[SOLVED] Site to site with vps server
-
Good evening to you all!
I have the following topology for my VPN:

CL1 (192.168.100.10), CL2 (192.168.100.11)
   |
pfsense1 (LAN 192.168.100.1)
   |
OvpnSrv (10.8.0.1, public_ip: 11.22.33.44)
   |
pfsense2 (LAN 192.168.101.1)
   |
CL3 (192.168.101.21), CL4 (192.168.101.22)
This is my server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh4096.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 192.168.100.0 255.255.255.0
route 192.168.101.0 255.255.255.0
client-to-client
push "route 192.168.100.0 255.255.255.0"
push "route 192.168.101.0 255.255.255.0"
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
comp-lzo
user openvpn_server
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
From CL1 I can ping pfsense2 but not CL3 or CL4.
Same on the other side:
from CL3 I can ping pfsense1 but not CL1 or CL2.
I'm very much a noob in pfSense and networking, but I think I have to configure rules or NAT or something similar in pfsense1 and pfsense2.
Thanks
-
Why do you push both sites' LAN subnets to the VPN client?
You haven't mentioned which site is the server and which is the client. But no matter, just enter the other site's LAN subnet in the "IPv4 Remote Networks" box in the server and the client settings, nothing else.
-
Many thanks for the reply.
The server is ovpnsrv that is a linode vps.
Pfsense1 and pfsense2 are both clients.
There are other VPSes that are OpenVPN clients in the Linode cloud: I want them all to be able to see the pfsense1 and pfsense2 subnets. Is your answer still valid?
Thanks
-
I see. I didn't notice the server in the middle of your graphic.
Yes, my answer above is valid anyway. But on the server you also need the iroute command for each client. Have you set these?
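The iroute step the answer above asks about, as an added example that is not part of the thread: a small POSIX sh script that writes one ccd file per pfSense client (file name = certificate common name) and then checks that every iroute has the matching route line in server.conf, since OpenVPN needs both before it will forward a client's LAN. The working directory, the common names pfsense1/pfsense2 and the /24 masks are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: writes per-client iroute files and
# checks each iroute against the "route" lines in server.conf.
# Directory and client names are assumptions, not taken from a real install.
set -eu

OVPN_DIR="${OVPN_DIR:-/tmp/ovpn-demo}"   # assumed working copy, not /etc/openvpn

# write_ccd <client CN> <subnet> <netmask> [remote subnet to push]
# The file name must equal the client's certificate common name.
write_ccd() {
    mkdir -p "$OVPN_DIR/ccd"
    printf 'iroute %s %s\n' "$2" "$3" > "$OVPN_DIR/ccd/$1"
    # Per-client push of only the other site's LAN (same mask assumed),
    # instead of pushing both subnets to every client from server.conf.
    [ $# -ge 4 ] && printf 'push "route %s %s"\n' "$4" "$3" >> "$OVPN_DIR/ccd/$1"
    return 0
}

# check_routes: non-zero exit if any ccd iroute lacks a matching "route"
# in server.conf (route = kernel table entry, iroute = which client owns it).
check_routes() {
    status=0
    for f in "$OVPN_DIR"/ccd/*; do
        [ -f "$f" ] || continue
        while read -r kw net mask; do
            [ "$kw" = "iroute" ] || continue
            if ! grep -qFx "route $net $mask" "$OVPN_DIR/server.conf"; then
                echo "MISSING: route $net $mask (needed by ccd/$(basename "$f"))" >&2
                status=1
            fi
        done < "$f"
    done
    return $status
}

# Constructed demo reproducing the thread's two sites behind OvpnSrv.
demo() {
    mkdir -p "$OVPN_DIR"
    printf 'route 192.168.100.0 255.255.255.0\nroute 192.168.101.0 255.255.255.0\n' \
        > "$OVPN_DIR/server.conf"
    write_ccd pfsense1 192.168.100.0 255.255.255.0 192.168.101.0
    write_ccd pfsense2 192.168.101.0 255.255.255.0 192.168.100.0
    check_routes
}

demo && echo "ccd iroutes consistent with server.conf routes"
```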
-
Thanks for the support!
After your advice routing was OK, but clients that are behind pfSense respond only to ping…
no http, no ssh, nothing!!!!
I thought it was some sort of firewall rule, but the problem was that pfSense is on a VM (KVM on a very old Proxmox 1.9):
solved with this
https://doc.pfsense.org/index.php/VirtIO_Driver_Support
Thanks