OpenVPN site to site - no joy- VPN up but no talk

cjbujold

Created a site to site OpenVPN using PFSense as the router at both locations(v2.0.1) both sites connect without a problem (sharedkey).  I can ping the 10.0.8.1 or 10.0.8.2 from both sides without a problem.  No errors reported in log for openvpn or firewall log.

The issue is that neither side can ping or access PC's on the other network.  I can ping the 10.0.8.X router from the remote locations but cannot ping the actual Internal IP of the router (192.168.0.1 and 192.168.120.1).  I thought it was a routing issue so checked the route table on both PFsense device and both have an entry for the 10.0.8.1 and 10.0.8.2 route to the router and a third being the subnet route of the remote office to the remote 10.0.8.X router.  Verified each PFsense server and both have a Openvpn route that states anything to anything.

I'm at a lost to find why we cannot actually connect to any of the remote PC's, yet the openvpn tunnel is up.  The setup used is from the user guide available on the PFsense web site. (http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_%28Shared_Key,_2.0%29)

Any help would be appreciated

Thanks
cjb

Nachtfalke

On the OpenVPN Server with IP you need to add a route to the network behind the OpenVPN client (10.0.8.2)
On OpenVPN Server go to custom Options and add:

route 192.168.120.0 255.255.255.0;

Probably you do not need this entry because you entered this network in "Remote Network" in the OpenVPN Server options.

On the client OpenVPN add this:

route 192.168.0.0 255.255.255.0;
iroute 192.168.120.0 255.255.255.0;

Check and allow traffic on bothe firewalls for OpenVPN.
For testing purposes a simple "Allow any to any" rule should work.

kartweel

Hi,

I have this exact issue. The proposed solution doesn't work for me. If I add iroute on the client it says it is not valid.

Did you end up getting this working?

kartweel

So I ended up assigning an interface, which then allowed any PC to access the server on the other end, but not the remote network. So I then created a gateway and added a static route at each end to point to the other network, and gave my interface a static IP then it worked. So it really seems that I needed to duplicate the OpenVPN configuration manually for it to work. At least it works I guess… :)

jockwatson

Is that really the only way to get this to work for even a simple site to site?

Can I clarify with you kartweel?

Did you assign interfaces on both client and server, and did you then assign the same static IP to the interface(s) as the OpenVPN would have been set to (so 10.0.8.1 at the server end on my config)?

Then you add routes at each end?

heper

entering the remote an local networks on both ends should do the trick for simple site-2-site vpn's using openvpn.

i've done this a dozen times without fail