OpenVPN site-to-site ping issue


  • Hi all,
    during these days, I configured a site-to-site openVPN network with two 2.0.1 pfSense devices. It works successfully, but the ping gets blocked in one direction (but it does in the other), though I've added an "ICMP pass" rule at both sides of the LAN interfaces.
    The direction that works is from the client side to the server side network: from any PCs in the client side I can successfully ping all the PCs in the other network.
    From the server side, however, I can ping only the LAN address of the pfSense client side. It's weird that every other protocol works (in both directions), but not ICMP!

    I have sniffed (tcpdump) the network at the client side: the ICMP appears to exit from the VPN, but it seems to be dropped somewhere. The sniffing was done both on the ovpnc1 interface and the vr0 (LAN) interface of the client side: the packets never reach the destination (a sniffer on the destination confirmed this). No problem in the opposite direction.

    This is the output of tcpdump on the LAN interface at the client side:

    tcpdump -n -i vr0 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vr0, link-type EN10MB (Ethernet), capture size 96 bytes
    
    17:10:33.530854 IP 10.0.10.1 > 192.168.8.15: ICMP echo request, id 14245, seq 0, length 64
    17:10:34.549890 IP 10.0.10.1 > 192.168.8.15: ICMP echo request, id 14245, seq 1, length 64
    17:10:35.564848 IP 10.0.10.1 > 192.168.8.15: ICMP echo request, id 14245, seq 2, length 64
    17:10:36.580282 IP 10.0.10.1 > 192.168.8.15: ICMP echo request, id 14245, seq 3, length 64
    17:10:37.595589 IP 10.0.10.1 > 192.168.8.15: ICMP echo request, id 14245, seq 4, length 64
    

    10.0.10.1 is the gateway of the OpenVPN tunnel and 192.168.8.15 is a PC on the client side network. It seems that those packets never go out from the pfSense, though there is an ICMP pass rule! As you can see, you cannot see the ICMP echo reply. All the other protocols (TCP, UDP, …) work successfully.

    These are my conf files.
    The CLIENT:

    dev ovpnc1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local xx.yyy.zz.ww
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote aa.bb.cc.dd 11194
    ifconfig 10.0.10.2 10.0.10.1
    route 10.10.10.0 255.255.255.0
    ca /var/etc/openvpn/client1.ca
    cert /var/etc/openvpn/client1.cert
    key /var/etc/openvpn/client1.key
    tls-auth /var/etc/openvpn/client1.tls-auth 1
    comp-lzo
    resolv-retry infinite
    

    The SERVER:

    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local aa.bb.cc.dd
    tls-server
    server 10.0.10.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    ifconfig 10.0.10.1 10.0.10.2
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 11194
    management /var/etc/openvpn/server1.sock unix
    push "route 10.10.10.0 255.255.255.0"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    comp-lzo
    push "route 192.168.8.0 255.255.255.0"
    route 192.168.8.0 255.255.255.0
    client-to-client
    

    and the CSC file:

    iroute 192.168.8.0 255.255.255.0
    

    Rule for the OpenVPN interfaces (both sides): any protocol, any destination, any source PASS

    Where am I wrong? Or is it a bug at the firewall side? I also added a complete pass rule for any protocol, but the ICMP packet doesn't go out from the openVPN client device.
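    To make the request/reply pairing in a capture like the one above mechanical, here is an added Python example (not from this thread, nor pfSense or OpenVPN code): it reads `tcpdump -n icmp` output, pairs each ICMP echo request with its reply by addresses, id and seq, and reports the flows whose requests went unanswered. The sample capture reuses the lines posted above plus two constructed lines (host 10.10.10.20 is an assumed machine on the server LAN) showing the direction that works.

```python
import re
from collections import defaultdict

# Matches the ICMP echo lines tcpdump prints with -n for IPv4, whatever the
# timestamp format, e.g.
#   17:10:33.530854 IP 10.0.10.1 > 192.168.8.15: ICMP echo request, id 14245, seq 0, length 64
ECHO_RE = re.compile(
    r"\bIP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse_echo(line):
    """Return the fields of an ICMP echo request/reply line, or None for any other line."""
    m = ECHO_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["id"] = int(fields["id"])
    fields["seq"] = int(fields["seq"])
    return fields

def unanswered_requests(lines):
    """Pair echo requests with replies.

    A reply travels target -> requester, so its (dst, src) is the request's (src, dst).
    Returns {(requester, target, icmp_id): sorted seq numbers that never got a reply}.
    """
    pending = defaultdict(set)
    for line in lines:
        p = parse_echo(line)
        if p is None:
            continue
        if p["kind"] == "request":
            pending[(p["src"], p["dst"], p["id"])].add(p["seq"])
        else:
            pending[(p["dst"], p["src"], p["id"])].discard(p["seq"])
    return {flow: sorted(seqs) for flow, seqs in pending.items() if seqs}

# Constructed sample: the three requests from the capture above (server side -> client LAN PC,
# no replies) and one request/reply pair in the working direction (client LAN PC -> server LAN).
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vr0, link-type EN10MB (Ethernet), capture size 96 bytes
17:10:33.530854 IP 10.0.10.1 > 192.168.8.15: ICMP echo request, id 14245, seq 0, length 64
17:10:34.549890 IP 10.0.10.1 > 192.168.8.15: ICMP echo request, id 14245, seq 1, length 64
17:10:35.564848 IP 10.0.10.1 > 192.168.8.15: ICMP echo request, id 14245, seq 2, length 64
17:10:40.102331 IP 192.168.8.15 > 10.10.10.20: ICMP echo request, id 301, seq 0, length 64
17:10:40.118004 IP 10.10.10.20 > 192.168.8.15: ICMP echo reply, id 301, seq 0, length 64
""".splitlines()

if __name__ == "__main__":
    for (src, dst, icmp_id), seqs in unanswered_requests(SAMPLE).items():
        print(f"{src} -> {dst} (id {icmp_id}): {len(seqs)} request(s) without a reply, seq {seqs}")
```

    Running the same script over captures taken on ovpnc1, on the LAN interface and on the destination host shows at which hop the replies first go missing.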


  • OpenVPN traffic needs rules on the OpenVPN interface, maybe that's what you're missing. LAN rules are for outbound, OpenVPN rules for inbound.


  • @cmb:

    OpenVPN traffic needs rules on the OpenVPN interface, maybe that's what you're missing. LAN rules are for outbound, OpenVPN rules for inbound.

    I found the issue: it was a firewall blocking any incoming packet from a network outside the trusted one (the local network). Adding the remote network in the personal firewall, OpenVPN works like a charm!

    Anyway, thank you for your reply!