Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Nodes on OPVN server side cannot ping client and beyond

    Scheduled Pinned Locked Moved OpenVPN
    6 Posts 3 Posters 1.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • 5 Offline
      5mall5nail5
      last edited by

      Hi guys - got a pfsense vm running very well on 2.1.5 in Esxi 5.5 U2

      I've setup OpenVPN and have my remote location connecting with an Asus AC68U router running OpenVPN client so that I can have a site to site.

      The client LAN is 192.168.1.0/24 and the Server LAN is 192.168.50.0/24

      Client 192.168.1.26 can ping and RDP to 192.168.50.25, but not vice versa.

      What option am I missing?

      Thanks guys

      1 Reply Last reply Reply Quote 0
      • P Offline
        phil.davis
        last edited by

        Rules on the client OpenVPN end could be blocking incoming session start from the Server LAN end.
        Client 192.168.1.26 might have a firewall stopping all traffic (or maybe stopping traffic from outside its own subnet).
        Post some actual settings/rules screens if you are stuck.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        1 Reply Last reply Reply Quote 0
        • 5 Offline
          5mall5nail5
          last edited by

          @phil.davis:

          Rules on the client OpenVPN end could be blocking incoming session start from the Server LAN end.
          Client 192.168.1.26 might have a firewall stopping all traffic (or maybe stopping traffic from outside its own subnet).
          Post some actual settings/rules screens if you are stuck.

          Thanks for the reply - I used the wizards to simply create the server side including certs and all.  Client connects fine.  Here are my FW rules on the pfSense:

          pfSense Firewall Rules by Jon Kensy, on Flickr

          pfsense OpenVPN FW Rules by Jon Kensy, on Flickr

          Here's the ovpn file that is exported from the pfSense firewall and is what is used on the client:

          dev tun
          persist-tun
          persist-key
          cipher AES-256-CBC
          auth SHA1
          tls-client
          client
          resolv-retry infinite
          remote <redacted>1194 udp
          lport 0
          verify-x509-name "bridgetownovpn" name
          auth-user-pass
          comp-lzo

          <ca>–---BEGIN CERTIFICATE-----
          redacted
          -----END CERTIFICATE-----</ca>
          <cert>-----BEGIN CERTIFICATE-----
          redacted
          -----END CERTIFICATE-----</cert>
          <key>-----BEGIN PRIVATE KEY-----
          redacted
          -----END PRIVATE KEY-----</key>
          <tls-auth>#

          2048 bit OpenVPN static key

          -----BEGIN OpenVPN Static key V1-----
          redacted
          -----END OpenVPN Static key V1-----</tls-auth>
          key-direction 1

          So basically the other router (the client, Asus AC68) knows to route requests for 192.168.50.x through the gateway on that side (192.168.1.1), but my machines either do not know what to do with requests for 192.168.1.x or my gateway (pfSense 192.168.50.1) doesn't handle them.</redacted>

          1 Reply Last reply Reply Quote 0
          • 5 Offline
            5mall5nail5
            last edited by

            Also very interesting - when you go to create an OpenVPN setup through the wizard in pfSense there's no field for "remote network", however when you go to create an OpenVPN server setup without the wizard there's an option that says:

            Remote networks :  [                    ]
            These are the IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more CIDR ranges. If this is a site-to-site VPN, enter the remote LAN/s here. You may leave this blank if you don't want a site-to-site VPN.

            That's sounding exactly like what I need - so it seems the wizard does not offer the same options as the non-wizard?

            1 Reply Last reply Reply Quote 0
            • DerelictD Offline
              Derelict LAYER 8 Netgate
              last edited by

              The wizard is for Remote Access (Road warrior) setups.  Not site-to-site.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 0
              • 5 Offline
                5mall5nail5
                last edited by

                @Derelict:

                The wizard is for Remote Access (Road warrior) setups.  Not site-to-site.

                Yep!  Figured that out now lol.

                Got it going with the standard setup for site to site using just shared key.

                Thanks guys - both sides ping!

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.