Routing from OpenVPN clients over OpenVPN tunnels behind the OpenVPN server
-
Hello everybody,
Well, here is what my network currently looks like:

 ______________________  Client         Server  _________________________  Server         VPN        Client  _________________________  Server         Client  ______________________
| OpenVPN clients      | <-------------------> | pfSense1 OpenVPN Server | <------------------------------> | pfSense2 OpenVPN Server | <-------------------> | OpenVPN clients      |
| 10.245.1.0/24        |          VPN          | LAN1 IP : 10.45.1.241   | Client         VPN        Server | LAN2 IP : 10.65.0.5     |          VPN          | 10.265.1.0/24        |
| to LAN1 10.45.0.0/16 |                       |_________________________|                                  |_________________________|                       | to LAN2 10.65.0.0/16 |
|______________________|                                    |                                                            |                                    |______________________|
                                                ____________|____________                                   ____________|____________
                                               | LAN1 (10.45.0.0/16)     |                                  | LAN2 (10.65.0.0/16)     |
                                               |_________________________|                                  |_________________________|
My two pfSense boxes can easily communicate with each other through the parallel OpenVPN tunnels: each one is a client and a server for the other, and each one then has full access to the other LAN.
Each pfSense box also has another OpenVPN server config to allow road warriors to enter the LANs:
today, 10.245.1.0/24 can enter LAN1, and 10.265.1.0/24 can enter LAN2. Okay, that's nice, everything's working fine!
But I want more: what I really want today is that OpenVPN clients in the 10.245.1.0/24 range can communicate with LAN2 machines, and 10.265.1.0/24 can communicate easily with LAN1 machines.
If it were possible (if I could make a wish with some Arabian Nights magic) I would have all my road warriors able to talk to each other (10.265.1.0/24 to 10.245.1.0/24).
I've tried to add push "route 10.65.0.0 255.255.0.0" in the pfSense1 OpenVPN server config (custom options in pfSense), but it didn't change anything. My road warriors are still unable to go to LAN2, or to the other road warriors!
Is there someone here who has some ideas? I would be very thankful to anyone.
Thanks!
edit by GruensFroeschli: I fixed your diagram
edit by wedjat: thank you!
-
Why are you using two parallel site-to-site tunnels?
Just adding a push to the road-warrior setup is not enough.
The OpenVPN server on the other side of the site-to-site connection also needs to know the way to send traffic back.
So you need to add "route 10.245.1.0 255.255.255.0" and "route 10.265.1.0 255.255.255.0" respectively to the configs of the site-to-site connections.
-
Thank you for your answer GruensFroeschli!
Why are you using two parallel site-to-site tunnels?
In fact, with only one site-to-site tunnel, from 10.45.1.241 (server) to 10.65.0.5 (client), which connects the 10.65.0.0/16 network with the 10.45.0.0/16 network (expressed as remote networks in each configuration, respectively), I am able to ping 10.65.0.5 from 10.45.1.241, but I am unable to ping 10.45.1.241 from 10.65.0.5.
With two parallel tunnels, I was able to ping the other pfSense box from each side. Well, maybe it's useless for what I want to do, I don't know.
I will try your solution today (I am a little excited). I knew the "push route" command but didn't know the "route" command for OpenVPN. I will try that!
Thank you again!
-
Don't I need any "client-to-client" directives too?
There is also a checkbox in the server configuration, "Client-to-client VPN"; do I need it? Is this the same thing as the "client-to-client" directive?
-
Did you set up a PKI for the site-to-site?
If yes, drop it and set up a shared-key setup.
A PKI is used for road warriors to connect, not for site-to-site connections.
While it is technically possible, a PKI complicates everything unnecessarily. The fact that you need two parallel tunnels is proof enough.
(This is a work-around to avoid the more annoying stuff about site-to-site with a PKI.)
-
Thank you for your answer!
Did you set up a PKI for the site-to-site?
No, it is a shared-key setup for the tunnel between my two pfSense boxes (1.2.2). So I guess I don't need the client-to-client directive on either side of this tunnel?
The PKI is used only for my road warriors to access LAN1 through my pfSense1. Do I need to check the "Client-to-client VPN" box for that tunnel and/or add the client-to-client directive in the "custom options" textbox?
-
Oh, just to say that you were right, only one tunnel is necessary. I don't know what happened, but now I can ping each pfSense box from the other with only one tunnel.
But my road warriors are still unable to reach the other networks…
Where do I need to add the "route" commands? Do I have to add "route 10.245.1.0 255.255.255.0" on the pfSense2 box, or on the pfSense1 box? It's only for the site-to-site tunnels, right?
I only added push "route 10.65.0.5 255.255.255.0" to the server-side config for the road warriors. It's still not working :'(
-
1: You need to add for both road-warrior setups a push for the LAN on the other side of the site-to-site tunnel.
2: You need to add the route command on both sides of the site-to-site tunnel.
Add to:
- the pfSense with the LAN IP "10.45.1.241" the command "route 10.265.1.0 255.255.255.0" to the custom options.
- the pfSense with the LAN IP "10.65.0.5" the command "route 10.245.1.0 255.255.255.0" to the custom options.
-
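The two steps above, written out as complete OpenVPN configurations for both boxes. This is an added example for this thread; it is neither the original poster's configuration nor anything pfSense generates. The tunnel endpoints 10.0.8.1/10.0.8.2, the ports 1194/1195, the key and certificate paths, and 203.0.113.1 as pfSense1's WAN address are assumptions; the LAN and road-warrior subnets are taken from the thread as written. Note that 10.265.1.0 is not a valid IPv4 address (an octet cannot exceed 255), so OpenVPN will reject those lines until the real road-warrior subnet of pfSense2 is substituted.

```conf
# Added example for this thread; not the original poster's configuration and
# not pfSense-generated output. Assumed: tunnel endpoints 10.0.8.1/10.0.8.2,
# ports 1194/1195, the key/cert paths, and 203.0.113.1 as pfSense1's WAN address.
# Subnets are the thread's own; 10.265.1.0 is not a valid IPv4 address and
# must be replaced by pfSense2's real road-warrior subnet before use.

######## pfSense1  (LAN1 10.45.0.0/16, LAN IP 10.45.1.241) ########

## Site-to-site tunnel, shared-key (p2p) mode, listening side
dev tun
proto udp
port 1194
ifconfig 10.0.8.1 10.0.8.2
secret /var/etc/openvpn_server0.secret
keepalive 10 60
persist-key
persist-tun
# "route" installs kernel routes that send these destinations into this tunnel.
# The GUI "Remote network" field produces the first line; the second one is
# what goes into "Custom options".
route 10.65.0.0 255.255.0.0          # LAN2
route 10.265.1.0 255.255.255.0       # pfSense2's road warriors

## Road-warrior server, TLS/PKI mode
dev tun
proto udp
port 1195
server 10.245.1.0 255.255.255.0
ca   /var/etc/openvpn_server1.ca
cert /var/etc/openvpn_server1.cert
key  /var/etc/openvpn_server1.key
dh   /var/etc/openvpn_server1.dh
keepalive 10 60
persist-key
persist-tun
# "push route" only tells the connecting client which destinations to send
# into its tunnel. It does nothing for the return path; that is the job of
# the site-to-site "route" lines above.
push "route 10.45.0.0 255.255.0.0"     # LAN1 (local, GUI "Local network")
push "route 10.65.0.0 255.255.0.0"     # LAN2, behind the site-to-site tunnel
push "route 10.265.1.0 255.255.255.0"  # pfSense2's road warriors
# "client-to-client" switches packets between clients of THIS instance inside
# the OpenVPN process. It is not needed to reach LAN2 or the other box's
# road warriors: that traffic leaves via the kernel and the firewall.

######## pfSense2  (LAN2 10.65.0.0/16, LAN IP 10.65.0.5) ########

## Site-to-site tunnel, shared-key (p2p) mode, connecting side
dev tun
proto udp
remote 203.0.113.1 1194              # placeholder for pfSense1's WAN address
ifconfig 10.0.8.2 10.0.8.1
secret /var/etc/openvpn_client0.secret
keepalive 10 60
persist-key
persist-tun
route 10.45.0.0 255.255.0.0          # LAN1
route 10.245.1.0 255.255.255.0       # pfSense1's road warriors: the return path

## Road-warrior server, TLS/PKI mode
dev tun
proto udp
port 1195
server 10.265.1.0 255.255.255.0      # invalid as written in the thread; see above
ca   /var/etc/openvpn_server1.ca
cert /var/etc/openvpn_server1.cert
key  /var/etc/openvpn_server1.key
dh   /var/etc/openvpn_server1.dh
keepalive 10 60
persist-key
persist-tun
push "route 10.65.0.0 255.255.0.0"     # LAN2 (local)
push "route 10.45.0.0 255.255.0.0"     # LAN1, behind the site-to-site tunnel
push "route 10.245.1.0 255.255.255.0"  # pfSense1's road warriors
```

In pfSense 1.2.x the GUI writes everything except the extra "route" and "push" lines, which are entered in the "Custom options" field separated by semicolons. Two things the directives alone do not cover: pfSense's firewall must permit the traffic on the OpenVPN interfaces, and LAN hosts must send packets for the road-warrior subnets to their pfSense box (its being their default gateway is enough). Shared-key mode performs no source-address checking at all; the only such check OpenVPN makes is in TLS server mode, on packets arriving from a client, which must come from that client's assigned address or an "iroute" network (otherwise logged as "MULTI: bad source address from client"). Packets flowing towards a road warrior are never checked, so a reply that reaches the client's tunnel interface but never shows in ping is a client-host problem (its local firewall, or a conflicting route), not a tunnel problem.
-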
1: You need to add for both road-warrior setups a push for the LAN on the other side of the site-to-site tunnel.
2: You need to add the route command on both sides of the site-to-site tunnel.
Add to:
- the pfSense with the LAN IP "10.45.1.241" the command "route 10.265.1.0 255.255.255.0" to the custom options.
- the pfSense with the LAN IP "10.65.0.5" the command "route 10.245.1.0 255.255.255.0" to the custom options.
Thank you for your answer.
I've just done that, but it doesn't change anything. It seems that the road warriors don't want to reply to pings which come from the other LAN.
Oh, I was wondering: I have an IPsec tunnel between my two firewalls; it is used by my LAN1 hosts to reach the LAN2 machines. Can it conflict with OpenVPN?
-
Oh, I've noticed something which I think is very important:
when I ping the virtual OpenVPN client IP address of the LAN2 firewall (for the site-to-site tunnel) from a road warrior connected to LAN1, the ICMP echo request normally reaches the destination.
But the ICMP echo reply gets through all the interfaces, until it reaches the last interface, which belongs to the road warrior himself! But the answer to the ping still doesn't show in a shell!
I don't understand! The ICMP echo reply is right in front of him, in his computer, and the "ping" command doesn't display it!
Maybe OpenVPN filtering is mandatory to permit traffic other than from the OpenVPN server to reach the road warriors… I am running 2 pfSenses which are version 1.2.2.
-
Well, I think I found what the real problem is.
The first OpenVPN tunnel for road warriors only admits traffic with a source IP in 10.245.1.0/24 or 10.45.0.0/16.
The second OpenVPN site-to-site tunnel between my two firewalls only admits traffic with a source IP in 10.45.0.0/16 or 10.65.0.0/16.
Then routing is useless; packets just won't go to the next tunnel because of their invalid source IP, which cannot cross the tunnel.
I'm thinking about solutions such as outbound NAT, to translate such road-warrior 10.245.1.0/24 addresses into LAN1 10.45.0.0/16 addresses. So I would like to know if you can activate "Automatic outbound NAT rule generation (IPsec passthrough)" and enter your own mappings at the same time.
Is it possible?
If there is another solution building some smart and clever tunnels, I would also be interested.
-
The first OpenVPN tunnel for road warriors only admits traffic with a source IP in 10.245.1.0/24 or 10.45.0.0/16.
The second OpenVPN site-to-site tunnel between my two firewalls only admits traffic with a source IP in 10.45.0.0/16 or 10.65.0.0/16.
Did you assign the OpenVPN interfaces as OPTx interfaces?
And then create appropriate firewall rules on the OpenVPN interfaces to allow the different subnets?
-
Thank you for your answer ;)
Did you assign the OpenVPN interfaces as OPTx interfaces?
And then create appropriate firewall rules on the OpenVPN interfaces to allow the different subnets?
I read that this is only possible with pfSense 1.2.3, isn't it?
My two pfSense boxes are version 1.2.2.