OPNsense Forum » English Forums » Virtual private networks
Topic: OpenVPN site to site two way communication
jaj1105
OpenVPN site to site two way communication
« on: September 12, 2023, 03:33:55 pm »
Hi all,
I have installed a site-to-site OpenVPN between two OPNsense firewalls (peer to peer SSL/TLS).
The client side has access to the server's local network; the server side's local network doesn't have access to the client network.
Do you know how I can solve that?
Best regards
bartjsmit
Re: OpenVPN site to site two way communication
« Reply #1 on: September 13, 2023, 09:58:32 am »
Since it works one way, routing is likely okay. Look for firewall rule denies on both sides: Firewall: Log Files.
jaj1105
Re: OpenVPN site to site two way communication
« Reply #2 on: September 22, 2023, 11:26:04 am »
Hi Bartjsmit,
I don't have a firewall deny on either side. When I make a traceroute to the IP of the client OPNsense, the route goes to the WAN and ISP.
I don't understand why.
Best regards
bartjsmit
Re: OpenVPN site to site two way communication
« Reply #3 on: September 23, 2023, 08:38:45 am »
Quote from: jaj1105 on September 22, 2023, 11:26:04 am
When I make a traceroute to the IP of the client OPNsense, the route goes to the WAN and ISP.
The device that you are running traceroute on (the client?) does not have an end-to-end route across the tunnel. For every hop in the path that you want to use, do this:
- check the routing table
- does it have a route to the destination subnet?
- if not check its default gateway
On those hops where you don't have a route in the right direction, the default route will take you out to the internet. Add a static route there and continue checking.
Do this for all the hops in the path, then do it again for the path going back to your client.
Bart...
jaj1105
Re: OpenVPN site to site two way communication
« Reply #4 on: October 05, 2023, 02:40:00 pm »
Thanks, I have checked and made some screenshots.
Do you see something wrong?
Best regards
bartjsmit
Re: OpenVPN site to site two way communication
« Reply #5 on: October 05, 2023, 10:43:53 pm »
You need to check on devices other than your firewall. Most systems show the routing table with this command: netstat -r
Bart...
jaj1105
Re: OpenVPN site to site two way communication
« Reply #6 on: October 11, 2023, 12:38:05 pm »
Hi Bart,
I made a screenshot of the client + server netstat -r. The client is up and the server down.
Everything looks good; I see a route for the network of the other side in each.
I don't understand the problem :'(
Best regards,
Joseph
bartjsmit
Re: OpenVPN site to site two way communication
« Reply #7 on: October 11, 2023, 03:57:27 pm »
The next step is to do packet captures and analyse them with Wireshark: Interfaces: Diagnostics: Packet Capture.
jaj1105
Re: OpenVPN site to site two way communication
« Reply #8 on: October 11, 2023, 05:44:10 pm »
Thanks, I will try.
echoxxzz
Re: OpenVPN site to site two way communication
« Reply #9 on: December 17, 2023, 03:17:39 am »
I have the exact same problem.
I disabled the firewall packet inspection on both firewalls to rule out that it's a firewall rule and that didn't help.
If the client VPN can ping the server VPN LAN interface, then the routes have to be correct, or else the server would not have the correct route to reply back to the client.
There is nothing in any firewall log or any log for that matter indicating why traffic going to the client site is being blocked.
I have never had an issue setting up OpenVPN site to site VPNs on other platforms but on those platforms I'm not locked into a GUI interface.
echoxxzz
Re: OpenVPN site to site two way communication
« Reply #10 on: December 17, 2023, 03:56:24 am »
I tried the advice of using the packet capture.
I logged into the server via SSH and tried to ping the client VPN's LAN interface. I see the ICMP packet leaving the server on the ovpns1 interface, but on the client VPN I never see it arrive on the ovpnc1 interface.
If I log into the client VPN firewall via SSH and ping the server VPN LAN interface, I see the ICMP request and ICMP reply packets on both firewalls.
Is something broken in OpenVPN?
echoxxzz
Re: OpenVPN site to site two way communication
« Reply #11 on: December 17, 2023, 06:07:29 am »
It's definitely something in the way OPNsense is creating the server VPN conf file, because I copied my configs that I wrote by hand that I use on OpenWRT to each OPNsense server and it works perfectly, and I can now ping devices in the client network from the server network.
echoxxzz
Re: OpenVPN site to site two way communication
« Reply #12 on: December 17, 2023, 07:13:42 am »
OMG I finally got it working!!
I entered the certificate's Description, not its CN, in the client specific override. Once I fixed this it all started working.
I'm still not used to subnet topology (all my configs use net30), so I will need to do some more reading to get my head around what exactly is going on here.
jaj1105, if you followed the example in the OPNsense documentation I am pretty certain you have the same problem. You need to either fix the CSO or create one if you didn't.
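A checker for the mismatch echoxxzz describes, added here as an example that is not from the thread or from OPNsense: it assumes the overrides are plain OpenVPN ccd files named after the client certificate CN, each carrying an iroute for the remote LAN, and that the server config holds a matching route line; the config text, file names and CNs below are constructed.

```python
"""Cross-check OpenVPN client-config-dir (ccd) overrides against client
certificate CNs and the server's own 'route' lines.  A ccd file that is
named after the certificate Description instead of its CN is never applied,
so its iroute is missing and the server silently drops packets for that
subnet: the exact symptom seen in the packet captures above."""
import re
from typing import Dict, List

# Constructed sample data (not from a real deployment).
SERVER_CONF = """\
route 192.168.2.0 255.255.255.0
route 192.168.3.0 255.255.255.0
client-config-dir ccd
"""
# ccd file name -> file content.  The first file is named after the
# certificate *description*, reproducing the bug from the thread.
CCD_FILES: Dict[str, str] = {
    "Branch office client": "iroute 192.168.2.0 255.255.255.0\n",
    "site-b": "iroute 192.168.3.0 255.255.255.0\n",
}
CLIENT_CNS = ["site-a", "site-b"]  # CNs of the client certificates


def parse_routes(text: str, keyword: str) -> List[str]:
    """Return 'network/mask' for every '<keyword> net mask' line."""
    pat = re.compile(rf"^\s*{keyword}\s+(\S+)\s+(\S+)", re.M)
    return [f"{net}/{mask}" for net, mask in pat.findall(text)]


def check_overrides(server_conf: str, ccd_files: Dict[str, str],
                    client_cns: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means consistent."""
    findings: List[str] = []
    routed = set(parse_routes(server_conf, "route"))
    irouted: Dict[str, str] = {}  # subnet -> ccd file that claims it
    for name, body in ccd_files.items():
        if name not in client_cns:
            findings.append(f"ccd '{name}' matches no client CN; "
                            "its iroutes are never applied")
        for net in parse_routes(body, "iroute"):
            irouted[net] = name
    for net in sorted(routed):
        owner = irouted.get(net)
        if owner is None or owner not in client_cns:
            findings.append(f"route {net} has no effective iroute: "
                            "server will drop packets to it")
    for net, name in irouted.items():
        if net not in routed:
            findings.append(f"iroute {net} in ccd '{name}' has no server route")
    return findings


if __name__ == "__main__":
    for line in check_overrides(SERVER_CONF, CCD_FILES, CLIENT_CNS):
        print(line)
```

Renaming the first ccd file to the certificate's CN (site-a) clears both findings, which is the fix the post describes.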