Openvpn ping and routing issue

  • Hello all, I have this configuration:

    pc with ip
    office lan:
    pfsense 2.2.4 internal ip external
    gateway with ip
    several openvpn client with different network

    I'm trying to configure OpenVPN with these features:

    • from the office LAN I need to access port 8080 of each remote client
    • every remote client must have a unique IP (using client specific overrides)

    I have configured the with this network

    The remote client can connect (i.e. correctly but I can't ping it from the server side.
    I can't understand if I have to configure the OPT interface: if I leave ovpns1 unassigned and I try to ping the client, I see on the client side the ping request (but with a "no response found" error).
    If I assign ovpns1 to opt1 I see that the default route for every address becomes and so it's wrong.

    1- Which special parameters do I have to configure on the OpenVPN server?
    2- Do I have to configure opt1 or not? Why does the gateway go wrong if I configure it?

    Excuse my English.
    Every suggestion is welcome.

  • LAYER 8 Global Moderator

    Ok so you have a road warrior connecting into your pfsense (openvpn server)?

    And you want to be able to ping that remote client.. Well, most likely that is the firewall on your remote client blocking that, unless you have modified rules on the pfsense interface that the box behind pfsense is getting to pfsense with.

    So for example.. I am VPN'd into my home pfsense box.. I RDP to a box on that LAN, and from there I can ping my remote client:

    Pinging with 32 bytes of data:
    Reply from bytes=32 time=144ms TTL=127
    Reply from bytes=32 time=123ms TTL=127
    Reply from bytes=32 time=155ms TTL=127
    Reply from bytes=32 time=160ms TTL=127

    Ping statistics for
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 123ms, Maximum = 160ms, Average = 145ms

    You really should not have to do anything special here..

  • Thank you.. yes, it should be easy.
    I tried again starting from scratch (new installation); I used the wizard to build the OpenVPN configuration.

    Once the connection was created I started Wireshark on the client PC and I see the ping request (so I don't think it is a firewall problem).
    In Wireshark I see the ICMP packet with src (my PC in the office LAN) and dest with the "no response found!" message.

    PING ( 56 data bytes
    Request timeout for icmp_seq 0
    Request timeout for icmp_seq 1

    Same problem from the firewall itself:
    PING ( 56 data bytes
    --- ping statistics ---
    19 packets transmitted, 0 packets received, 100.0% packet loss

    In Wireshark I see the ICMP packet with src and dest with the "no response found!" message.

    I have the same problem with different clients (Windows and Linux) in two different networks.
    I think it's a routing problem.

  • Are the routes for the LAN pushed to the clients correctly? You have to enter your LAN network ( in IPv4 Local Network/s to do so.

  • Yes, I put it in IPv4 Local Network/s.

    this is my server configuration file located in /var/etc/openvpn of pfsense:

    dev ovpns1
    verb 3
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/
    #user nobody
    #group nobody
    script-security 3
    keepalive 10 60
    proto udp
    cipher BF-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-config-dir /var/etc/openvpn-csc
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'internalserverce' 1 "
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    push "route"
    ca /var/etc/openvpn/
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048
    comp-lzo adaptive

    Probably there is something wrong but I don't understand what.

  • The config seems to be okay, but what does the routing table at the client show when the connection is established?
    Maybe an equal subnet there on an interface?
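    The two checks asked for in this thread (is the pushed LAN route actually on the client, and does the client's own subnet overlap the office LAN) can be automated. The script below is an added example and not from the thread or from pfSense; it parses a server config in the same format as the one posted, a client-specific override file from client-config-dir, and a Linux client's `ip route` output. The networks, the `tun0` device name and the override file contents are constructed placeholders (RFC 5737 documentation ranges), not the poster's real values.

```python
"""Cross-check an OpenVPN server config, a client-config-dir override and the
client's routing table for the two routing failure modes discussed above.
Added example; every address below is a constructed placeholder."""
import ipaddress
import shlex

# Constructed server config modelled on the posted one (placeholder networks).
SERVER_CONF = """\
dev ovpns1
dev-type tun
proto udp
lport 1194
server 10.8.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
push "route 192.0.2.0 255.255.255.0"
keepalive 10 60
"""

# Constructed override file (named after the client's certificate CN) that
# pins this client to one tunnel address, as "client specific overrides" does.
CCD_OVERRIDE = "ifconfig-push 10.8.0.10 255.255.255.0\n"

# Constructed `ip route` output from a Linux client after connecting.
CLIENT_ROUTES_OK = """\
default via 198.51.100.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.10
192.0.2.0/24 via 10.8.0.1 dev tun0
198.51.100.0/24 dev eth0 proto kernel scope link src 198.51.100.20
"""

# Same client, but its own LAN uses the office LAN's subnet ("equal subnet").
CLIENT_ROUTES_OVERLAP = """\
default via 192.0.2.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.10
192.0.2.0/24 via 10.8.0.1 dev tun0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50
"""


def parse_pushed_routes(conf):
    """Networks the server pushes via push "route NET MASK"; a bare push "route"
    (as in the posted config) carries no network and is skipped."""
    nets = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] == "push" and len(tokens) == 2:
            inner = tokens[1].split()
            if inner[0] == "route" and len(inner) >= 3:
                nets.append(ipaddress.ip_network(f"{inner[1]}/{inner[2]}", strict=False))
    return nets


def parse_tunnel_network(conf):
    """The tunnel pool from the `server NET MASK` directive, or None."""
    for line in conf.splitlines():
        t = line.split()
        if t and t[0] == "server" and len(t) >= 3:
            return ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False)
    return None


def parse_ccd_ip(ccd):
    """The address assigned by `ifconfig-push` in an override file, or None."""
    for line in ccd.splitlines():
        t = line.split()
        if t and t[0] == "ifconfig-push" and len(t) >= 2:
            return ipaddress.ip_address(t[1])
    return None


def parse_routes(ip_route_output):
    """Turn `ip route` lines into (destination network, device) pairs."""
    routes = []
    for line in ip_route_output.splitlines():
        t = line.split()
        if not t:
            continue
        dest = ipaddress.ip_network("0.0.0.0/0") if t[0] == "default" \
            else ipaddress.ip_network(t[0], strict=False)
        dev = t[t.index("dev") + 1] if "dev" in t else None
        routes.append((dest, dev))
    return routes


def diagnose(conf, ccd, ip_route_output, tun_dev="tun0"):
    """Return a list of findings; an empty list means client routing looks right."""
    findings = []
    tunnel, ccd_ip = parse_tunnel_network(conf), parse_ccd_ip(ccd)
    if tunnel and ccd_ip and ccd_ip not in tunnel:
        findings.append(f"ifconfig-push {ccd_ip} lies outside tunnel network {tunnel}")
    routes = parse_routes(ip_route_output)
    for lan in parse_pushed_routes(conf):
        if not any(dest == lan and dev == tun_dev for dest, dev in routes):
            findings.append(f"pushed route {lan} is not present via {tun_dev} on the client")
        # A non-tunnel interface carrying the office LAN's subnet means replies
        # to the office never enter the tunnel, even though requests arrive.
        for dest, dev in routes:
            if dev != tun_dev and dest.prefixlen > 0 and dest.overlaps(lan):
                findings.append(f"client interface {dev} has {dest}, overlapping office LAN {lan}")
    return findings


if __name__ == "__main__":
    for name, table in (("ok", CLIENT_ROUTES_OK), ("overlap", CLIENT_ROUTES_OVERLAP)):
        print(name, diagnose(SERVER_CONF, CCD_OVERRIDE, table) or "no routing findings")
```

    With the overlapping table the script reports the "equal subnet" case; with the clean table it reports nothing, which points the investigation back at the client's host firewall, as the moderator suggests.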

  • LAYER 8 Global Moderator

    Where do you wireshark?? At pfsense you see the icmp go down the tunnel, but no response.. Are you sniffing at the client? Most likely, as stated before, it is the firewall on the client..

  • Just to ask the obvious simple question:

    If these are Windows machines, have you made sure the internal firewalls are not blocking "foreign" subnets (perhaps turn them off for testing purposes)?

    Have you tried pinging something easier (like a network printer) instead?