OpenVPN site-to-site ping issue
-
Hi all,
Over the past few days, I configured a site-to-site OpenVPN network with two 2.0.1 pfSense devices. It works successfully, but ping gets blocked in one direction (while it works in the other), even though I've added an "ICMP pass" rule on the LAN interfaces of both sides.
The direction that works is from the client side to the server side network: from any PC on the client side I can successfully ping all the PCs in the other network.
From the server side, however, I can ping only the LAN address of the pfSense client side. It's weird that every other protocol works (in both directions), but not ICMP! I have sniffed (tcpdump) the network at the client side: the ICMP appears to exit from the VPN, but it seems to be dropped somewhere. The sniffing was done both on the ovpnc1 interface and on the vr0 (LAN) interface of the client side: the packets never reach the destination (a sniffer on the destination confirmed this). No problem in the opposite direction.
This is the output of tcpdump on the LAN interface at the client side:
tcpdump -n -i vr0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vr0, link-type EN10MB (Ethernet), capture size 96 bytes
17:10:33.530854 IP 10.0.10.1 > 192.168.8.15: ICMP echo request, id 14245, seq 0, length 64
17:10:34.549890 IP 10.0.10.1 > 192.168.8.15: ICMP echo request, id 14245, seq 1, length 64
17:10:35.564848 IP 10.0.10.1 > 192.168.8.15: ICMP echo request, id 14245, seq 2, length 64
17:10:36.580282 IP 10.0.10.1 > 192.168.8.15: ICMP echo request, id 14245, seq 3, length 64
17:10:37.595589 IP 10.0.10.1 > 192.168.8.15: ICMP echo request, id 14245, seq 4, length 64
10.0.10.1 is the gateway of the OpenVPN tunnel and 192.168.8.15 is a PC on the client side network. It seems that those packets never go out from the pfSense, though there is an ICMP pass rule! As you can see, you cannot see the ICMP echo reply. All the other protocols (TCP, UDP, …) work successfully.
These are my conf files.
The CLIENT:
dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xx.yyy.zz.ww
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote aa.bb.cc.dd 11194
ifconfig 10.0.10.2 10.0.10.1
route 10.10.10.0 255.255.255.0
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
comp-lzo
resolv-retry infinite
The SERVER:
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local aa.bb.cc.dd
tls-server
server 10.0.10.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
ifconfig 10.0.10.1 10.0.10.2
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 11194
management /var/etc/openvpn/server1.sock unix
push "route 10.10.10.0 255.255.255.0"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
push "route 192.168.8.0 255.255.255.0"
route 192.168.8.0 255.255.255.0
client-to-client
and the CSC file:
iroute 192.168.8.0 255.255.255.0
Rule for the OpenVPN interfaces (both sides): any protocol, any destination, any source PASS
Where am I wrong? Or is it a bug on the firewall side? I also added a complete pass rule for any protocol, but the ICMP packets don't go out from the OpenVPN client device.
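The capture above is the key piece of evidence in this thread: echo requests leave the pfSense LAN interface (vr0) and no echo reply ever comes back on the same interface, which places the drop downstream of pfSense rather than in its rule set. The following script is an added example (not part of the original post or of pfSense/OpenVPN) that automates that reading of a "tcpdump -n icmp" capture: it pairs every echo request with the reply carrying the same id/seq and reversed addresses, then classifies each requester/target pair as healthy, partial loss, or one-way. The embedded sample uses the five requests from the post plus a constructed request/reply pair to a second host (192.168.8.20, an assumed address) so the two outcomes can be compared.

```python
import re
from collections import defaultdict

# Matches the one-line ICMP echo records printed by "tcpdump -n icmp" (IPv4).
ICMP_ECHO_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)"
)

# Constructed sample capture: the five unanswered requests from the post, plus a
# made-up request/reply pair to 192.168.8.20 that shows what a healthy host looks like.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vr0, link-type EN10MB (Ethernet), capture size 96 bytes
17:10:33.530854 IP 10.0.10.1 > 192.168.8.15: ICMP echo request, id 14245, seq 0, length 64
17:10:34.549890 IP 10.0.10.1 > 192.168.8.15: ICMP echo request, id 14245, seq 1, length 64
17:10:35.564848 IP 10.0.10.1 > 192.168.8.15: ICMP echo request, id 14245, seq 2, length 64
17:10:36.580282 IP 10.0.10.1 > 192.168.8.15: ICMP echo request, id 14245, seq 3, length 64
17:10:37.595589 IP 10.0.10.1 > 192.168.8.15: ICMP echo request, id 14245, seq 4, length 64
17:10:40.100000 IP 10.0.10.1 > 192.168.8.20: ICMP echo request, id 14300, seq 0, length 64
17:10:40.100900 IP 192.168.8.20 > 10.0.10.1: ICMP echo reply, id 14300, seq 0, length 64
"""


def parse_echoes(lines):
    """Yield (kind, src, dst, id, seq) for each echo request/reply line; other lines are ignored."""
    for line in lines:
        m = ICMP_ECHO_RE.match(line.strip())
        if m:
            yield m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"])


def match_echoes(lines):
    """Pair requests with replies.

    Returns {(requester, target): {"sent": n, "answered": n, "unanswered": [seq, ...]}}.
    A reply is matched when its id/seq equal the request's and its addresses are reversed.
    """
    requests = []
    replies = set()
    for kind, src, dst, ident, seq in parse_echoes(lines):
        if kind == "request":
            requests.append((src, dst, ident, seq))
        else:
            # Flip src/dst so the key is expressed as requester -> target.
            replies.add((dst, src, ident, seq))

    stats = defaultdict(lambda: {"sent": 0, "answered": 0, "unanswered": []})
    for src, dst, ident, seq in requests:
        entry = stats[(src, dst)]
        entry["sent"] += 1
        if (src, dst, ident, seq) in replies:
            entry["answered"] += 1
        else:
            entry["unanswered"].append(seq)
    return dict(stats)


def classify(entry):
    """Turn one requester/target record into a diagnosis string."""
    if entry["answered"] == 0:
        return "one-way: requests seen, no replies (dropped beyond this capture point)"
    if entry["answered"] < entry["sent"]:
        return "partial loss"
    return "healthy"


def report(capture_text):
    """Return one summary line per requester/target pair, sorted for stable output."""
    stats = match_echoes(capture_text.splitlines())
    lines = []
    for (src, dst), entry in sorted(stats.items()):
        lines.append(
            f"{src} -> {dst}: sent={entry['sent']} answered={entry['answered']} "
            f"unanswered_seq={entry['unanswered']} :: {classify(entry)}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CAPTURE):
        print(line)
```

Run it against a saved capture with `report(open("capture.txt").read())`. A "one-way" verdict on the interface closest to the target, as in the post, means the request reached the last hop the firewall controls; the next thing to check is the target host itself (its own firewall, or a missing route back to the tunnel subnet), which is exactly where the thread ends up.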
-
OpenVPN traffic needs rules on the OpenVPN interface, maybe that's what you're missing. LAN rules are for outbound, OpenVPN rules for inbound.
-
@cmb:
OpenVPN traffic needs rules on the OpenVPN interface, maybe that's what you're missing. LAN rules are for outbound, OpenVPN rules for inbound.
I found the issue: it was a firewall blocking any incoming packet from a network outside the trusted one (the local network). Adding the remote network in the personal firewall, OpenVPN works like a charm!
Anyway, thank you for your reply!