Cannot ping client through VPN



  • Hello
    sorry for my English
    I am trying to set up OpenVPN between pfSense (server) and DD-WRT v24 (client)
    tunnel is up and client can access the server and LAN PC
    BUT server cannot ping and access client
    seems to be a routing problem
    I use UDP on port 1194 with PKI (also tested with shared key)

    so here

    • netstat -rn (from client)
      172.16.1.5 =>0.0.0.0
      172.16.1.1=>172.16.1.5
      192.168.1.0 => 0.0.0.0 (client LAN address)
      192.168.0.1=>172.16.1.5 (server LAN address)

    • netstat -rn (from server pfSense)
      172.16.1/24 => 172.16.1.2
      172.16.1.2 => 172.16.1.1
      192.168.1 => 172.16.1.2

    I don't know why the tunnel does not have the same endpoints on both sides
    BUT I can ping on both sides (server and client) 172.16.1.1 and 172.16.1.6 ???
    ping of 172.16.1.2 doesn't work on either side!

    can anybody help please!
    for me, I should add a route 192.168.1.0 => 172.16.1.6 ???



    • server logs
      /etc/rc.filter_configure tun0 1500 1542 172.16.1.1 172.16.1.2 init
      /sbin/ifconfig tun0 172.16.1.1 172.16.1.2 mtu 1500 netmask 255.255.255.255 up

    • client dd-wrt log error
      Linux route add command failed: shell command exited with error status: 255
      /sbin/ifconfig tun0 172.16.1.6 pointopoint 172.16.1.5 mtu 1500

    maybe I should use a static IP?



  • Can you draw a diagram of what is where?
    Honestly I don't know which IP range you have where.

    Also, for a site-to-site I would use a shared key and not a PKI.
    With a PKI the client gets an IP dynamically.
    You would have to set a client specific config on the server to add a route to the client for the subnet on the client side.

    This works, but I don't like such a solution.

    With a shared key you enter the routes and IPs on both sides statically.



  • Hello

    You would have to set a client specific config on the server to add a route to the client for the subnet on the client side.

    You are right, with this config I can access the remote client!

    All working now!

    With a shared key you enter the routes and IPs on both sides statically.

    What is the advantage of using static routes? Can we make more restrictive rules to access the pfSense LAN?
    Is using PKI with static routes not possible?

    I am ready to find the best solution to restrict client access to some areas on my LAN!
    Thanks for the help!



  • No, you cannot restrict access to the LAN with OpenVPN.
    It's not (yet) possible to create firewall rules for the virtual OpenVPN interface.
    If you need that you should set up an IPSEC VPN, since you can create firewall rules for the IPSEC interface.

    For the question PKI or shared key:
    A PKI is intended for roadwarriors.
    A shared key is intended for site-to-site.

    With a PKI you do all the configuration on the server.
    In a PKI there can be many clients.
    So it can be a bit problematic if one of these clients represents a whole network.
    Therefore you need the client specific configuration to add a route on the server to this client.

    With a shared key you have a config file on both sides.
    Meaning the client has the routes to what lies on the other side of the tunnel in its own config file.

    In my opinion it's not so good to mix different solutions for different tasks.

    With a shared key you enter the routes and IPs on both sides statically.

    What is the advantage of using static routes? Can we make more restrictive rules to access the pfSense LAN?
    Is using PKI with static routes not possible?

    What I mean here is not that you add static routes manually.
    What I mean is that you set the routes in the OpenVPN config statically.
    OpenVPN itself then adds these routes dynamically to the routing table when the tunnel comes up, and removes them when the tunnel goes down.
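As an added illustration of the client specific configuration approach described in this reply (example configuration, not taken from the thread or from pfSense's GUI; the client certificate common name `ddwrt-client` and the file paths are assumed), here is the plain OpenVPN server-side equivalent using the subnets from the first post:

```conf
# --- /etc/openvpn/server.conf (added example; paths and CN are assumed) ---
dev tun
proto udp
port 1194
# PKI mode: tunnel addresses are handed out dynamically from 172.16.1.0/24
server 172.16.1.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem

# Tell connecting clients how to reach the server LAN (192.168.0.0/24).
push "route 192.168.0.0 255.255.255.0"

# Kernel route on the server: 192.168.1.0/24 is reachable via the tun interface.
# Without it the server's routing table has no path back to the client LAN,
# which is exactly the "server cannot ping client" symptom.
route 192.168.1.0 255.255.255.0

# Per-client files live here, one file per certificate common name.
client-config-dir /etc/openvpn/ccd

# --- /etc/openvpn/ccd/ddwrt-client (file name = client CN, assumed) ---
# iroute is the OpenVPN-internal route: it tells the server process which
# connected client owns 192.168.1.0/24. The kernel 'route' above alone is
# not enough, because OpenVPN would not know which client to hand the packet
# to, and it also lets the server drop traffic claiming that subnet from any
# other client.
iroute 192.168.1.0 255.255.255.0
```

The `iroute` line is what the client specific config mentioned above carries; nothing extra is needed on the DD-WRT side, since the route to 192.168.0.0/24 is pushed by the server.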



  • Hello
    thanks for the explanation
    My other site has only one computer, so maybe it could be considered as a roadwarrior connection.

    I will test different solutions.
    I choose PKI because it looks more secure
    DD-WRT config with PKI uses the GUI, shared key uses a script ;-)
    PKI allows client-to-client connections (I think) but not tested yet!

    I hope I don't have to use IPSEC for firewall rules over VPN!
    So maybe I should contribute to the project to keep using OpenVPN…

