Data passing in one direction only, static site to site VPN



  • I've got a static key site to site VPN. The client can access everything on the LAN of the server perfect. Worked first time. However, when I try to access anything on the client from the server, it's all not getting there. Can't even ping the tunnel address on the other side. The configs are right I think, pretty straightforward. Is there anything I should start checking first? I tried adding pass rules on the server, but that didn't do anything. Haven't done anything on the client for pass rules.

    It's like the server is not routing to the other side, not even attempting.



  • Ok, I hadn't added the NAT statement on the server to the remote LAN subnet. I did that, and it still doesn't work. Are there anymore statements anywhere else to add? Do I have to add a tunnel NAT statement or anything?



  • Whoa - before you start adding NAT rules (which usually aren't needed at all) all over the place, let's get a little more info.

    Can you post a simple network diagram of what you're trying to accomplish?

    How did you setup the OpenVPN tunnel, using the Wizard or by hand?

    What versions of pfSense are you running on the client and the server?



  • No problem..sorry. I read a guide that said I needed the NAT, but it seems I may not.

    Ok, here it goes

    Static, site to site VPN, TUN, peer to peer shared key, AES256CBC,SHA1(160)

    Server:
    tunnel network: 10.10.10.0/30
    IPV4 local network: 192.168.1.0/24
    IPV4 remote network: 192.168.2.0/24

    Client:
    tunnel network: 10.10.10.0/30
    IPV4 local network: 192.168.2.0/24
    IPV4 remote network: 192.168.1.0/24

    From client, can access all of server LAN
    From server, can't access anything at all

    Diagnostics-> routes on server says:
    default         mypublicIP UGS 2438815 1500 sk0
    10.10.10.1 link#14 UHS 0 16384 lo0
    10.10.10.2 link#14 UH 0 1500 ovpns2
    127.0.0.1 link#12 UH 262134 16384 lo0
    192.168.1.0/24 link#6 U 3480458 1500 sk1
    192.168.1.1 mypublicIP UGHS 0 16384 sk0
    192.168.2.0/24 10.10.10.2 UGS 17 1500 ovpns2

    I've taken out a few things from the diagnostics pertaining to a openVPN cert server and some other internal interfaces by the way



  • Are you using Windows machines on the client LAN?

    Have you made sure the Windows firewall(s) aren't blocking traffic?



  • Yes windows machine, but I'm primarily trying to get into the other pfSense box (client's). But point well taken regarding windows. I have one windows machine, one pfsense, one access point and that's it. Can't get into any of them.



  • Adding what's in the NAT outbound table, if helpful:



  • Netgate

    Anybody know where auto-NAT would be picking up those /30 and /32 networks?  That's certainly oddball.



  • Hmmmm, I'm with Derelict, there's at least some weird leftovers from something else going on here (or we're missing some other info).

    It might be worth taking a copy of your current config and resetting to default, then add back the pieces you have configured one at a time to try and diag what's causing the grief

    If you add back DHCP, then OpenVPN (in that order) you can isolate the problem pretty quickly.

    Barring that you're stuck adding firewall rules that log particular traffic to see what's happening.

    In general I would aim for simplifying your setup rather than adding more rules/NAT/etc.

    The hardest part of OpenVPN S2S links is getting the keys and tunnels configured correctly in my experience.
    The only associated rule you typically need is an "Allow all" on the OpenVPN interface (Do you have that?)
    Once you have a tunnel up and traffic passing, it's typically a "fire and forget" setup, they just work.

    Can you post your Firewall->Rules for the WAN, LAN, and OpenVPN tabs?



  • the 192.168.1.18x series of addresses are PPTP that's hardcoded to a specific client logins.
    Correction, 188 is a hardcoded PPTP. My PPTP range is .180-.188, so I don't really know what's up with those.



  • Says it's connected. This is the ovpn status at the server.



  • Netgate

    Haven't done anything on the client for pass rules.

    For the server to connect to client assets there needs to be pass rules on the OpenVPN tab or Assigned interface tab on the client letting the traffic in from server's LAN.



  • @Derelict:

    Haven't done anything on the client for pass rules.

    For the server to connect to client assets there needs to be pass rules on the OpenVPN tab or Assigned interface tab on the client letting the traffic in from server's LAN.

    Ok this must be it then, because I didn't do anything special on the client side. Will have to wait to go over there and do it.



  • Sorry folks, it was a firewall rules. On the client side I had to put allow ALL rules into the OpenVPN firewall tab section. It was already done at the server by virtue of being the server and whatever guide I read. Thanks for the advice.