Netgate Discussion Forum

    OpenVPN to head office and branch

    14 Posts 4 Posters 1.9k Views 4 Watching
    • JKnott @JotaGSoares

      @jotagsoares

      Make sure you have the needed routes to get to the branch. The remotes already know how to get to the head office. Is there a route at both ends of the branch VPN for the traffic to get there and back? The remote clients should have a default route to get them to the head office.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • viragomann @JotaGSoares

        @jotagsoares
        In the access server settings you have to add the branch LAN, or at least the single IP you want to access, to the "Local networks" (if you haven't checked "Redirect gateway") to push the route to the clients.

        Additionally, in the branch OpenVPN settings add the access server tunnel network to the "Remote networks" to route responses back to the headquarters.

        Ensure that there are firewall rules in place on the involved interfaces that pass the access.

        • JimCorkery
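As an added illustration (not code from the thread, from pfSense or from OpenVPN) of the two-route requirement JKnott and viragomann describe, a small longest-prefix-match model of the client, head office and branch routing tables. All addresses and interface names are constructed assumptions.

```python
import ipaddress

# Constructed topology; all addresses and interface names are assumptions,
# not values taken from the thread.
HQ_LAN, BRANCH_LAN = "192.168.1.0/24", "192.168.3.0/24"
RA_TUNNEL = "10.8.0.0/24"   # head office access-server tunnel network
DEFAULT = "0.0.0.0/0"
# Which egress interface hands a packet to which next router.
NEXT_ROUTER = {("client", "tun"): "hq", ("hq", "s2s"): "branch", ("branch", "s2s"): "hq"}

def lookup(table, dst):
    """Longest-prefix match over (prefix, egress) pairs; None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), via) for p, via in table]
    hits = [(n, via) for n, via in hits if ip in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def routing_tables(hq_pushes_branch_lan, branch_routes_ra_tunnel):
    """Routes each node ends up with. Flags model the thread's advice: branch LAN in
    the access server's 'Local networks', RA tunnel in the branch's 'Remote networks'."""
    client = [(DEFAULT, "isp"), (RA_TUNNEL, "tun")]
    hq = [(DEFAULT, "wan"), (HQ_LAN, "lan"), (RA_TUNNEL, "ovpns_ra"), (BRANCH_LAN, "s2s")]
    branch = [(DEFAULT, "wan"), (BRANCH_LAN, "lan"), (HQ_LAN, "s2s")]
    if hq_pushes_branch_lan:
        client.append((BRANCH_LAN, "tun"))
    if branch_routes_ra_tunnel:
        branch.append((RA_TUNNEL, "s2s"))
    return {"client": client, "hq": hq, "branch": branch}

def trace(tables, router, dst):
    """Follow a packet router to router until delivered locally or sent out a non-VPN path."""
    hops = []
    while True:
        via = lookup(tables[router], dst)
        hops.append(f"{router}:{via}")
        if (router, via) not in NEXT_ROUTER:
            return hops
        router = NEXT_ROUTER[(router, via)]

def round_trip(hq_pushes_branch_lan, branch_routes_ra_tunnel,
               client_ip="10.8.0.6", branch_host="192.168.3.10"):
    """Forward: remote-access client -> branch host; return: branch host -> client."""
    t = routing_tables(hq_pushes_branch_lan, branch_routes_ra_tunnel)
    fwd, back = trace(t, "client", branch_host), trace(t, "branch", client_ip)
    ok = fwd[-1] == "branch:lan" and back[-1] == "hq:ovpns_ra"
    return ok, fwd, back

if __name__ == "__main__":
    print(round_trip(True, False))  # return path leaks out the branch WAN
    print(round_trip(True, True))   # both directions stay inside the tunnels
```

Without the "Remote networks" entry the ping request reaches the branch host but the reply follows the branch's default route, which is the one-way behaviour the thread is troubleshooting.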

          I am following this, as I think it is the exact issue I'm having. I see JKnott's and Viragomann's suggestions, but I can't figure out how to actually DO those things. Can you be more specific on how to do this?

          • JimCorkery @JimCorkery

            SOOOO, I think I stumbled on the fix. I'm still trying to get DNS to work across the connections, however IP is working correctly.

            1. Go into your "Interfaces" and enable the OPT interfaces.
            2. Now go into System > Routing > Static Routes. Click ADD.
              Type your destination network (the other side's IP range, e.g. 192.168.3.0/24).
              Select the Opt2_VPNV4 gateway (or another one if that isn't the corresponding "OPT" of the VPN tunnel).
              Repeat this on the other router.
              Set up firewall rules for the OPT2 interfaces on each router to allow all.

            I have made MANY changes trying to figure this out, but I think those were the ones that made the difference.

            P.S. If anyone has advice on handling the DNS / Netbios stuff, I'm all ears.

            • viragomann @JimCorkery

              @jimcorkery
              It's basically not a good idea to add static routes for VPN gateways at all. This should be done by OpenVPN, when the connection is established.
              The OpenVPN settings tab provides the "Remote Networks" field to aim this.

              When you want to access the remote DNS server from the local site, you might have to add the local network to its ACLs.
              Also consider that you will have to add the domain name, when requesting remote hosts.

              • JimCorkery @viragomann

                @viragomann
                I have a question. My VPN client connected to Router A gets a list of DNS servers that I have specified in the VPN Server setup. When I do an NSLOOKUP from my command prompt, it uses the DNS on the local network and not the VPN. If I ping the computer name of the file server on the VPN, it doesn't go through, but pinging the IP address works.
                This WAS working, but something that I have done along the way seems to have broken it. Now, if I VPN into Router B) it is working. Go figure.

                • viragomann @JimCorkery

                  @jimcorkery
                  To recap, you have a peer-to-peer OpenVPN, and the server provides a DNS server list. On a device in the client's LAN you try to resolve host names?
                  What is your client site DNS server?

                  • JKnott @viragomann

                    @viragomann said in OpenVPN to head office and branch:

                    It's basically not a good idea to add static routes for VPN gateways at all. This should be done by OpenVPN, when the connection is established.
                    The OpenVPN settings tab provides the "Remote Networks" field to aim this.

                    Where do you see that? All I see is pushing routes in the Additional configuration options box, which I don't think would do what is needed. I would also go with adding static routes between the servers, as @JimCorkery is doing. This way, all the client has to know is how to reach the default gateway and let it sort things out.

                    • viragomann @JKnott

                      @jknott said in OpenVPN to head office and branch:

                      Where do you see that?

                      Remote Networks?


                      These fields in the OpenVPN settings are meant to enter networks which OpenVPN should set routes for to the remote endpoint, when connecting.

                      Setting a static route may end up in issues when the connection is down.

                      • JimCorkery @viragomann

                        @viragomann I have a site to site (peer to peer) VPN. Then at each site, I have a Remote Access VPN (for staff to connect into) set up at both ends as well, so clients can connect to their site. Once connected to their site, they should be able to access any of the PCs (Remote Access VPN client to Site A, Site A LAN PC, across the site to site tunnel to Site B, Site B LAN PC, and Remote Access VPN Client at Site B PC).

                        The Ping works. DNS / NetBIOS doesn't. When I remote into Site B, I can ping a local LAN PC at that site by its NetBIOS name. When I VPN into Site A, I cannot now, but I could before. I'm sure I messed up DNS / Domain name setup somewhere. My head is swirling with all of this, so I can't pinpoint what setting I messed up.

                        • JKnott @viragomann

                          @viragomann

                          Finally found that on the Client page. When I create a client, such as a notebook computer, I use the Client Export page, which does not have those settings. When I tell someone to use a setting, I also tell them where to find it, as it helps with something as complex as pfSense. Perhaps having "client" in the title for both pages is confusing. Perhaps the "Client" page should be called "Peer to Peer". As the server page also doesn't have that setting, a route will still have to be configured separately on the head office server to reach the VPN off the branch server.

                          • viragomann @JKnott

                            @jknott
                            Ahh, I see, you're talking about the client config.
                            As I understood, we are talking about a peer-to-peer here and it should be set up in the GUI. But yes, the "Remote networks" option does nothing other than set the "route x.x.x.x" directive in the client config.

                            The client export utility is meant to be used for access servers, whose clients get the proper routes pushed by the server anyway.

                            • viragomann @JimCorkery

                              @jimcorkery
                              NetBIOS is not supported across a peer-to-peer VPN.
                              As mentioned, you can provide your internal DNS server to the clients in the OpenVPN access server settings, but the clients may need to use FQDNs to access the remote sites, since they are not joined to the remote domain.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.