VPN site-to-site: ping error between networks



  • Hi,

    I have a VPN set up using OpenVPN. The figures below show my complete setup, including the settings in pfSense.

    The problem is only in connectivity between the two sides of the VPN. In site-to-site mode, computer B cannot ping the other network, or vice versa.

    However, the pfSense server and the pfSense client can ping normally between networks A and B without any problems, and a computer connecting with client-to-site also achieves a ping.

    - I have no static routes created on the pfSense servers.

    - The firewall is disabled on all the computers (Windows XP).

    Please, I need help.

    Thanks





  • ….

    Continuing .. settings servers pfsense






  • I think I know what your problem is:
    The field "local network" is used to push the route to your local network to the connecting client.
    Since your connecting client represents a whole network, you need to add to the server config a command that adds an entry for this subnet to your server routing table, pointing to the connecting client.

    You might want to take a look at the man page of OpenVPN.
    If I remember correctly, the iroute command will help you with this.

    Use the tab "Client-specific configuration" for this, since you want the route for this subnet added dynamically depending on which IP the client connects with.

    @man-page:

    --iroute network [netmask]
        Generate an internal route to a specific client. The netmask parameter, if omitted, defaults to 255.255.255.255.

    This directive can be used to route a fixed subnet from the server to a particular client, regardless of where the client is connecting from. Remember that you must also add the route to the system routing table as well (such as by using the --route directive). The reason why two routes are needed is that the --route directive routes the packet from the kernel to OpenVPN. Once in OpenVPN, the --iroute directive routes to the specific client.

    This option must be specified either in a client instance config file using --client-config-dir or dynamically generated using a --client-connect script.

    The --iroute directive also has an important interaction with --push "route ...". --iroute essentially defines a subnet which is owned by a particular client (we will call this client A). If you would like other clients to be able to reach A's subnet, you can use --push "route ..." together with --client-to-client to effect this. In order for all clients to see A's subnet, OpenVPN must push this route to all clients EXCEPT for A, since the subnet is already owned by A. OpenVPN accomplishes this by not pushing a route to a client if it matches one of the client's iroutes.

    Alternatively (and I think that this would be a better solution), you set up a site-to-site connection with a shared key to connect your two networks, and a second VPN server to which your mobile clients can connect.



  • I may not have been clear. What I want is to make a site-to-site connection without needing connecting clients. The problem is that I do not know how to see (ping) network B through the VPN. If the problem is how to do the routes,

    can anyone help me, mentioning the routes needed?

    Thanks



  • I think you do not understand how OpenVPN works...
    OpenVPN adds the needed routes dynamically.

    If you want only site-to-site, then you should definitely go with the second solution and use a shared key.
    Please read the HowTos on http://openvpn.net or one of the guides that exist.
    (Also try to search the forum; there are quite a few people with your kind of setup.)
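    The two configurations discussed in this thread (the iroute/client-specific-config route for a certificate-based server, and the shared-key site-to-site pair) are easy to get half right, and the man page quoted above warns about exactly that: an iroute without a matching kernel route silently drops traffic. The script below is an added example, not code from the thread or from pfSense or OpenVPN; it holds constructed copies of both configurations inline (tunnel 10.8.0.0/24, site A LAN 192.168.1.0/24, site B LAN 192.168.2.0/24, client common name `siteB-client` and hostname `vpn-a.example.invalid` are all placeholders) and checks the consistency rules the thread relies on: every `iroute` in a ccd file has a matching `route` in the server config and only one owner, and in shared-key mode the two `ifconfig` addresses mirror each other and each side has a `route` for the far LAN.

```python
import ipaddress

# Constructed example (not from the thread): routed OpenVPN server as pfSense
# would write it for certificate-based clients. All addresses are placeholders.
SERVER_CONF = """
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
# kernel route: hand packets for site B to the OpenVPN process
route 192.168.2.0 255.255.255.0
client-config-dir ccd
client-to-client
"""

# Constructed ccd file keyed by the client's certificate common name; on pfSense
# the "Client-specific configuration" tab generates this. The iroute tells
# OpenVPN which connected client owns 192.168.2.0/24.
CCD_FILES = {
    "siteB-client": "iroute 192.168.2.0 255.255.255.0\n",
}

# Constructed shared-key site-to-site pair: each peer routes the other's LAN
# over the static tunnel; the ifconfig addresses must mirror each other.
SITE_A_CONF = """
dev tun
proto udp
port 1194
secret static.key
ifconfig 10.8.0.1 10.8.0.2
route 192.168.2.0 255.255.255.0
"""
SITE_B_CONF = """
dev tun
proto udp
remote vpn-a.example.invalid 1194
secret static.key
ifconfig 10.8.0.2 10.8.0.1
route 192.168.1.0 255.255.255.0
"""


def parse_networks(text, directive):
    """Return the set of networks declared by '<directive> network [netmask]' lines."""
    nets = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()      # drop comments
        if len(parts) >= 2 and parts[0] == directive:
            netmask = parts[2] if len(parts) > 2 else "255.255.255.255"  # man-page default
            nets.add(ipaddress.ip_network(f"{parts[1]}/{netmask}", strict=False))
    return nets


def parse_ifconfig(text):
    """Return (local, remote) from the first 'ifconfig' line, or None."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == "ifconfig":
            return parts[1], parts[2]
    return None


def check_iroutes(server_conf, ccd_files):
    """List mismatches between ccd iroutes and the server's kernel routes."""
    problems = []
    routes = parse_networks(server_conf, "route")
    owners = {}                                    # subnet -> client names claiming it
    for name, text in ccd_files.items():
        for net in parse_networks(text, "iroute"):
            owners.setdefault(net, []).append(name)
    for net, names in owners.items():
        if net not in routes:
            problems.append(f"iroute {net} in ccd/{names[0]} has no matching 'route' in server config")
        if len(names) > 1:
            problems.append(f"{net} is iroute'd to more than one client: {names}")
    for net in routes - set(owners):
        problems.append(f"route {net} reaches OpenVPN but no ccd file claims it with iroute")
    return problems


def check_shared_key(conf_a, lan_a, conf_b, lan_b):
    """List inconsistencies in a shared-key site-to-site pair."""
    problems = []
    ifc_a, ifc_b = parse_ifconfig(conf_a), parse_ifconfig(conf_b)
    if ifc_a is None or ifc_b is None:
        problems.append("both peers need an 'ifconfig local remote' line")
    elif ifc_a != (ifc_b[1], ifc_b[0]):
        problems.append(f"ifconfig addresses do not mirror: {ifc_a} vs {ifc_b}")
    for site, conf, far_lan in (("A", conf_a, lan_b), ("B", conf_b, lan_a)):
        if ipaddress.ip_network(far_lan) not in parse_networks(conf, "route"):
            problems.append(f"site {site} has no 'route' for the far LAN {far_lan}")
    return problems


if __name__ == "__main__":
    print("ccd/iroute mode:", check_iroutes(SERVER_CONF, CCD_FILES) or "ok")
    print("shared-key mode:", check_shared_key(SITE_A_CONF, "192.168.1.0/24",
                                               SITE_B_CONF, "192.168.2.0/24") or "ok")
```

    Routes alone do not make the ping work on pfSense: the OpenVPN interface has its own firewall tab, and without a pass rule there the forwarded ICMP is dropped on the firewall even though both gateways can ping each other over the tunnel. Running the checks after each change in the GUI, before testing from a host, narrows the fault to either routing or filtering.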



  • Problem solved

    I have made the interconnection of the networks through the use of a shared key, as advised for site-to-site. I thought that if I used certificates, that was the problem, but there was no ping between networks A and B.

    Thanks to all

