    OpenVPN site to site from Host to Client not working

      skykingstlmo

      Hello all,
I am trying to use pfSense as an OpenVPN end point for multiple client sites.  The endpoints are DD-WRT routers with OpenVPN.  I am using custom startup scripts on the client routers so I can use all configuration options.  I followed a tutorial on this board for multiple site-to-site connections for the pfSense setup.

      The client router connects and I can ping any host behind the pfSense firewall OK.  However, I cannot ping or connect from a host computer behind pfSense to the client computers behind the remote routers.  If I manually configure the ifconfig on the client router and set "use static IP" on the pfSense VPN server, I can connect in both directions.  However, if I allow pfSense to automatically assign tunnel addresses, I can only connect from the client to pfSense.

      I have set up pfSense firewall rules allowing traffic from the WAN to the LAN, but with no effect.  I also have a rule allowing all ICMP traffic on the WAN to any destination.

      Any suggestions?

Server setup:
      UDP 1194
      Local Network: 192.168.2.0/24
      Dynamic IP: Yes
      Remote Network: 192.168.1.0/24
      Address pool: 172.32.55.0/24
      Client to Client VPN: yes
      Authentication method: PKI
Server WAN: xx.xx.xx.xx

      Client Config:
      remote xx.xx.xx.xx
      client
proto udp
      port 1194
      resolv-retry infinite
      dev tun0
      persist-key
      persist-tun
      ns-cert-type server
      ca /tmp/ca.crt
      nobind
      cert /tmp/client2.crt
      key /tmp/client2.key
      verb 3
      comp-lzo
      keepalive 15 60
      pull

jimp (Rebel Alliance, Developer, Netgate)

        With site-to-site PKI, the "remote network" doesn't really work like that. The Remote Network box is only for Shared Key.

        You need to do two things to get site-to-site PKI to route back to the client network:

        a) Add a "route 192.168.x.0 255.255.255.0;" line in custom options, one for each remote site.
        b) Add a Client-Specific Config entry for each site, using the site's common name of their certificate. In the custom options for this site, add "iroute 192.168.x.0 255.255.255.0;"

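As an added example (not jimp's or pfSense's own code), the following POSIX shell script generates the two pieces the answer describes for a list of remote sites: the "route" lines for the server's custom options and one Client-Specific Config entry per certificate CN carrying the matching "iroute". It also checks that every route has an iroute, since a missing iroute produces the one-way reachability in the question. The site CNs (site1, site2), the second LAN and CCD_DIR are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or pfSense. Emits one "route" per remote
# site for the server custom options and one CSC entry per site, keyed by the
# certificate CN, carrying the matching "iroute". Lines keep the trailing ';'
# used in the pfSense custom-options boxes.

# Constructed inventory: "<certificate CN> <remote LAN> <netmask>" per line.
# site1/site2 are placeholders for the real CNs in the site certificates.
SITES='site1 192.168.1.0 255.255.255.0
site2 192.168.3.0 255.255.255.0'

# Directory standing in for the CSC store (constructed default).
CCD_DIR="${CCD_DIR:-./ccd}"

# (a) "route" lines for the server custom options: tells the kernel to hand
# traffic for each remote LAN to the tunnel interface.
server_routes() {
    printf '%s\n' "$SITES" | while read -r cn net mask; do
        [ -n "$cn" ] || continue
        printf 'route %s %s;\n' "$net" "$mask"
    done
}

# (b) one CSC file per site, named after the CN: the "iroute" tells OpenVPN
# which connected client actually owns that LAN.
write_csc() {
    mkdir -p "$CCD_DIR"
    printf '%s\n' "$SITES" | while read -r cn net mask; do
        [ -n "$cn" ] || continue
        printf 'iroute %s %s;\n' "$net" "$mask" > "$CCD_DIR/$cn"
    done
}

# Consistency check: a route with no matching iroute gives exactly the
# one-way reachability in the question (client can reach the server LAN,
# server LAN cannot reach the client LAN). Returns 0 when the sets match.
check_pairing() {
    routes=$(server_routes | sed 's/^route //' | sort)
    iroutes=$(cat "$CCD_DIR"/* 2>/dev/null | sed -n 's/^iroute //p' | sort)
    [ -n "$routes" ] && [ "$routes" = "$iroutes" ]
}

# Stand-alone run: print the custom-options lines, write CSCs, verify.
if [ "${1:-}" = "run" ]; then
    server_routes
    write_csc
    check_pairing && echo "every route has a matching iroute"
fi
```

Run it with `sh gen_site_configs.sh run`; the printed route lines go into the server's custom options and each file under CCD_DIR is the custom-options content for the CSC entry of that CN.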