OpenVPN site to site from Host to Client not working
-
Hello all,
I am trying to use Pfsense as a OpenVPN end point for multiple client sites. The endpoints are DD-WRT routers with OpenVPN. I am using custom startup scripts on the client routers so I can use all configuration options. I followed an tutorial on this board for multiple site-to-site connections for the Pfsense setup.The client router connects and I can ping any host behind the Pfsense firewall OK. However, I cannot ping or connect from a host computer behind Pfsense to the client computers behind the remote routers. If I manually configure the ifconfig on the client router and set "use static IP" on Pfsense VPN server, I can connect both directions. However if I allow Pfsense to automatically assign tunnel addresses, I can only connect from the client to Pfsense.
I have setup Pfsense firewall rules allowing traffic from the WAN to the LAN, but no effect. I also have a rule allowing all ICMP traffic on the WAN to any destination.
Any suggestions?
Server setup:
UDP 1194
Local Network: 192.168.2.0/24
Dynamic IP: Yes
Remote Network: 192.168.1.0/24
Address pool: 172.32.55.0/24
Client to Client VPN: yes
Authentication method: PKI
Server Wan: xx.xx.xx.xxClient Config:
remote xx.xx.xx.xx
client
proto udp
port 1194
resolv-retry infinite
dev tun0
persist-key
persist-tun
ns-cert-type server
ca /tmp/ca.crt
nobind
cert /tmp/client2.crt
key /tmp/client2.key
verb 3
comp-lzo
keepalive 15 60
pull
-
With site-to-site PKI, the "remote network" doesn't really work like that. The Remote Network box is only for Shared Key.
You need to do two things to get site-to-site PKI to route back to the client network:
a) Add a "route 192.168.x.0 255.255.255.0;" line in custom options, one for each remote site.
b) Add a Client-Specific Config entry for each site, using the site's common name of their certificate. In the custom options for this site, add "iroute 192.168.x.0 255.255.255.0;"
