Traffic Not Passing to OpenVPN Clients
-
Hi,
I've set up Openvpn using site-to-site.
Local Pfsense (10.50.0.90) - Local LAN range 10.50.0.0/24
Far side Pfsense (10.50.1.1) - Far LAN Range 10.50.1.0/24I can use Diagnostics ->Ping, and ping from the local pfsense (10.50.0.90) to a machine on the far side (10.50.1.10) so I know the VPN connection is established and the packets can flow over it and back.
But I cannot ping from a machine on the local side (10.50.0.71) to the machine on the far side (10.50.1.10).
I've added the required routes and using Diagnostics-Packet Capture on the local pfsense, i can see the ping packets are being received and therefore the routes on the local machine is correct.
But it seems that pfsense is not passing those ping packets over the VPN connection. I've added PASS ALL rules to the OpenVPN tab and the openvpn interface tab.
Any ideas why it's not working?
Many thanks in advance.
Dan -
First thing I would do is disable the windows firewall on the machines you're testing with.
Second, post the server1.conf from the server and client1.conf from the client.
-
Turning off the Windows firewall on the client didn't help unfortunately.
Here is the server1.conf file
dev ovpns1 verb 4 dev-type tun dev-node /dev/tun1 writepid /var/run/openvpn_server1.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp cipher AES-128-CBC auth SHA1 up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown local 212.XXX.XXX.126 tls-server server 10.60.1.0 255.255.255.0 client-config-dir /var/etc/openvpn-csc ifconfig 10.60.1.1 10.60.1.2 lport 1194 management /var/etc/openvpn/server1.sock unix max-clients 10 push "route 10.50.1.0 255.255.255.0" route 10.50.0.0 255.255.255.0 ca /var/etc/openvpn/server1.ca cert /var/etc/openvpn/server1.cert key /var/etc/openvpn/server1.key dh /etc/dh-parameters.2048 script-security 2And here is the client1.conf file
dev ovpnc1 verb 3 dev-type tun dev-node /dev/tun1 writepid /var/run/openvpn_client1.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp cipher AES-128-CBC auth SHA1 up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown local 46.XXX.XXX.164 tls-client client lport 0 management /var/etc/openvpn/client1.sock unix remote 212.XXX.XXX.126 1194 route 10.50.1.0 255.255.255.0 ca /var/etc/openvpn/client1.ca cert /var/etc/openvpn/client1.cert key /var/etc/openvpn/client1.key resolv-retry infiniteMany thanks
Dan -
To be totally sure you're not getting munged by Windoze effects, you have to turn of the firewall on both ends, the source and the destination.
Do you have anything else you can use to test?
The web page of a printer on one side or the other is often a good choice for a test.Can you log in to the 10.50.1.1 pfSense from the 10.50.0.0 side?
May be worth a ping test from 10.50.1.1 to 10.50.0.71 just to prove you have traffic flow in both directions.Other than that, I would be looking for something else blocking traffic after pfSense.