Netgate Discussion Forum

    Data passing in one direction only, static site to site VPN

OpenVPN category, 14 posts, 3 posters, 3.8k views
gazoo

      I've got a static key site to site VPN. The client can access everything on the LAN of the server perfect. Worked first time. However, when I try to access anything on the client from the server, it's all not getting there. Can't even ping the tunnel address on the other side. The configs are right I think, pretty straightforward. Is there anything I should start checking first? I tried adding pass rules on the server, but that didn't do anything. Haven't done anything on the client for pass rules.

      It's like the server is not routing to the other side, not even attempting.

gazoo

Ok, I hadn't added the NAT statement on the server to the remote LAN subnet. I did that, and it still doesn't work. Are there any more statements anywhere else to add? Do I have to add a tunnel NAT statement or anything?

divsys

          Whoa - before you start adding NAT rules (which usually aren't needed at all) all over the place, let's get a little more info.

          Can you post a simple network diagram of what you're trying to accomplish?

          How did you setup the OpenVPN tunnel, using the Wizard or by hand?

          What versions of pfSense are you running on the client and the server?

          -jfp

gazoo

No problem... sorry. I read a guide that said I needed the NAT, but it seems I may not.

            Ok, here it goes

Static site-to-site VPN, TUN, peer-to-peer shared key, AES-256-CBC, SHA1 (160)

            Server:
            tunnel network: 10.10.10.0/30
            IPV4 local network: 192.168.1.0/24
            IPV4 remote network: 192.168.2.0/24

            Client:
            tunnel network: 10.10.10.0/30
            IPV4 local network: 192.168.2.0/24
            IPV4 remote network: 192.168.1.0/24

            From client, can access all of server LAN
            From server, can't access anything at all

Diagnostics -> Routes on the server says:

Destination       Gateway       Flags   Use       Mtu     Netif
default           mypublicIP    UGS     2438815   1500    sk0
10.10.10.1        link#14       UHS     0         16384   lo0
10.10.10.2        link#14       UH      0         1500    ovpns2
127.0.0.1         link#12       UH      262134    16384   lo0
192.168.1.0/24    link#6        U       3480458   1500    sk1
192.168.1.1       mypublicIP    UGHS    0         16384   sk0
192.168.2.0/24    10.10.10.2    UGS     17        1500    ovpns2

I've taken out a few things from the diagnostics pertaining to an OpenVPN cert server and some other internal interfaces, by the way.

divsys

              Are you using Windows machines on the client LAN?

              Have you made sure the Windows firewall(s) aren't blocking traffic?

              -jfp

gazoo

Yes, Windows machine, but I'm primarily trying to get into the other pfSense box (the client's). But point well taken regarding Windows. I have one Windows machine, one pfSense, one access point and that's it. Can't get into any of them.

gazoo

                  Adding what's in the NAT outbound table, if helpful:

(attached screenshot: NAT.JPG, the Firewall -> NAT -> Outbound table)

Derelict (Netgate)

                    Anybody know where auto-NAT would be picking up those /30 and /32 networks?  That's certainly oddball.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

divsys

                      Hmmmm, I'm with Derelict, there's at least some weird leftovers from something else going on here (or we're missing some other info).

It might be worth taking a copy of your current config and resetting to default, then adding back the pieces you have configured one at a time to try and diagnose what's causing the grief.

                      If you add back DHCP, then OpenVPN (in that order) you can isolate the problem pretty quickly.

Barring that, you're stuck adding firewall rules that log particular traffic to see what's happening.

                      In general I would aim for simplifying your setup rather than adding more rules/NAT/etc.

                      The hardest part of OpenVPN S2S links is getting the keys and tunnels configured correctly in my experience.
                      The only associated rule you typically need is an "Allow all" on the OpenVPN interface (Do you have that?)
                      Once you have a tunnel up and traffic passing, it's typically a "fire and forget" setup, they just work.

                      Can you post your Firewall->Rules for the WAN, LAN, and OpenVPN tabs?

                      -jfp

gazoo

The 192.168.1.18x series of addresses are PPTP, hardcoded to specific client logins.
Correction: .188 is a hardcoded PPTP address. My PPTP range is .180-.188, so I don't really know what's up with those.

gazoo

Says it's connected. This is the OpenVPN status at the server.

(attached screenshot: ovpn2.JPG, Status -> OpenVPN on the server)

Derelict (Netgate)

> Haven't done anything on the client for pass rules.

                            For the server to connect to client assets there needs to be pass rules on the OpenVPN tab or Assigned interface tab on the client letting the traffic in from server's LAN.


gazoo

@Derelict:

> > Haven't done anything on the client for pass rules.
>
> For the server to connect to client assets there needs to be pass rules on the OpenVPN tab or Assigned interface tab on the client letting the traffic in from server's LAN.

                              Ok this must be it then, because I didn't do anything special on the client side. Will have to wait to go over there and do it.

gazoo

Sorry folks, it was the firewall rules. On the client side I had to put allow ALL rules into the OpenVPN firewall tab section. It was already done at the server by virtue of being the server and whatever guide I read. Thanks for the advice.

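The setup the thread converges on, written out as plain OpenVPN and pf configuration rather than pfSense GUI settings, so the two halves of the fix (routing, which was already right, and the inbound pass rule on the tunnel interface, which was missing on the client) are visible side by side. This is an added example, not configuration posted in the thread; the tunnel and LAN addresses, cipher and HMAC are the ones gazoo listed, while the interface name tun0, UDP port 1194, the server hostname and the key path are assumptions.

```conf
# ---- server side (LAN 192.168.1.0/24), OpenVPN static-key peer-to-peer ----
dev tun0
proto udp
port 1194                                    # assumed; any free UDP port
secret /usr/local/etc/openvpn/site2site.key  # identical static key on both peers
ifconfig 10.10.10.1 10.10.10.2               # my tunnel IP, peer tunnel IP (the /30)
route 192.168.2.0 255.255.255.0              # remote LAN goes into the tunnel
cipher AES-256-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun

# ---- client side (LAN 192.168.2.0/24) ----
dev tun0
proto udp
remote vpn.example.net 1194                  # assumed server address
secret /usr/local/etc/openvpn/site2site.key
ifconfig 10.10.10.2 10.10.10.1
route 192.168.1.0 255.255.255.0
cipher AES-256-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun

# ---- pf rules, needed on BOTH firewalls (pf.conf syntax) ----
# pf filters traffic as it arrives on an interface, and pfSense's default is
# deny.  A packet from the server LAN reaches the client over tun0 and is
# dropped there unless a rule lets it in; the reverse direction worked in the
# thread only because the server already had such a rule.  pfSense generates
# the equivalent of these lines from Firewall -> Rules -> OpenVPN.
# on the client: let the server's LAN in
pass in quick on tun0 inet from 192.168.1.0/24 to 192.168.2.0/24 keep state
# on the server: let the client's LAN in
pass in quick on tun0 inet from 192.168.2.0/24 to 192.168.1.0/24 keep state
# tunnel endpoints themselves, so "ping 10.10.10.2" from the server works
pass in quick on tun0 inet proto icmp from 10.10.10.0/30 to 10.10.10.0/30
```

No outbound NAT is involved: each firewall already has a route for the other LAN via the peer's tunnel address (the `192.168.2.0/24 10.10.10.2 UGS ovpns2` line in gazoo's routing table), so hosts on either side see each other's real addresses, and divsys's point that NAT "usually isn't needed at all" holds. The pass rules above are deliberately narrower than the allow-all rule gazoo ended up with; restricting source and destination to the two LANs means a host that somehow reaches the tunnel interface from elsewhere still hits the default deny. One caveat on the mode itself: a static-key tunnel has no forward secrecy, so anyone who later obtains the key can decrypt every capture of that tunnel's traffic, which is the main reason the TLS (cert-based) mode is preferred for anything long-lived.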
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.