PfSense OpenVPN Site-to-Site – Client Not Connecting Troubleshooting

openvpnpfsensesite-to-site-vpn

I am trying to connect pfsense openvpn site to site (peer to peer shared key), but upto now I could not found any traffic between client and server.

openvpn server log

Listening for incoming TCP connection on [AF_INET]192.168.1.5:1194

openvpn client log

TCP: connect to [AF_INET]192.168.1.5:1194 failed, will try again in 5 seconds: Host is down

apart from firwall rule(WAN + OpenVpn) anything we need to configure in client side.

I followed the same firewall rule for both server and client

firewall -> rule -> WAN

firewall -> rule -> OpenVpn

Note: If you need more info please mention in comment.

when I see the status of the openvpn it is look like below (it is running)

Best Answer

Guessing maybe you still have block private networks enabled on WAN? If you're connecting in from 192.168.1.x at least, and WAN is really a LAN in your case.

On an unrelated note, it's always preferable to use UDP for VPNs unless TCP is required for some reason (can't pass UDP between client and server).

Related Solutions

Openvpn – pfSense Site-toSite VPN with OpenVPN connects but won’t route traffic

Here's what may be an issue. Imagine you have following network:

address pool: 10.1.1.0/255.255.255.0
router: 10.1.1.1
internal interface on internal vpn server: 10.1.1.2
some external machine that VPNs to network: 10.2.2.2
some internal client machine: 10.1.1.90

When you trying to access SIC from external VPN box, then traffic route goes like this:

10.2.2.2
vpn (internet)
10.1.1.2
10.1.1.90
OK

Seems fine, HOWEVER, in order for traffic to flow, the 10.1.1.90 machine should be able to respond and that means that packets from it must be routable to 10.2.2.2 too. Internal client has obviously ip: 10.1.1.90, mask: 255.255.255.0 and router: 10.1.1.90. Therefore, packets would be routed like this:

10.1.1.90
10.1.1.1 (sine it is router, and 10.2.2.2 is not directly addressable)
internet
NOT FOUND

Basically, reply packets will not even reach VPN. What can you do? Obviously, what will work is to add route to internal client to route all packets to 10.2.2.2 not to VPN box instead of router, such as (Windows box):

route add 10.2.2.0 mask 255.255.255.0 10.1.1.2

this will resolve the problem on single-machine level. Reply packets will go:

10.1.1.90
10.1.1.2 (explicit route)
vpn (internet)
10.2.2.2

To resolve issue on the network level, you must modify router in a same matter to redirect all traffic going to 10.2.2.0 to 10.1.1.2. This way reply packet will go:

10.1.1.90
10.1.1.1
10.1.1.2
vpn (internet)
10.2.2.2

Another solution is: make your VPN box to NAT on 10.1.1.2 interface. This way for internal machines it will look as if all the traffic originates from 10.1.1.2, and replies will go to 10.1.1.2. I would advise to go through routing though, since NAT will require additional resources on VPN box for connection tracker

Openvpn – pfsense peer-to-peer OpenVPN not connecting

Most likely because the client can't communicate with the server on UDP 1194. Why, there are a number of possibilities to check, two most common:

no firewall rule permitting the traffic
1:1 NAT or port forward forwarding that traffic somewhere else

Best Answer

Related Solutions

Openvpn – pfSense Site-toSite VPN with OpenVPN connects but won’t route traffic

Openvpn – pfsense peer-to-peer OpenVPN not connecting

Related Topic