Traffic Not Passing to OpenVPN Clients



  • Hi,

    I've set up OpenVPN using site-to-site.

    Local Pfsense (10.50.0.90) - Local LAN range 10.50.0.0/24
    Far side Pfsense (10.50.1.1) - Far LAN Range 10.50.1.0/24

    I can use Diagnostics -> Ping, and ping from the local pfSense (10.50.0.90) to a machine on the far side (10.50.1.10), so I know the VPN connection is established and the packets can flow over it and back.

    But I cannot ping from a machine on the local side (10.50.0.71) to the machine on the far side (10.50.1.10).

    I've added the required routes and, using Diagnostics -> Packet Capture on the local pfSense, I can see the ping packets are being received and therefore the routes on the local machine are correct.

    But it seems that pfSense is not passing those ping packets over the VPN connection. I've added PASS ALL rules to the OpenVPN tab and the OpenVPN interface tab.

    Any ideas why it's not working?

    Many thanks in advance.
    Dan



  • First thing I would do is disable the Windows firewall on the machines you're testing with.

    Second, post the server1.conf from the server and client1.conf from the client.



  • Turning off the Windows firewall on the client didn't help unfortunately.

    Here is the server1.conf file

    
    dev ovpns1
    verb 4
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 212.XXX.XXX.126
    tls-server
    server 10.60.1.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    ifconfig 10.60.1.1 10.60.1.2
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 10
    push "route 10.50.1.0 255.255.255.0"
    route 10.50.0.0 255.255.255.0
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048
    script-security 2
    
    

    And here is the client1.conf file

    
    dev ovpnc1
    verb 3
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 46.XXX.XXX.164
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote 212.XXX.XXX.126 1194
    route 10.50.1.0 255.255.255.0
    ca /var/etc/openvpn/client1.ca
    cert /var/etc/openvpn/client1.cert
    key /var/etc/openvpn/client1.key
    resolv-retry infinite
    
    

    Many thanks
    Dan
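    One check worth running on a site-to-site tunnel whose server side uses the `server` directive (multi-client mode, as server1.conf above does): in that mode OpenVPN needs, besides the kernel `route` to the remote LAN, a matching `iroute` for that LAN in the client's file under `client-config-dir`, otherwise it does not know which connected client owns the subnet. The script below is an added example, not code from the thread or from pfSense; the contents of `/var/etc/openvpn-csc` are not shown in the thread, so the CCD file used here is a constructed placeholder.

```python
import ipaddress

# Routing-relevant directives from the server1.conf posted above.
SERVER_CONF = """
server 10.60.1.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
push "route 10.50.1.0 255.255.255.0"
route 10.50.0.0 255.255.255.0
"""

# Constructed placeholder: the real client-config-dir is not shown in the
# thread. Key = file name (client common name), value = file contents.
CCD_FILES_EMPTY = {"client1": ""}
CCD_FILES_FIXED = {"client1": "iroute 10.50.0.0 255.255.255.0\n"}


def parse_directives(text):
    """Yield (directive, args) pairs from OpenVPN config text, skipping comments."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.replace('"', "").split()
        out.append((parts[0], parts[1:]))
    return out


def to_network(args):
    """Turn 'net netmask' arguments into an ip_network (accepts dotted masks)."""
    return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)


def missing_iroutes(server_conf, ccd_files):
    """Return server 'route' subnets that no CCD file claims with an 'iroute'.

    In point-to-point (no 'server' directive) mode iroute is not used, so the
    check returns an empty list there.
    """
    directives = parse_directives(server_conf)
    if not any(name == "server" for name, _ in directives):
        return []
    routes = {to_network(a) for n, a in directives if n == "route" and len(a) >= 2}
    iroutes = set()
    for contents in ccd_files.values():
        for name, args in parse_directives(contents):
            if name == "iroute" and len(args) >= 2:
                iroutes.add(to_network(args))
    return sorted(str(net) for net in routes - iroutes)
```

Run `missing_iroutes(SERVER_CONF, CCD_FILES_EMPTY)` to list subnets routed to the tunnel that no client file claims; the routes pushed to clients are intentionally excluded, since `push "route ..."` is parsed as a `push` directive.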



  • To be totally sure you're not getting munged by Windoze effects, you have to turn off the firewall on both ends, the source and the destination.

    Do you have anything else you can use to test?
    The web page of a printer on one side or the other is often a good choice for a test.

    Can you log in to the 10.50.1.1 pfSense from the 10.50.0.0 side?
    May be worth a ping test from 10.50.1.1 to 10.50.0.71 just to prove you have traffic flow in both directions.

    Other than that, I would be looking for something else blocking traffic after pfSense.