Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN to OPT1

    Scheduled Pinned Locked Moved
    OpenVPN
    2
    7
    3.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      plaap
      last edited by

      Hi,

      I have succesfully setup an openvpn tunnel for road warriors. I can connect to the pfsense box and access the lan net. However I can't to connect to the subnet behind OPT1.

      Config:
      LAN : 10.0.0.0/24
      OPT1 : 10.1.0.0/16
      OpenVPN : 10.100.0.0/24

      I tried : "push 10.1.0.0 255.255.0.0" but this didn't work. Also I can ping from the client to the openvpn server address.

      Are there any special rules to apply? I thought there weren't any special fw rules for openvpn. Or am I missing something huge? :)

      1 Reply Last reply Reply Quote 0
      • GruensFroeschliG
        GruensFroeschli
        last edited by

        Is this a PKI or PSK setup?

        In a PKI you're right to add the push 10.1.0.0 255.255.0.0 to the custom options.
        You will have to reconnect the client for it to take effect.
        If it works you should see a change in the routing table of the connecting client.

        PS: the command looks like this

        push "route 10.1.0.0 255.255.0.0"

        including the ""
        For more: rtfm here http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        1 Reply Last reply Reply Quote 0
        • P
          plaap
          last edited by

          It is a PKI setup. The custom option is ok, I just mistyped the quotes here. The route is indeed added to the client. If I do a route print I can see the routes added.

          
Wed Aug 20 11:54:19 2008 us=313963 route ADD 10.0.0.0 MASK 255.255.255.0 10.100.0.5
Wed Aug 20 11:54:19 2008 us=315154 Route addition via IPAPI succeeded
Wed Aug 20 11:54:19 2008 us=315168 route ADD 10.1.0.0 MASK 255.255.0.0 10.100.0.5
Wed Aug 20 11:54:19 2008 us=316278 Route addition via IPAPI succeeded
Wed Aug 20 11:54:19 2008 us=316292 route ADD 10.100.0.0 MASK 255.255.255.0 10.100.0.5
Wed Aug 20 11:54:19 2008 us=317445 Route addition via IPAPI succeeded

          If I do a tracert to an ip in the opt1 range, the first hop is 10.100.0.1 (which is the pfsense box). It seems like all traffic stops there. Maybe it's more of a routing problem than an openvpn problem. I've enabled AON, maybe there's something missing there.
          I thinks it's a small problem but I seem to overlook it.

          1 Reply Last reply Reply Quote 0
          • GruensFroeschliG
            GruensFroeschli
            last edited by

            I'm writing over such a setup at this moment.
            It is working quite well. OPT1 is in my case the wireless-interface.

            Can you try to ping 10.1.0.1 (if this is the IP of pfSense on the 10.1.0.0/16 subnet)

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            1 Reply Last reply Reply Quote 0
            • P
              plaap
              last edited by

              I can ping the opt1 interface ip. Which is 10.1.0.99 in my case. I can also ping to a couple of other devices in the /16 opt1 network but only if they start with 10.1.0.x (meaning /24).

              1 Reply Last reply Reply Quote 0
              • GruensFroeschliG
                GruensFroeschli
                last edited by

                interresting.
                Can you confirm that the routes on the openVPN-client get added correctly?
                Can you ping from a client on the 10.1.0.0/16 NOT in the 10.1.0.0/24 range to an OpenVPN-client?

                We do what we must, because we can.

                Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                1 Reply Last reply Reply Quote 0
                • P
                  plaap
                  last edited by

                  I've tried this and it didn't work. I'll try to change an ip address from an unused device to the 'working' range to make sure I have the same effect.

                  Edit :
                  I've changed the ip from 10.1.101.200 to 10.1.0.200 and then it worked.

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post