Traffic Not Passing to OpenVPN Clients

dan_j

Hi,

I've set up Openvpn using site-to-site.

Local Pfsense (10.50.0.90) - Local LAN range 10.50.0.0/24
Far side Pfsense (10.50.1.1) - Far LAN Range 10.50.1.0/24

I can use Diagnostics ->Ping, and ping from the local pfsense (10.50.0.90) to a machine on the far side (10.50.1.10) so I know the VPN connection is established and the packets can flow over it and back.

But I cannot ping from a machine on the local side (10.50.0.71) to the machine on the far side (10.50.1.10).

I've added the required routes and using Diagnostics-Packet Capture on the local pfsense, i can see the ping packets are being received and therefore the routes on the local machine is correct.

But it seems that pfsense is not passing those ping packets over the VPN connection. I've added PASS ALL rules to the OpenVPN tab and the openvpn interface tab.

Any ideas why it's not working?

Many thanks in advance.
Dan

marvosa

First thing I would do is disable the windows firewall on the machines you're testing with.

Second, post the server1.conf from the server and client1.conf from the client.

dan_j

Turning off the Windows firewall on the client didn't help unfortunately.

Here is the server1.conf file

dev ovpns1
verb 4
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 212.XXX.XXX.126
tls-server
server 10.60.1.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
ifconfig 10.60.1.1 10.60.1.2
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 10
push "route 10.50.1.0 255.255.255.0"
route 10.50.0.0 255.255.255.0
ca /var/etc/openvpn/server1.ca 
cert /var/etc/openvpn/server1.cert 
key /var/etc/openvpn/server1.key 
dh /etc/dh-parameters.2048
script-security 2

And here is the client1.conf file

dev ovpnc1
verb 3
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 46.XXX.XXX.164
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote 212.XXX.XXX.126 1194
route 10.50.1.0 255.255.255.0
ca /var/etc/openvpn/client1.ca 
cert /var/etc/openvpn/client1.cert 
key /var/etc/openvpn/client1.key 
resolv-retry infinite

Many thanks
Dan

divsys

To be totally sure you're not getting munged by Windoze effects, you have to turn of the firewall on both ends, the source and the destination.

Do you have anything else you can use to test?
The web page of a printer on one side or the other is often a good choice for a test.

Can you log in to the 10.50.1.1 pfSense from the 10.50.0.0 side?
May be worth a ping test from 10.50.1.1 to 10.50.0.71 just to prove you have traffic flow in both directions.

Other than that, I would be looking for something else blocking traffic after pfSense.