[SOLVED] OpenVPN Site to Site >> Can't ping subnet on one side



  • I have a network that looks like this:

    192.168.10.0/24
       |
       |
      LAN
    PFSense A (OpenVPN Server)
     WAN
       |
       |
     WAN
    PFSense B (OpenVPN Client)
      LAN                                 OPT1
        |                                     |
        |                                     |
    192.168.20.0/24            157.168.30.0/24

    I have a site-to-site VPN working between my client and server networks, so I can ping from one LAN to the other.
    I can ping addresses on the OPT1 network from the LAN network on the client side, but not from the server side. I added routes to OpenVPN on the server side for the OPT1 network and I see the ping in the firewall logs on the client side, so it makes it through the VPN. Then it just seems to get lost. I have tried static routing and policy based routing in the OpenVPN firewall rules on the client side, but still no luck. What am I doing wrong?

    [Update] Ok, so I did a packet capture on OPT1 and it looks like the ping is making it out that door, but the packet contains the IP address of the requesting host from the OpenVPN server side (192.168.10.130), not the OPT1 interface IP address.

    09:01:28.142143 IP 157.168.10.130 > 157.168.30.241: ICMP echo request, id 18259, seq 0, length 64
    09:01:29.143305 IP 157.168.10.130 > 157.168.30.241: ICMP echo request, id 18259, seq 1, length 64
    09:01:30.144301 IP 157.168.10.130 > 157.168.30.241: ICMP echo request, id 18259, seq 2, length 64

    When I ping from the LAN, the OPT1 interface IP address (157.168.30.61) is used and I get a reply to the echo:

    09:01:28.142143 IP 157.168.30.61 > 157.168.30.241: ICMP echo request, id 18259, seq 0, length 64
    09:01:28.142371 IP 157.168.30.241 > 157.168.30.61: ICMP echo reply, id 18259, seq 0, length 64
    09:01:29.143305 IP 157.168.30.61 > 157.168.30.241: ICMP echo request, id 18259, seq 1, length 64
    09:01:29.143556 IP 157.168.30.241 > 157.168.30.61: ICMP echo reply, id 18259, seq 1, length 64
    09:01:30.144301 IP 157.168.30.61 > 157.168.30.241: ICMP echo request, id 18259, seq 2, length 64
    09:01:30.144492 IP 157.168.30.241 > 157.168.30.61: ICMP echo reply, id 18259, seq 2, length 64

    Why is this happening? I assume the receiving host gets this echo request and doesn't respond because the requestor is not on the same subnet or something like that. How do I get traffic coming from the OpenVPN server side to look like it's coming from the OPT1 interface IP address when it goes out that interface?



  • *** BUMP ***

    Please help! Any suggestions would be greatly appreciated!



  • Ok, I figured out the problem. The traceroute tipped me off. Traffic coming from my OpenVPN tunnel to the OPT1 network wasn't being NAT'ed. This is why I wasn't getting a return from the ping. I enabled Advanced Outbound NAT and defined my OpenVPN tunnel as a network to NAT for the OPT1 interface (don't forget to add rules for WAN too in Advanced Outbound NAT, since Advanced Outbound NAT disabled all the automatic outbound NATing).
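The two captures in the first post already contain the diagnosis that the last post reaches: echo requests leaving OPT1 with a source address outside OPT1's subnet and never getting a reply, versus requests leaving with the interface address and getting one. The script below is an added example, not code from the original thread or from pfSense; it parses `tcpdump -n` lines in the format quoted above, pairs each echo request with its reply by ICMP id/seq, and flags requests whose source is off-subnet and unanswered as the missing-outbound-NAT symptom. The sample captures are the thread's own lines, embedded here as constructed input; the function names, the `OPT1_SUBNET` constant (taken from the diagram) and the "nat_missing" heuristic are this example's assumptions, not anything the poster wrote.

```python
"""Spot the missing-outbound-NAT symptom in a tcpdump capture of an interface:
ICMP echo requests that leave with a source address outside the interface's
subnet and never receive a reply. Added example, not pfSense code."""
import ipaddress
import re

# Subnet of the OPT1 interface from the diagram in the thread (assumed here).
OPT1_SUBNET = "157.168.30.0/24"

# Constructed input: the capture lines quoted in the first post, verbatim.
CAPTURE_FROM_VPN = """\
09:01:28.142143 IP 157.168.10.130 > 157.168.30.241: ICMP echo request, id 18259, seq 0, length 64
09:01:29.143305 IP 157.168.10.130 > 157.168.30.241: ICMP echo request, id 18259, seq 1, length 64
09:01:30.144301 IP 157.168.10.130 > 157.168.30.241: ICMP echo request, id 18259, seq 2, length 64
"""

CAPTURE_FROM_LAN = """\
09:01:28.142143 IP 157.168.30.61 > 157.168.30.241: ICMP echo request, id 18259, seq 0, length 64
09:01:28.142371 IP 157.168.30.241 > 157.168.30.61: ICMP echo reply, id 18259, seq 0, length 64
09:01:29.143305 IP 157.168.30.61 > 157.168.30.241: ICMP echo request, id 18259, seq 1, length 64
09:01:29.143556 IP 157.168.30.241 > 157.168.30.61: ICMP echo reply, id 18259, seq 1, length 64
09:01:30.144301 IP 157.168.30.61 > 157.168.30.241: ICMP echo request, id 18259, seq 2, length 64
09:01:30.144492 IP 157.168.30.241 > 157.168.30.61: ICMP echo reply, id 18259, seq 2, length 64
"""

# One "tcpdump -n" line for an ICMP echo request or reply.
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def analyze_capture(capture_text, iface_subnet):
    """Return one finding per echo request in the capture.

    Each finding is a dict with src, dst, id, seq, src_on_subnet (was the
    source rewritten to an address on the captured interface's subnet?) and
    replied (did a reply with the same id/seq come back from dst to src?).
    """
    net = ipaddress.ip_network(iface_subnet)
    requests = []
    replies = set()
    for line in capture_text.strip().splitlines():
        m = ICMP_RE.match(line.strip())
        if not m:
            continue  # non-ICMP or unparsable line: ignore
        key = (m["id"], m["seq"])
        if m["kind"] == "request":
            requests.append((m["src"], m["dst"], key))
        else:
            # A reply answers a request with src/dst swapped and the same id/seq.
            replies.add((m["dst"], m["src"], key))
    findings = []
    for src, dst, key in requests:
        findings.append({
            "src": src, "dst": dst, "id": key[0], "seq": key[1],
            "src_on_subnet": ipaddress.ip_address(src) in net,
            "replied": (src, dst, key) in replies,
        })
    return findings


def diagnose(findings):
    """Heuristic verdict (assumed here, not from the thread):
    'nat_missing' when some request left with an off-subnet source and was
    never answered, 'ok' when every request was answered, otherwise
    'no_reply_other_cause' (source was on-subnet but nothing came back)."""
    if any(not f["src_on_subnet"] and not f["replied"] for f in findings):
        return "nat_missing"
    if findings and all(f["replied"] for f in findings):
        return "ok"
    return "no_reply_other_cause"


if __name__ == "__main__":
    for label, cap in (("from VPN", CAPTURE_FROM_VPN), ("from LAN", CAPTURE_FROM_LAN)):
        result = analyze_capture(cap, OPT1_SUBNET)
        print(label, "->", diagnose(result))
        for f in result:
            print("  ", f)
```

Run it against the capture taken on pfSense B's OPT1 before and after enabling the manual outbound NAT rule: before, the requests from the server-side host show up with their original source and no reply ("nat_missing"); after, they should leave with the OPT1 address, exactly like the LAN-originated ping in the second capture, and the verdict flips to "ok". If the source is already on-subnet and there is still no reply, the problem is somewhere other than NAT (host firewall, wrong interface, or the target not answering).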

