Netgate Discussion Forum
    OpenVPN to head office and branch

    JimCorkery @JimCorkery

      SOOOO, I think I stumbled on the fix. I'm still trying to get DNS to work across the connections, however IP is working correctly.

      1. Go into your "Interfaces" and enable the OPT interfaces.
      2. Now go into System > Routing > Static Routes. Click ADD.
         Type your destination network (the other side's IP range, e.g. 192.168.3.0/24).
         Select the OPT2_VPNV4 gateway (or another one if that isn't the corresponding "OPT" of the VPN tunnel).
      3. Repeat this on the other router.
      4. Set up firewall rules for the OPT2 interfaces on each router to allow all.

      I have made MANY changes trying to figure this out, but I think those were the ones that made the difference.

      P.S. If anyone has advice on handling the DNS / Netbios stuff, I'm all ears.

      viragomann @JimCorkery

        @jimcorkery
        It's basically not a good idea to add static routes for VPN gateways at all. This should be done by OpenVPN when the connection is established.
        The OpenVPN settings tab provides the "Remote Networks" field for this.

        When you want to access the remote DNS server from the local site, you might have to add the local network to its ACLs.
        Also consider that you will have to add the domain name when requesting remote hosts.

        JimCorkery @viragomann

          @viragomann
          I have a question. My VPN-client-connected Router A gets a list of DNS servers that I have specified in the VPN server setup. When I do an NSLOOKUP from my command prompt, it uses the DNS on the local network and not the VPN. If I ping the computer name of the file server on the VPN, it doesn't go through, but pinging the IP address works.
          This WAS working, but something that I have done along the way seems to have broken it. Now, if I VPN into Router B, it is working. Go figure.

          viragomann @JimCorkery

            @jimcorkery
            To recap, you have a peer-to-peer OpenVPN, and the server provides a DNS server list. On a device in the client's LAN you try to resolve host names?
            What is your client site DNS server?

            JKnott @viragomann

              @viragomann said in OpenVPN to head office and branch:

              It's basically not a good idea to add static routes for VPN gateways at all. This should be done by OpenVPN, when the connection is established.
              The OpenVPN settings tab provides the "Remote Networks" field to aim this.

              Where do you see that? All I see is pushing routes in the Additional configuration options box, which I don't think would do what is needed. I would also go with adding static routes between the servers, as @JimCorkery is doing. This way, all the client has to know is how to reach the default gateway and let it sort things out.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              viragomann @JKnott

                @jknott said in OpenVPN to head office and branch:

                Where do you see that?

                Remote Networks?

                [screenshot: OpenVPN settings page showing the "Remote Networks" fields]

                These fields in the OpenVPN settings are where you enter the networks for which OpenVPN should set routes to the remote endpoint when connecting.

                Setting static routes may cause issues when the connection is down.

                JimCorkery @viragomann

                  @viragomann I have a site-to-site (peer-to-peer) VPN. Then at each site, I have a Remote Access VPN (for staff to connect into) set up at both ends as well, so clients can connect to their site. Once connected to their site, they should be able to access any of the PCs: a Remote Access VPN client at Site A, a Site A LAN PC, across the site-to-site tunnel to a Site B LAN PC, and a Remote Access VPN client PC at Site B.

                  The ping works. DNS / NetBIOS doesn't. When I remote into Site B, I can ping a local LAN PC at that site by its NetBIOS name. When I VPN into Site A, I cannot now, but I could before. I'm sure I messed up the DNS / domain name setup somewhere. My head is swirling with all of this, so I can't pinpoint what setting I messed up.

                  JKnott @viragomann

                    @viragomann

                    Finally found that on the Client page. When I create a client, such as a notebook computer, I use the Client Export page, which does not have those settings. When I tell someone to use a setting, I also tell them where to find it, as it helps with something as complex as pfSense. Perhaps having "client" in the title for both pages is confusing. Perhaps the "Client" page should be called "Peer to Peer". As the server page also doesn't have that setting, a route will still have to be configured separately on the head office server to reach the VPN off the branch server.


                    viragomann @JKnott

                      @jknott
                      Ahh, I see, you're talking about the client config.
                      As I understood, we are talking about a peer-to-peer here and it should be set up in the GUI. But yes, the "Remote Networks" option does nothing other than set the "route x.x.x.x" directive in the client config.

                      The client export utility is meant to be used for access servers, whose clients get the proper routes pushed by the server anyway.

                      viragomann @JimCorkery
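Added illustration, not written by anyone in this thread: what the "Remote Networks" fields become in the OpenVPN configs pfSense generates for a peer-to-peer (SSL/TLS) site-to-site tunnel, as an alternative to the static routes from the first post. All addresses, hostnames, file names and the client-config directory are assumptions: head office LAN 192.168.2.0/24, branch LAN 192.168.3.0/24 (the "other side" range from the first post), tunnel network 10.8.0.0/24, branch certificate common name branch-fw.

```conf
########## Head office firewall: peer-to-peer (SSL/TLS) server ##########
# Generated-config equivalents of the pfSense GUI fields (assumed values).
dev tun
proto udp4
port 1194
topology subnet
server 10.8.0.0 255.255.255.0            # "IPv4 Tunnel Network"
# "IPv4 Remote Networks" on the server page: a kernel route that sends
# branch-LAN traffic into the tunnel. OpenVPN adds it when the tunnel comes
# up and removes it when the tunnel goes down, unlike a static route under
# System > Routing, which stays in place while the tunnel is down.
route 192.168.3.0 255.255.255.0
# In server mode OpenVPN must also learn WHICH connected client owns
# 192.168.3.0/24. pfSense writes this from "Remote Networks" in a Client
# Specific Override for the branch certificate's common name
# (directory name and file content assumed):
client-config-dir ccd
#   ccd/branch-fw:   iroute 192.168.3.0 255.255.255.0
ca ca.crt
cert headoffice.crt
key headoffice.key
dh dh2048.pem
tls-crypt ta.key

########## Branch firewall: peer-to-peer (SSL/TLS) client ##########
dev tun
proto udp4
client
remote vpn.headoffice.example 1194       # assumed hostname
# "IPv4 Remote Networks" on the client page: route the head-office LAN
# through the tunnel for as long as it is up.
route 192.168.2.0 255.255.255.0
ca ca.crt
cert branch-fw.crt
key branch-fw.key
tls-crypt ta.key
```

Check: with the tunnel up, Diagnostics > Routes (or `netstat -rn` from a shell) on each firewall should list the far LAN via the ovpns/ovpnc interface, and that entry should vanish when the tunnel drops; a static route via the VPN gateway does not, which is the problem viragomann is pointing at. With the shared-key peer-to-peer mode there is only one peer, so the iroute/override step does not apply. Routes alone do not pass traffic: both firewalls still need pass rules on the OpenVPN interface (or the assigned OPT interface), and an "allow all" rule there, as in the first post, is worth narrowing to the LAN-to-LAN traffic actually required. Any further subnet that has to cross the tunnel, such as a remote-access VPN's tunnel network, needs its own Remote Networks entry on the side that must route back to it.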

                        @jimcorkery
                        NetBIOS is not supported across a peer-to-peer VPN.
                        As mentioned, you can provide your internal DNS server to the clients in the OpenVPN access server settings, but the clients may need to use FQDNs to access the remote sites, since they are not joined to the remote domain.

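Added example, not part of the thread: the generated-config form of the access-server settings viragomann refers to, for the staff (road warrior) OpenVPN server at Site A in JimCorkery's layout. It pushes routes for both LANs plus the internal DNS server and a search domain. All addresses, the port, the file names and the domain corp.example are assumptions: Site A LAN 192.168.2.0/24 with an internal resolver at 192.168.2.10, Site B LAN 192.168.3.0/24 reached over the existing site-to-site tunnel, remote-access tunnel network 10.9.0.0/24.

```conf
########## Site A firewall: remote-access (road warrior) server ##########
# Generated-config equivalents of the pfSense access-server fields;
# all addresses, the port and the domain are assumed values.
dev tun
proto udp4
port 1195
topology subnet
server 10.9.0.0 255.255.255.0            # "IPv4 Tunnel Network" for staff clients
# "IPv4 Local Networks": routes pushed to every connecting client. Site B's
# LAN is listed too, because this firewall already reaches it over the
# site-to-site tunnel; the client only has to send that traffic here.
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
# "DNS Server 1" and "DNS Default Domain": the client receives the internal
# resolver and a search suffix, so a short name such as "fileserver" is
# looked up as fileserver.corp.example instead of by NetBIOS broadcast,
# which does not cross a routed tunnel.
push "dhcp-option DNS 192.168.2.10"
push "dhcp-option DOMAIN corp.example"
# "Block Outside DNS" (Windows clients, OpenVPN 2.4+): stops the client
# from querying the local LAN's DNS server in parallel with the VPN one,
# which is what an nslookup answered by the wrong resolver looks like.
push "block-outside-dns"
ca ca.crt
cert sitea-ras.crt
key sitea-ras.key
dh dh2048.pem
tls-crypt ta.key
```

Two things this config cannot do on its own. First, the return path: hosts at Site B reply to 10.9.0.x addresses, so the site-to-site config at Site B must carry 10.9.0.0/24 in its Remote Networks (and Site B's OpenVPN interface rules must pass that source), otherwise pings from a staff client at Site A to a Site B LAN PC go out but never come back; the same applies in mirror image for the remote-access server at Site B. Second, the resolver: pfSense's DNS Resolver refuses queries from networks that are not directly attached to that firewall, such as the far site's LAN, unless they are added under Services > DNS Resolver > Access Lists, which is the ACL point viragomann raises. To check a client, `ipconfig /all` on the OpenVPN adapter should show the pushed DNS server and the connection-specific suffix, and `nslookup fileserver.corp.example 192.168.2.10` tests the internal resolver directly, independent of whatever the LAN adapter's DNS settings are doing.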