OpenVPN status UP, but cannot ping
-
Hey guys,
First, I have to apologize for my English.
I'm new to pfSense. I'm stuck with this issue now: "OpenVPN status UP, but cannot ping".
Both sides have firewall rules on WAN like those in the attached screenshot.
The PCs on both sides have their firewalls turned off.
And I can't see anything weird in the system logs for Firewall or OpenVPN.
Any help will be appreciated.
-
You have different encryption settings at server and client. Obviously you made changes on the server after exporting the client config.
Export the client config again.
-
> You have different encryption settings at server and client. Obviously you made changes on the server after exporting the client config.
> Export the client config again.

I did try to export the client again and paste the TLS key into the client-side setup. Still cannot ping, though Status -> OpenVPN still says "UP".
Now when I look more carefully I can see that the Firewall system logs have these lines. I thought I was missing something in the firewall rules, but what exactly do I need?
Anyway, thanks so much for your reply viragomann
-
Okay.
You try to ping from the VPN client to where? A LAN host?
Does the client get the route pushed for the LAN subnet? If yes, check this in the client's routing table.
Can you ping the VPN server address and pfSense's LAN address?
If you have further trouble resolving that, post your server config and the client's routing table, and tell us which OS is running on the client.
-
> Okay.
> You try to ping from the VPN client to where? A LAN host?

I'm trying to ping from the PC on the server side to the PC on the client side but cannot.
I can ping from PC0 -> pfSense1 -> 192.168.0.120 (WAN IP of pfSense2)
I can ping from PC1 -> pfSense2 -> 192.168.0.118 (WAN IP of pfSense1)
I can ping from pfSense1 -> pfSense2 -> PC1
I can ping from pfSense2 -> pfSense1 -> PC0
Cannot ping from PC0 -> PC1

> Does the client get the route pushed for the LAN subnet? If yes, check this in the client's routing table.
> Can you ping the VPN server address and pfSense's LAN address?
> If you have further trouble resolving that, post your server config and the client's routing table, and tell us which OS is running on the client.

Sorry, but I really don't know how to check this or what you mean by "server config and client's routing table". "Such a stupid guy", I know, I know, but that's why I so appreciate your endurance up to now. I'm running all these pfSense and PC instances on VMware for testing now.
-
And for more information:
In the firewall rules on WAN I pass any/any, and on OpenVPN I have any/any rules too. Is there an easier way to run the test?
I can ping from pfSense1 -> pfSense2 -> PC1
I can ping from pfSense2 -> pfSense1 -> PC0
And please take a look at the 3rd picture: is this the client routing table you are talking about?
-
So you are running a site-to-site VPN connection, I assume.
For correct routing you have to enter the server-side LAN subnet at IPv4 "Local Network/s" and the client's LAN subnet at "IPv4 Remote Network/s", both in the server config.
Also, if you want to access a client-site host, you have to add a firewall rule on the client's OpenVPN interface to permit it.
If that doesn't work you must provide more detail of your network. What is the server-site LAN subnet, what's the client's?
Have you added any NAT rule for the VPN?
On the basis of your last picture of the client's routing table, I assume 192.168.33.0/24 is your server site's LAN, right? Post also the server's routing table.
-
> So you are running a site-to-site VPN connection, I assume.

Exactly mate, that's what I am doing.

> For correct routing you have to enter the server-side LAN subnet at IPv4 "Local Network/s" and the client's LAN subnet at "IPv4 Remote Network/s", both in the server config.
> Also, if you want to access a client-site host, you have to add a firewall rule on the client's OpenVPN interface to permit it.

To be more clear: on the pfSense server site, the tunnel network is 192.168.233.0/24, the local network is 192.168.33.0/24 and the remote network is 192.168.44.0/24.
On the pfSense client site, the tunnel network is 192.168.233.0/24 and the remote network is 192.168.33.0/24.
Both firewall rule sets, on the server and the client site, have any/any rules on WAN and OpenVPN.
Is that correct?

> If that doesn't work you must provide more detail of your network. What is the server-site LAN subnet, what's the client's?
> Have you added any NAT rule for the VPN?
> On the basis of your last picture of the client's routing table, I assume 192.168.33.0/24 is your server site's LAN, right? Post also the server's routing table.

The server-site LAN subnet is 192.168.33.0/24 and the client-site subnet is 192.168.44.0/24.
I haven't added any NAT rules for the VPN.
-
Your routing tables look okay. However, ping from PC0 to PC1 will only work if both pfSenses are the default gateways for the LAN hosts. If this isn't the case, you will either have to add routes to the hosts to direct traffic destined for the other site to pfSense, or you do NAT.
-
> Your routing tables look okay. However, ping from PC0 to PC1 will only work if both pfSenses are the default gateways for the LAN hosts.

Now, when I set the default gateway of every host on both sides to the pfSense on that side, the ping becomes "Unreachable". Before setting that default gateway, the ping was "Request timed out".

> If this isn't the case, you will either have to add routes to the hosts to direct traffic destined for the other site to pfSense, or you do NAT.

It would be very nice if you could help me with this. Can you explain more clearly or give step-by-step instructions, please?
-
Go to Firewall > NAT > Outbound. If it is set to automatic rules configuration, check Hybrid and hit the Save button.
Add a rule by clicking "+":
Interface: LAN
Protocol: any
Source: 192.168.233.0/24 (the VPN tunnel network)
Destination: any
Translation: Interface address
Do this at each site you want to reach. So if you want to reach PC0 from PC1 and vice versa, add this rule at both client and server.
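Added example, not from the thread and not pfSense's own code: a small Python model of the topology discussed in this thread that walks an ICMP echo request from PC0 to PC1 and the echo reply back, hop by hop, using the routes the "IPv4 Local Network/s" and "IPv4 Remote Network/s" fields give each pfSense (the routing advice above), the hosts' default gateways (the "both pfSenses must be the default gateway" point), and optionally an outbound NAT rule on the far pfSense's LAN (the NAT rule above). It uses the subnets posted in the thread; the host addresses (PC0 192.168.33.10, PC1 192.168.44.10), the pfSense LAN addresses (192.168.33.1, 192.168.44.1) and the ".254" routers standing in for any other gateway on the LANs are assumptions for the illustration. One thing the model makes visible: an outbound NAT rule only rewrites packets whose source matches it, so a rule keyed on the tunnel network 192.168.233.0/24 matches traffic sourced from a pfSense tunnel address, while packets from PC0 carry a 192.168.33.0/24 source.

```python
import ipaddress

# Constructed topology using the subnets posted in the thread. Host addresses,
# pfSense LAN addresses and the ".254" routers are assumptions for illustration.
TUNNEL = ipaddress.ip_network("192.168.233.0/24")
SERVER_LAN = ipaddress.ip_network("192.168.33.0/24")
CLIENT_LAN = ipaddress.ip_network("192.168.44.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# The pfSense at the other end of the OpenVPN tunnel, keyed by name, valued by LAN address.
TUN_PEER = {"pfSense1": "192.168.44.1", "pfSense2": "192.168.33.1"}


def pfsense_routes(own_lan, remote_lan):
    """Routes a pfSense has once "Local Network/s" (own LAN) and "Remote Network/s"
    (the far LAN) are filled in: own LAN is directly connected, the tunnel and the
    far LAN go out the OpenVPN interface, everything else goes out WAN."""
    table = [(own_lan, "lan"), (TUNNEL, "ovpn"), (ANY, "wan")]
    if remote_lan is not None:            # None models the Remote Network/s field left empty
        table.append((remote_lan, "ovpn"))
    return table


def host_routes(lan, default_gw):
    """A PC knows only its own LAN and a default gateway address."""
    return [(lan, "lan"), (ANY, default_gw)]


def build(pc0_gw="192.168.33.1", pc1_gw="192.168.44.1", server_remote=CLIENT_LAN):
    """Nodes keyed by address: (name, routing table)."""
    return {
        "192.168.33.10": ("PC0", host_routes(SERVER_LAN, pc0_gw)),
        "192.168.33.1": ("pfSense1", pfsense_routes(SERVER_LAN, server_remote)),
        "192.168.44.1": ("pfSense2", pfsense_routes(CLIENT_LAN, SERVER_LAN)),
        "192.168.44.10": ("PC1", host_routes(CLIENT_LAN, pc1_gw)),
        # Another router on each LAN (e.g. the VMware NAT gateway) that has no VPN route.
        "192.168.33.254": ("other_gw0", [(SERVER_LAN, "lan"), (ANY, "wan")]),
        "192.168.44.254": ("other_gw1", [(CLIENT_LAN, "lan"), (ANY, "wan")]),
    }


def lookup(table, dst):
    """Longest-prefix match, as a kernel routing table does it."""
    best = max((n for n, _ in table if dst in n), key=lambda n: n.prefixlen, default=None)
    return None if best is None else next(h for n, h in table if n == best)


def trace(nodes, src_addr, dst_addr, nat=None):
    """Forward one packet hop by hop. `nat` maps a pfSense name to the source subnet
    whose packets it rewrites to its own LAN address when delivering onto its LAN
    (Outbound NAT on LAN, translation = interface address).
    Returns (delivered, path, source address the receiver sees)."""
    nat = nat or {}
    dst = ipaddress.ip_address(dst_addr)
    cur, src, path = src_addr, ipaddress.ip_address(src_addr), []
    for _ in range(8):                                    # TTL-style loop guard
        name, table = nodes[cur]
        path.append(name)
        if ipaddress.ip_address(cur) == dst:
            return True, path, str(src)
        hop = lookup(table, dst)
        if hop == "lan":                                  # directly connected delivery
            lan = next(n for n, h in table if h == "lan")
            if dst not in lan or str(dst) not in nodes:
                return False, path + ["no such host"], str(src)
            if name in nat and src in nat[name]:
                src = ipaddress.ip_address(cur)           # NAT: source becomes pfSense LAN address
            cur = str(dst)
        elif hop == "ovpn":                               # into the tunnel, out the other end
            cur = TUN_PEER[name]
        elif hop == "wan" or hop is None:                 # leaves the VPN and never arrives
            return False, path + ["out WAN, lost"], str(src)
        else:                                             # a host's default gateway address
            cur = hop
    return False, path + ["loop"], str(src)


def ping(nodes, a, b, nat=None):
    """Echo request a -> b, then echo reply from b to whatever source b saw.
    Returns (success, forward path, reply path)."""
    ok, fwd, seen = trace(nodes, a, b, nat)
    if not ok:
        return False, fwd, []
    ok, rev, _ = trace(nodes, b, seen, nat)
    if ok and seen != a:                                  # reply hit the NAT box: un-NAT and forward
        ok, tail, _ = trace(nodes, seen, a)
        rev += tail[1:]
    return ok, fwd, rev


if __name__ == "__main__":
    cases = {
        "both PCs use their pfSense as default gateway": (build(), None),
        "PC1 default gateway is another router": (build(pc1_gw="192.168.44.254"), None),
        "... plus NAT on pfSense2 keyed on the tunnel net": (build(pc1_gw="192.168.44.254"), {"pfSense2": TUNNEL}),
        "... plus NAT on pfSense2 keyed on the server LAN": (build(pc1_gw="192.168.44.254"), {"pfSense2": SERVER_LAN}),
        "Remote Network/s left empty on the server": (build(server_remote=None), None),
    }
    for label, (nodes, nat) in cases.items():
        ok, fwd, rev = ping(nodes, "192.168.33.10", "192.168.44.10", nat)
        print(f"{'reply' if ok else 'timeout':7} {label}: {' > '.join(fwd)} | {' > '.join(rev)}")
```

Running it prints one line per scenario. The "timeout" lines are the cases that look like the thread's "Request timed out": the request reaches PC1 but PC1's reply goes to a default gateway that has no route back through the tunnel, or pfSense1 has no route for 192.168.44.0/24 at all and sends the request out WAN. The path strings tell you at which hop to take the packet capture suggested later in the thread.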
-
> Go to Firewall > NAT > Outbound. If it is set to automatic rules configuration, check Hybrid and hit the Save button.
> Add a rule by clicking "+":
> Interface: LAN
> Protocol: any
> Source: 192.168.233.0/24 (the VPN tunnel network)
> Destination: any
> Translation: Interface address
> Do this at each site you want to reach. So if you want to reach PC0 from PC1 and vice versa, add this rule at both client and server.

It's really clear and easy to follow, but the result is that nothing changed; still "Request timed out". And I don't know if this helps, but when I check and restart OpenVPN in Status > OpenVPN I can see that the NTPD service is stopped. Could that be connected to the reason why I cannot ping?
I'm so disappointed now because it's been a few days and I'm still stuck here. Thank you very, very, very much for your help viragomann
-
The NTP service is not related to this issue.
Let's go to troubleshooting. Take a packet capture (Diagnostics menu > Packet Capture). At server and client, select the LAN interface and ICMP as the protocol, and hit Start below. Then start the ping.
If you see nothing at one site, select the OpenVPN interface and repeat it.
Post the output.