    Cannot ping client thru vpn

    OpenVPN
hrun

Hello,
sorry for my English.
I am trying to set up OpenVPN between pfSense (server) and DD-WRT v24 (client).
The tunnel is up and the client can access the server and the LAN PC,
BUT the server cannot ping or access the client.
It seems to be a routing problem.
I use UDP on port 1194 with PKI (also tested with a shared key).

So here:

• netstat -rn (from client)
  172.16.1.5 => 0.0.0.0
  172.16.1.1 => 172.16.1.5
  192.168.1.0 => 0.0.0.0 (client LAN address)
  192.168.0.1 => 172.16.1.5 (server LAN address)

• netstat -rn (from server pfSense)
  172.16.1/24 => 172.16.1.2
  172.16.1.2 => 172.16.1.1
  192.168.1 => 172.16.1.2

I don't know why the tunnel does not have the same endpoints on both sides,
BUT I can ping 172.16.1.1 and 172.16.1.6 from both sides (server and client)???
Ping of 172.16.1.2 doesn't work from either side!

Can anybody help, please!
For me, should I add a route 192.168.1.0 => 172.16.1.6???

hrun

        • server logs
          /etc/rc.filter_configure tun0 1500 1542 172.16.1.1 172.16.1.2 init
          /sbin/ifconfig tun0 172.16.1.1 172.16.1.2 mtu 1500 netmask 255.255.255.255 up

• client DD-WRT log error
          Linux route add command failed: shell command exited with error status: 255
          /sbin/ifconfig tun0 172.16.1.6 pointopoint 172.16.1.5 mtu 1500

Maybe I should use a static IP?

GruensFroeschli

Can you draw a diagram of what is where?
Honestly I don't know which IP range you have where.

Also, for a site-to-site I would use a shared key and not a PKI.
With a PKI the client gets an IP dynamically.
You would have to set a client-specific config on the server to add a route to the client for the subnet on the client side.

This works, but I don't like such a solution.

With a shared key you enter the routes and IPs on both sides statically.

hrun

Hello

> You would have to set a client-specific config on the server to add a route to the client for the subnet on the client side.

You are right, with this config I can access the remote client!

All working now!

> With a shared key you enter the routes and IPs on both sides statically.

What is the advantage of using static routes? Can we do more restrictive rules to access the pfSense LAN?
Is using PKI with static routes not possible?

I am ready to find the best solution to restrict client access to some areas of my LAN!
Thanks for the help!

GruensFroeschli

No, you cannot restrict access to the LAN with OpenVPN.
It's not (yet) possible to create firewall rules for the virtual OpenVPN interface.
If you need that you should set up an IPsec VPN, since you can create firewall rules for the IPsec interface.

For the question PKI or shared key:
A PKI is intended for road warriors.
A shared key is intended for site-to-site.

With a PKI you do all the configuration on the server.
In a PKI there can be many clients.
So it can be a bit problematic if one of these clients represents a whole network.
That is why you need the client-specific configurations to add a route on the server to this client.

With a shared key you have a config file on both sides.
Meaning the client has the routes to what lies on the other side of the tunnel in its own config file.

In my opinion it's not so good to mix different solutions for different tasks.

> With a shared key you enter the routes and IPs on both sides statically.
>
> What is the advantage of using static routes? Can we do more restrictive rules to access the pfSense LAN?
> Is using PKI with static routes not possible?

What I mean here is not that you add static routes manually.
What I mean is that you set the routes in the OpenVPN config statically.
OpenVPN itself then adds these routes dynamically to the routing table when the tunnel comes up, and removes them when the tunnel goes down.

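The two layouts discussed in this reply and the earlier one, as an added example (not configuration from the thread, pfSense or DD-WRT): option A keeps the PKI setup and adds the client-specific config that carries the route for the 192.168.1.0/24 client LAN; option B is the static-key site-to-site layout with the routes written into both config files. File paths and the client certificate CN are assumptions.

```conf
# --- Option A: PKI (tls-server), one client represents the 192.168.1.0/24 LAN ---
# server.conf on pfSense (path assumed)
dev tun
proto udp
port 1194
server 172.16.1.0 255.255.255.0      # tunnel pool; the server takes 172.16.1.1
route 192.168.1.0 255.255.255.0      # kernel route: client LAN goes into tun0
client-config-dir ccd                # per-client overrides, keyed by cert CN
# (ca / cert / key / dh directives omitted)

# ccd/ddwrt-site  (file name = CN of the DD-WRT certificate; name assumed)
# iroute tells OpenVPN which client owns 192.168.1.0/24, so packets for that
# subnet are forwarded to this client instead of being dropped inside OpenVPN
iroute 192.168.1.0 255.255.255.0

# --- Option B: static (shared) key, site-to-site ---
# server side (pfSense)
dev tun
proto udp
port 1194
ifconfig 172.16.1.1 172.16.1.2       # fixed tunnel endpoints: local, remote
route 192.168.1.0 255.255.255.0      # reach the DD-WRT LAN through the tunnel
secret /path/to/static.key           # same file on both ends (path assumed)

# client side (DD-WRT)
dev tun
proto udp
remote pfsense.example.invalid 1194  # server address is a placeholder
ifconfig 172.16.1.2 172.16.1.1       # mirror image of the server's ifconfig
route 192.168.0.0 255.255.255.0      # reach the pfSense LAN through the tunnel
secret /path/to/static.key
```

In option A the `route` line alone gives the kernel route that the pfSense table above already shows; without the matching `iroute` OpenVPN has no client to hand the packet to, which matches the one-way reachability hrun described.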
hrun

Hello,
thanks for the explanation.
My other site has only one computer, so maybe it could be considered a road-warrior connection.

I will test different solutions.
I chose PKI because it looks more secure.
The DD-WRT config with PKI uses the GUI, shared key uses a script ;-)
PKI allows client-to-client connections (I think), but I have not tested it yet!

I hope I don't have to use IPsec for firewall rules over the VPN!
So maybe I should contribute to the project to keep using OpenVPN…
