Netgate Discussion Forum

    Traffic Not Passing to OpenVPN Clients

      dan_j
      last edited by

      Hi,

      I've set up Openvpn using site-to-site.

      Local Pfsense (10.50.0.90) - Local LAN range 10.50.0.0/24
      Far side Pfsense (10.50.1.1) - Far LAN Range 10.50.1.0/24

      I can use Diagnostics ->Ping, and ping from the local pfsense (10.50.0.90) to a machine on the far side (10.50.1.10) so I know the VPN connection is established and the packets can flow over it and back.

      But I cannot ping from a machine on the local side (10.50.0.71) to the machine on the far side (10.50.1.10).

      I've added the required routes and, using Diagnostics -> Packet Capture on the local pfsense, I can see the ping packets are being received, and therefore the routes on the local machine are correct.

      But it seems that pfsense is not passing those ping packets over the VPN connection. I've added PASS ALL rules to the OpenVPN tab and the openvpn interface tab.

      Any ideas why it's not working?

      Many thanks in advance.
      Dan

        marvosa
        last edited by

        First thing I would do is disable the windows firewall on the machines you're testing with.

        Second, post the server1.conf from the server and client1.conf from the client.

          dan_j
          last edited by

          Turning off the Windows firewall on the client didn't help unfortunately.

          Here is the server1.conf file

          dev ovpns1
          verb 4
          dev-type tun
          dev-node /dev/tun1
          writepid /var/run/openvpn_server1.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto udp
          cipher AES-128-CBC
          auth SHA1
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          local 212.XXX.XXX.126
          tls-server
          server 10.60.1.0 255.255.255.0
          client-config-dir /var/etc/openvpn-csc
          ifconfig 10.60.1.1 10.60.1.2
          lport 1194
          management /var/etc/openvpn/server1.sock unix
          max-clients 10
          push "route 10.50.1.0 255.255.255.0"
          route 10.50.0.0 255.255.255.0
          ca /var/etc/openvpn/server1.ca
          cert /var/etc/openvpn/server1.cert
          key /var/etc/openvpn/server1.key
          dh /etc/dh-parameters.2048
          script-security 2


          And here is the client1.conf file

          dev ovpnc1
          verb 3
          dev-type tun
          dev-node /dev/tun1
          writepid /var/run/openvpn_client1.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto udp
          cipher AES-128-CBC
          auth SHA1
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          local 46.XXX.XXX.164
          tls-client
          client
          lport 0
          management /var/etc/openvpn/client1.sock unix
          remote 212.XXX.XXX.126 1194
          route 10.50.1.0 255.255.255.0
          ca /var/etc/openvpn/client1.ca
          cert /var/etc/openvpn/client1.cert
          key /var/etc/openvpn/client1.key
          resolv-retry infinite


          Many thanks
          Dan

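As an added example (not from the thread or from pfSense), the script below parses the route-related directives out of the two posted configs and checks the three things a site-to-site tunnel running in `server` (multi-client) mode needs: a kernel `route` on the server for the client's LAN, a route to the server's LAN on the client (local or pushed), and an `iroute` in the client's CCD file so OpenVPN itself knows which client owns that LAN. From the `route`/`push "route"` lines, the server side is taken to sit on 10.50.1.0/24 and the client side on 10.50.0.0/24; the CCD content is a constructed placeholder because the thread does not show one.

```python
import ipaddress
import re

# Excerpts of the two configs posted above: only the directives that decide
# whether LAN-to-LAN traffic can cross the tunnel.
SERVER_CONF = """
server 10.60.1.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
push "route 10.50.1.0 255.255.255.0"
route 10.50.0.0 255.255.255.0
"""
CLIENT_CONF = """
client
remote 212.XXX.XXX.126 1194
route 10.50.1.0 255.255.255.0
"""
# Constructed placeholder: the thread shows no CCD file, so assume it is empty.
CCD_CONF = ""

def directive_nets(conf, directive, pushed=False):
    """Networks named by `directive` lines; pushed=True reads push "route ..." lines."""
    nets = []
    for line in (l.strip() for l in conf.splitlines()):
        if pushed:
            m = re.match(r'push\s+"(.+)"$', line)
            if not m:
                continue
            line = m.group(1)
        parts = line.split()
        if len(parts) >= 3 and parts[0] == directive:
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets

def check_site_to_site(server_conf, client_conf, ccd_conf, server_lan, client_lan):
    """Return a list of findings; an empty list means the routing directives agree."""
    server_lan, client_lan = ipaddress.ip_network(server_lan), ipaddress.ip_network(client_lan)
    findings = []
    # 1. The server kernel must hand packets for the client LAN to the tun device.
    if client_lan not in directive_nets(server_conf, "route"):
        findings.append(f"server: missing 'route' for client LAN {client_lan}")
    # 2. The client must learn the server LAN, either locally or via a pushed route.
    if (server_lan not in directive_nets(client_conf, "route")
            and server_lan not in directive_nets(server_conf, "route", pushed=True)):
        findings.append(f"client: no route to server LAN {server_lan}")
    # 3. In 'server' mode OpenVPN also needs an iroute in the client's CCD file to tie
    #    the client LAN to that client; without it the kernel route alone is not enough.
    if any(l.split()[:1] == ["server"] for l in server_conf.splitlines()):
        if client_lan not in directive_nets(ccd_conf, "iroute"):
            findings.append(f"server: add 'iroute {client_lan.network_address} "
                            f"{client_lan.netmask}' to the client's CCD file")
    return findings

if __name__ == "__main__":
    for f in check_site_to_site(SERVER_CONF, CLIENT_CONF, CCD_CONF, "10.50.1.0/24", "10.50.0.0/24"):
        print(f)
```

Run against the posted excerpts it reports only the missing CCD iroute; drop the `push "route"` line and empty the client's `route` and it also reports the client having no path to the server LAN.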
            divsys
            last edited by

            To be totally sure you're not getting munged by Windoze effects, you have to turn off the firewall on both ends, the source and the destination.

            Do you have anything else you can use to test?
            The web page of a printer on one side or the other is often a good choice for a test.

            Can you log in to the 10.50.1.1 pfSense from the 10.50.0.0 side?
            May be worth a ping test from 10.50.1.1 to 10.50.0.71 just to prove you have traffic flow in both directions.

            Other than that, I would be looking for something else blocking traffic after pfSense.

            -jfp

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.