OpenVPN site to site from Host to Client not working

  • Hello all,
I am trying to use Pfsense as an OpenVPN endpoint for multiple client sites.  The endpoints are DD-WRT routers with OpenVPN.  I am using custom startup scripts on the client routers so I can use all configuration options.  I followed a tutorial on this board for multiple site-to-site connections for the Pfsense setup.

The client router connects and I can ping any host behind the Pfsense firewall OK.  However, I cannot ping or connect from a host computer behind Pfsense to the client computers behind the remote routers.  If I manually configure the ifconfig on the client router and set "use static IP" on the Pfsense VPN server, I can connect in both directions.  However, if I allow Pfsense to automatically assign tunnel addresses, I can only connect from the client to Pfsense.

I have set up Pfsense firewall rules allowing traffic from the WAN to the LAN, but with no effect.  I also have a rule allowing all ICMP traffic on the WAN to any destination.

    Any suggestions?

    Server setup: 
    UDP 1194
    Local Network:
    Dynamic IP: Yes
    Remote Network:
    Address pool:
    Client to Client VPN: yes
    Authentication method: PKI
    Server Wan: xx.xx.xx.xx

    Client Config:
    remote xx.xx.xx.xx
    proto udp         
    port 1194
    resolv-retry infinite
    dev tun0
    ns-cert-type server
    ca /tmp/ca.crt
    cert /tmp/client2.crt
    key /tmp/client2.key
    verb 3
    keepalive 15 60

  • Rebel Alliance Developer Netgate

    With site-to-site PKI, the "remote network" doesn't really work like that. The Remote Network box is only for Shared Key.

    You need to do two things to get site-to-site PKI to route back to the client network:

    a) Add a "route 192.168.x.0;" line in custom options, one for each remote site.
    b) Add a Client-Specific Config entry for each site, using the site's common name of their certificate. In the custom options for this site, add "iroute 192.168.x.0;"
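    As an added illustration (not part of the reply above), here are steps a) and b) written out for two remote sites, with the netmasks made explicit. The site subnets 192.168.10.0/24 and 192.168.20.0/24 and the second common name client3 are assumed example values; client2 is the common name implied by the certificate in the question's client config.

```conf
# pfSense OpenVPN server, "Custom options" field. pfSense separates
# directives with ';'. One "route" per remote site. The netmask is
# written out because OpenVPN defaults to 255.255.255.255 when it is
# omitted, which installs a /32 host route instead of the site subnet.
# (192.168.10.0/24 and 192.168.20.0/24 are assumed example subnets.)
route 192.168.10.0 255.255.255.0; route 192.168.20.0 255.255.255.0

# Client-Specific Config for the site whose certificate has CN=client2
# (the cert from the question). pfSense writes this into a CCD file
# named exactly after the common name; its "Custom options" field holds:
iroute 192.168.10.0 255.255.255.0

# Client-Specific Config for the second site, CN assumed to be client3:
iroute 192.168.20.0 255.255.255.0

# The DD-WRT client configs stay as posted. "route" puts a kernel route
# for the site subnet into the tunnel on pfSense; "iroute" tells the
# OpenVPN server process which connected client owns that subnet. Without
# the iroute the server has no internal route for the reply and drops it,
# which is the one-way behaviour described in the question.
```

    With client-to-client enabled and both directives in place, hosts behind pfSense reach the remote LANs through whatever tunnel address the server assigned, so the manual ifconfig / static-IP workaround is no longer needed. If a Client-Specific Config's name does not match the certificate common name exactly, OpenVPN never loads that iroute and the one-way symptom comes back, so that is the first thing to check when only some sites misbehave.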
