Pfsense to the client computers behind the remote routers. If I manually configure the ifconfig on the client router and set "use static IP" on Pfsense VPN server, I can connect both directions. However if I allow Pfsense to automatically assign tunnel addresses, I can only connect from the client to Pfsense.
I have setup Pfsense firewall rules allowing traffic from the WAN to the LAN, but no effect. I also have a rule allowing all ICMP traffic on the WAN to any destination.
Local Network: 192.168.2.0/24
Dynamic IP: Yes
Remote Network: 192.168.1.0/24
Address pool: 22.214.171.124/24
Client to Client VPN: yes
Authentication method: PKI
Server Wan: xx.xx.xx.xx
keepalive 15 60
With site-to-site PKI, the "remote network" doesn't really work like that. The Remote Network box is only for Shared Key.
You need to do two things to get site-to-site PKI to route back to the client network:
a) Add a "route 192.168.x.0 255.255.255.0;" line in custom options, one for each remote site.
b) Add a Client-Specific Config entry for each site, using the site's common name of their certificate. In the custom options for this site, add "iroute 192.168.x.0 255.255.255.0;"