Netgate Discussion Forum
    Cannot ping client thru vpn

    OpenVPN
    6 Posts 2 Posters 4.4k Views
    hrun

      Hello
      sorry for my English
      I am trying to set up OpenVPN between pfSense (server) and DD-WRT v24 (client)
      the tunnel is up and the client can access the server and LAN PCs
      BUT the server cannot ping or access the client
      seems to be a routing problem
      I use UDP on port 1194 with PKI (also tested with a shared key)

      so here

      • netstat -rn (from client)
        172.16.1.5 => 0.0.0.0
        172.16.1.1 => 172.16.1.5
        192.168.1.0 => 0.0.0.0 (client LAN address)
        192.168.0.1 => 172.16.1.5 (server LAN address)

      • netstat -rn (from server pfSense)
        172.16.1/24 => 172.16.1.2
        172.16.1.2 => 172.16.1.1
        192.168.1 => 172.16.1.2

      I don't know why the tunnel does not have the same endpoints on both sides
      BUT I can ping 172.16.1.1 and 172.16.1.6 from both sides (server and client) ???
      ping of 172.16.1.2 doesn't work from either side!

      can anybody help please!
      for me, should I add a route 192.168.1.0 => 172.16.1.6 ???

      hrun

        • server logs
          /etc/rc.filter_configure tun0 1500 1542 172.16.1.1 172.16.1.2 init
          /sbin/ifconfig tun0 172.16.1.1 172.16.1.2 mtu 1500 netmask 255.255.255.255 up

        • client DD-WRT log error
          Linux route add command failed: shell command exited with error status: 255
          /sbin/ifconfig tun0 172.16.1.6 pointopoint 172.16.1.5 mtu 1500

        maybe I should use static IPs?

        GruensFroeschli

          Can you draw a diagram of what is where?
          Honestly I don't know which IP range you have where.

          Also, for a site-to-site I would use a shared key and not a PKI.
          With a PKI the client gets an IP dynamically.
          You would have to set a client-specific config on the server to add a route to the client for the subnet on the client side.

          This works, but I don't like such a solution.

          With a shared key you enter the routes and IPs on both sides statically.

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          hrun

            Hello

            You would have to set a client-specific config on the server to add a route to the client for the subnet on the client side.

            you are right, with this config I can access the remote client!

            all working now!

            With a shared key you enter the routes and IPs on both sides statically.

            what is the advantage of using static routes? can we make more restrictive rules for access to the pfSense LAN?
            is using PKI with static routes not possible?

            I am ready to find the best solution to restrict client access to some areas of my LAN!
            thanks for the help!

            GruensFroeschli

              No, you cannot restrict access to the LAN with OpenVPN.
              It's not (yet) possible to create firewall rules for the virtual OpenVPN interface.
              If you need that you should set up an IPsec VPN, since you can create firewall rules for the IPsec interface.

              For the question PKI or shared key:
              A PKI is intended for road warriors.
              A shared key is intended for site-to-site.

              With a PKI you do all the configuration on the server.
              In a PKI there can be many clients.
              So it can be a bit problematic if one of these clients represents a whole network.
              That's why you need the client-specific configurations to add a route on the server to this client.

              With a shared key you have a config file on both sides.
              Meaning the client has the routes to what lies on the other side of the tunnel in its own config file.

              In my opinion it's not so good to mix different solutions for different tasks.

              With a shared key you enter the routes and IPs on both sides statically.

              what is the advantage of using static routes? can we make more restrictive rules for access to the pfSense LAN?
              is using PKI with static routes not possible?

              What I mean here is not that you add static routes manually.
              What I mean is that you set the routes in the OpenVPN config statically.
              OpenVPN itself then adds these routes dynamically to the routing table when the tunnel comes up, and removes them when the tunnel goes down.

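The two layouts GruensFroeschli describes (a PKI server that needs a client-specific `iroute` for the client's LAN, and a shared-key site-to-site with the routes fixed in both config files), written out as an added example that is not from the thread or from pfSense itself. It reuses the thread's addresses (tunnel 172.16.1.0/24, server LAN 192.168.0.0/24, client LAN 192.168.1.0/24); the client CN `ddwrt-site`, the key path and the server's public IP are placeholders.

```conf
# --- (a) PKI / TLS server: one client carries a whole LAN behind it ---
# server config (pfSense side)
dev tun
proto udp
port 1194
server 172.16.1.0 255.255.255.0          # tunnel pool; the client gets a dynamic address
push "route 192.168.0.0 255.255.255.0"   # tell the client how to reach the server LAN
route 192.168.1.0 255.255.255.0          # kernel route on the server: client LAN via tun
client-config-dir ccd                    # enables per-client override files

# ccd/ddwrt-site  (file name = the client certificate CN; "ddwrt-site" is a placeholder)
iroute 192.168.1.0 255.255.255.0         # internal route: this client owns 192.168.1.0/24
# Without the iroute the kernel route exists, but OpenVPN cannot map 192.168.1.x
# to a connected client and the packets never reach it (the symptom in the first post).

# --- (b) shared-key site-to-site: addresses and routes are static on both sides ---
# server
dev tun
proto udp
port 1194
ifconfig 172.16.1.1 172.16.1.2           # local tunnel IP, remote tunnel IP
secret /path/to/static.key               # placeholder path
route 192.168.1.0 255.255.255.0          # added by OpenVPN when tun comes up, removed on down

# client (DD-WRT)
dev tun
proto udp
remote SERVER_PUBLIC_IP 1194             # placeholder
ifconfig 172.16.1.2 172.16.1.1           # mirror image of the server's ifconfig line
secret /path/to/static.key               # same key file on both ends
route 192.168.0.0 255.255.255.0          # server LAN via the tunnel
```

In layout (b) both ends have fixed tunnel addresses, so `netstat -rn` shows the same endpoint pair on both sides, which is what the first post was missing.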
                hrun

                Hello
                thanks for the explanation
                my other site has only one computer, so maybe it could be considered a road-warrior connection.

                I will test different solutions.
                I chose PKI because it looks more secure
                the DD-WRT config with PKI uses the GUI, the shared key uses a script ;-)
                PKI allows client-to-client connections (I think) but I have not tested it yet!

                I hope I don't have to use IPsec for firewall rules over the VPN!
                so maybe I should contribute to the project to keep using OpenVPN…

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.