Netgate Discussion Forum

    Open VPN Site to Multi Site Only works to 1 of the 2 sites

    • Tier4

      So this is the first time I am using OpenVPN to connect multiple sites. This is the basic layout. I am able to ping across the 1194 link but get no response on the 1199 link. I do see the packets coming in….

      192.168.0.1/24 <---------------------------------------> 192.168.10.0/24 <---------------------------------------------> 192.168.0.0/24

      Port 1199                192.168.30.0/24                                                          192.168.11.0/24                          Port1194

      CAN'T Ping                                                                                                                  CAN Ping

      I have checked all FW rules and routes and they look the same for both sides…

      What am I missing?

      • Derelict LAYER 8 Netgate

        What are the rules on all of the OpenVPN tabs?

        When connections come INTO pfSense, there needs to be a rule on that host's VPN tab passing that traffic.

        And the virtual interfaces are only part of the picture.  What are all the LAN subnets at each site?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • Tier4

          All OVPN have an Any - Any rule in them

          sites are
          192.168.0.1 - Lan /Remote client/Can't Ping
          192.168.10.1 - Lan / Server/Main Site
          192.168.1.1 - Lan / Remote Client/ Can Ping

          • Derelict LAYER 8 Netgate

            @Tier4:

            All OVPN have an Any - Any rule in them

            sites are
            192.168.0.1 - Lan /Remote client/Can't Ping
            192.168.10.1 - Lan / Server/Main Site
            192.168.1.1 - Lan / Remote Client/ Can Ping

            Can't ping what?  You can't ping the OpenVPN tunnel addresses in most cases.  They're not really interfaces and aren't running an ICMP stack.

              • Tier4

              I can't ping the 192.168.0.1 LAN interface on the other end of the OpenVPN tunnel. In the case of the side that I can ping, I can ping 192.168.11.1 and .2, the tunnel addresses.

                • Derelict LAYER 8 Netgate

                You need to make sure a route for 192.168.0.0/24 is being pushed out to the remote client.
                You need to make sure a route for 192.168.1.0/24 is being pushed to the other remote client.

                You need to make sure that OpenVPN firewall rules on the main site and the 192.168.1.1 site pass the traffic.

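Added example, not part of the original thread: a small Python model of the route check described in the last reply, tracing an echo request and its reply through each firewall's routing table. The subnets come from the thread; the router names (`main`, `site_a`, `site_b`), the host 192.168.1.50 and the table contents are constructed, with `site_a` deliberately left without a route to 192.168.1.0/24.

```python
import ipaddress

# Constructed tables: prefix -> next hop ("local" = attached LAN, "wan" = default gateway).
# Subnets follow the thread; router names and table contents are assumptions.
ROUTES = {
    "main": {"0.0.0.0/0": "wan", "192.168.10.0/24": "local",
             "192.168.0.0/24": "site_a", "192.168.1.0/24": "site_b"},
    # site_a was never pushed a route for 192.168.1.0/24
    "site_a": {"0.0.0.0/0": "wan", "192.168.0.0/24": "local",
               "192.168.10.0/24": "main"},
    "site_b": {"0.0.0.0/0": "wan", "192.168.1.0/24": "local",
               "192.168.10.0/24": "main", "192.168.0.0/24": "main"},
}

def next_hop(table, dst):
    """Longest-prefix match of dst against one router's table."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in table]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
    return table[str(best)]

def trace(routes, start, dst, max_hops=8):
    """Follow dst hop by hop; return (delivered, list of routers visited)."""
    path = [start]
    for _ in range(max_hops):
        hop = next_hop(routes[path[-1]], dst)
        if hop == "local":
            return True, path
        if hop == "wan":
            return False, path  # only the default route matched: not sent into a tunnel
        path.append(hop)
    return False, path  # hop limit reached: routing loop

def ping(routes, src_router, src_ip, dst_ip):
    """Model an echo request and its reply; report where either leaves the VPN."""
    ok, fwd = trace(routes, src_router, dst_ip)
    if not ok:
        return f"request leaves the VPN at {fwd[-1]}"
    ok, back = trace(routes, fwd[-1], src_ip)
    if not ok:
        return f"reply leaves the VPN at {back[-1]}"
    return "ok"

def with_route(routes, router, prefix, via):
    """Return a copy of routes with one extra route on one router."""
    fixed = {r: dict(t) for r, t in routes.items()}
    fixed[router][prefix] = via
    return fixed
```

With these tables, `ping(ROUTES, "site_b", "192.168.1.50", "192.168.0.1")` shows the request arriving at `site_a` and the reply leaving by the default gateway; after `with_route(ROUTES, "site_a", "192.168.1.0/24", "main")` the same call returns `ok`.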
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.