Netgate Discussion Forum

    Openvpn client not route traffic from other interface

      zeliko

      Hello everyone,
      I have this setup on my pfSense:

      int wan --> 192.168.0.2
      int lan --> 10.10.110.0/24
      int OFFICE ( vlan xxx ) --> 10.10.111.0/24
      Virtual ip OpenVPN --> 10.8.0.x/24

      LAN-OpenVPN --> 172.16.7.0/24

      I have configured my OpenVPN client, which connects successfully. From the LAN interface, I can ping the client's network, but from the OFFICE interface, I can't.

      Ping from LAN to LAN-OpenVPN --> Ok
      Ping from OpenVpn to VirtualIP OpenVpnClient --> OK

      Ping from OFFICE to VirtualIP OpenVpnClient --> OK
      Ping from OFFICE to OpenVpnClient-GW ---> FAIL
      Ping from OFFICE to LAN-OpenVPN --> FAIL

      The routing appears to be correct.

        viragomann @zeliko

        @zeliko said in Openvpn client not route traffic from other interface:

        LAN-OpenVPN --> 172.16.7.0/24

        Is this the local network of the OpenVPN client?
        And if so, you want to access this network from your LAN and Office?

        Is the peer-to-peer OpenVPN or an access server?

          zeliko @viragomann

          @viragomann
          Yes, I have multiple LANs connected to the VPN.
          It is an OpenVPN access server.

            viragomann @zeliko

            @zeliko
            So you have to configure a CSO (VPN > OpenVPN > Client Specific Overrides) for the client whose LAN you want to access.

            You need to specify at least the server, the Common Name (the common name of the client's certificate or the user name; consider setting "Username as Common Name" in the server settings properly) and the client's LAN in IPv4 Remote Network/s.

              zeliko @viragomann

              @viragomann
              Hello,
              I have set the options described, but nothing changes.
              The PC connected to the LAN does not get the route for the VPN LAN.

              While the route is correctly set to PFSENSE:

              route -n get 172.16.7.20
              route to: 172.16.7.20
              destination: 172.16.7.0
              mask: 255.255.255.0
              gateway: 10.8.0.1
              fib: 0
              interface: ovpnc1

                viragomann @zeliko

                @zeliko said in Openvpn client not route traffic from other interface:

                While the route is correctly set to PFSENSE:
                route -n get 172.16.7.20
                route to: 172.16.7.20
                destination: 172.16.7.0
                mask: 255.255.255.0
                gateway: 10.8.0.1

                If the route was set correctly, it would point to the client's IP. I doubt that this is 10.8.0.1.

                So possibly the CSO is not applied due to a wrong configuration.
                The OpenVPN log shows if it is applied when establishing the connection.

                  zeliko

                  @viragomann
                  Hello,
                  I finally found the error. The NAT of the local interface on the VPN interface was missing!

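An added example, not part of the thread or of pfSense: a small Python model of why the missing outbound NAT reported in the last post produces the ping results listed in the first post. It assumes the far side has return routes only for the tunnel network and its own LAN, that LAN was already translated on ovpnc1 before the fix, and that "VirtualIP OpenVpnClient" is the firewall's own tunnel address; `10.8.0.6` and the two host addresses are constructed.

```python
"""Toy model of the thread's symptoms: which pings get a reply, and why outbound NAT fixes it."""
from ipaddress import ip_address, ip_network

# Networks from the thread; values marked "constructed" are not on the page.
TUNNEL_NET = ip_network("10.8.0.0/24")
REMOTE_LAN = ip_network("172.16.7.0/24")
OFFICE = ip_network("10.10.111.0/24")
LAN = ip_network("10.10.110.0/24")
FW_TUNNEL_IP = ip_address("10.8.0.6")   # constructed stand-in for 10.8.0.x

# Assumption: the far side only routes back to the tunnel network and its own LAN.
REMOTE_RETURN_ROUTES = [TUNNEL_NET, REMOTE_LAN]


def source_seen_by_remote(src, nat_sources):
    """Source address after outbound NAT on the VPN interface (ovpnc1)."""
    src = ip_address(src)
    if any(src in net for net in nat_sources):
        return FW_TUNNEL_IP          # translated to the firewall's tunnel address
    return src                       # leaves the tunnel with its original address


def ping_succeeds(src, dst, nat_sources):
    """True if an echo request from src to dst would get a reply in this model."""
    dst = ip_address(dst)
    if dst == FW_TUNNEL_IP:
        return True                  # answered by the firewall itself, never enters the tunnel
    seen = source_seen_by_remote(src, nat_sources)
    # The reply only comes back if the far side has a route to the source it saw.
    return any(seen in net for net in REMOTE_RETURN_ROUTES)


def symptom_table(nat_sources):
    """Ping results for the four cases named in the first post."""
    office_host, lan_host = "10.10.111.50", "10.10.110.50"   # constructed hosts
    return {
        "LAN -> remote LAN": ping_succeeds(lan_host, "172.16.7.20", nat_sources),
        "OFFICE -> own tunnel IP": ping_succeeds(office_host, str(FW_TUNNEL_IP), nat_sources),
        "OFFICE -> tunnel gateway": ping_succeeds(office_host, "10.8.0.1", nat_sources),
        "OFFICE -> remote LAN": ping_succeeds(office_host, "172.16.7.20", nat_sources),
    }


if __name__ == "__main__":
    # "before": only LAN is translated on ovpnc1 (assumption); "after": OFFICE added.
    for label, nat in (("before", [LAN]), ("after", [LAN, OFFICE])):
        print(label, symptom_table(nat))
```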