Create an Outbound route - Client to Site

chlfigueiredo · Dec 9, 2023, 5:23 PM

Hello everyone, I have my first real project and I'm having difficulty finishing it, but they are already charging me, if anyone can help me I'll be very grateful for the help, I'll describe the scenario below:

[ The client who hired me has a partnership with a clinic that provides an application for them to use, but the clinic does not allow them to access it directly in their environment, for this reason I had to create an IPSec VPN to access the application's shared location ]

I configured an IPSec in the environment to connect the client with the clinic, all employees within the Network are working normally via the IPSec VPN, however my client has employees who work from home... so I created an openvpn connection so that They connect to pfsense, which is also working, but they cannot access the clinic's application.

I'm not able to configure this route so that employees who are connected via openvpn can use the clinic's application... which is a host that has a shared folder at IP 192.168.20.15, can anyone help me?

viragomann · Dec 9, 2023, 5:35 PM

@chlfigueiredo
Add 192.168.20.15/32 to the "local networks" in the OpenVPN server settings.
Then add an additional IPsec phase 2 to both endpoints for the OpenVPN access server tunnel network.

chlfigueiredo · Dec 9, 2023, 6:03 PM

@viragomann
Hi Viragomann, I'm sorry, would it be to create a rule in the openvpn tab, this first one, and the second would be what is in the image below?

🔒 Log in to view

viragomann · Dec 9, 2023, 6:45 PM

@chlfigueiredo
I was talking about an OpenVPN server setting as mentioned.
The access must also be permitted by the firewall naturally.

chlfigueiredo · Dec 9, 2023, 6:56 PM

@viragomann

viragomann thank you very much, it worked here... it's already working

JKnott · Dec 9, 2023, 9:39 PM

@chlfigueiredo said in Create an Outbound route - Client to Site:

which is a host that has a shared folder at IP 192.168.20.15

That's a problem, as you appear to use the same subnet on the right hand LAN. When doing routing like this, you have to examine from the perspective of the source. How does it reach the destination. In your example, it has the left pfSense for the default route, which is fine, as it should know the route to the right hand network and it would if you didn't use the same subnet on two locations. The routers don't know which way to send packets for that subnet.

JKnott · Dec 9, 2023, 9:45 PM

@viragomann said in Create an Outbound route - Client to Site:

Add 192.168.20.15/32 to the "local networks" in the OpenVPN server settings.

How does the right side network know how to reach that user? This is a perfect example of why using the same subnet for 2 networks is a bad idea.

BTW, several years ago I used to do a lot of travelling with my work. I'd find myself in a hotel somewhere, unable to reach my home network, as it was the same subnet as the hotel. After running into that a couple of times, I decided to move my home network to 172.16.0.0 /24, as I had only once seen anything in 172.16 used elsewhere.