    Routing issue for OpenVPN Clients

      Rohloff:

      Hi Folks,

      I have a little routing issue and hope someone can help me here, as I have no more ideas how to solve it.
      So first here are some ASCII diagrams so you know how it looks.

      Office 1:

      DSL-Line1                                                DSL-Line2
      PPPOE                                                    PPPOE
       |                                                        |
      pfSense box                                              DSL/VPN Router 2
      (OpenVPN server with PKI for road warriors)              (makes an IPSEC net-to-net connection to Offices 2-4)
      LAN 192.168.10.1                                         LAN 192.168.10.4
      (static route 192.168.20.0/24 via 192.168.10.4)          (static route 192.168.12.0/24 via 192.168.10.1)
       |                                                        |
       | 192.168.10.0/24                                        |
       -----------------------------switch-----------------------
                      |
                   Client x

      Office 2:

      DSL-Line
      PPPOE
       |
      DSL/VPN Router (makes an IPSEC net-to-net connection to Office 1)
      LAN 192.168.20.1 (static route 192.168.12.0/24 via 192.168.10.4)
       |
       | 192.168.20.0/24
       --------------
            |
         Client x

      The pfSense box at Office 1 acts as default gateway for the clients in that LAN and also has OpenVPN activated to let people from "the road" access the Office 1 net.
      The second router at Office 1, with its own DSL line, is only there to make a VPN net-to-net connection to Office 2.
      On the pfSense box I have set up a static route, net 192.168.20.0 and gateway 192.168.10.4, so the clients at
      Office 1 can reach Office 2 and vice versa. This is working so far.

      However, when I am connected from home via OpenVPN to Office 1, I also want to be able to reach Office 2 over
      Router 2 at Office 1.
      In the OpenVPN server config I have set 192.168.12.0 as the OpenVPN client IP pool and 192.168.10.0 as the reachable net.
      The OpenVPN server is pushing the Office 2 net to its clients via extra options.

      push "route 192.168.20.0 255.255.255.0"
      push "route 192.168.30.0 255.255.255.0"
      push "route 192.168.40.0 255.255.255.0"

      Router 2 at Office 1 has a static route 192.168.12.0/24 gateway 192.168.10.1,
      and the router at Office 2 has 192.168.12.0/24 gateway 192.168.10.4.

      My routing table from home connected via OpenVPN:

      192.168.12.1    192.168.12.5    255.255.255.255 UGH   0      0        0 tun0
      192.168.12.5    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
      192.168.20.0    192.168.12.5    255.255.255.0   UG    0      0        0 tun0
      192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
      192.168.30.0    192.168.12.5    255.255.255.0   UG    0      0        0 tun0
      192.168.10.0    192.168.12.5    255.255.255.0   UG    0      0        0 tun0
      192.168.40.0    192.168.12.5    255.255.255.0   UG    0      0        0 tun0
      0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

      And on the pfSense Box:

      Internet:
      Destination        Gateway            Flags    Refs      Use  Netif Expire
      default            x.x.x.x            UGS         0  1570647    ng0
      x.x.x.x           lo0                UHS         0        0    lo0
      127.0.0.1          127.0.0.1          UH          0        0    lo0
      192.168.10.0/24    link#2             UC          0        0    vr1
      192.168.10.4       x:x:x:12:ff:d7     UHLW        4        0    vr1    764
      192.168.12.0/24    192.168.12.2       UGS         0   225534   tun0
      192.168.12.2       192.168.12.1       UH          1        0   tun0
      192.168.20.0/24    192.168.10.4       UGS         0  3639777    vr1
      192.168.30.0/24    192.168.10.4       UGS         0   298924    vr1
      192.168.40.0/24    192.168.10.4       UGS         0   298910    vr1
      192.168.200.0/24   192.168.10.4       UGS         0   296292    vr1
      x.x.x.x      x.x.x.x       UH          1    72895    ng0

      Traceroute to Office 2 while being connected via OpenVPN ends at Router 2.

      traceroute to 192.168.20.1 (192.168.20.1), 30 hops max, 40 byte packets
      1  192.168.12.1 (192.168.12.1)  68.893 ms  70.798 ms  90.898 ms
      2  192.168.10.4 (192.168.10.4)  90.905 ms  92.740 ms  94.700 ms

      Traceroute from Office2 to my local OpenVPN IP:

      traceroute.lbl to 192.168.12.6 (192.168.12.6), 30 hops max, 40 byte packets
      1  192.168.20.1 (192.168.20.1)  0.801 ms  0.401 ms  0.341 ms
      2  *

      Traceroute from Office2 to pfSense box:

      traceroute.lbl to 192.168.10.1 (192.168.10.1), 30 hops max, 40 byte packets
      1  192.168.20.1 (192.168.20.1)  1.523 ms  0.481 ms  0.420 ms
      2  192.168.10.4 (192.168.10.4)  68.998 ms  72.004 ms  73.246 ms
      3  * *

      Traceroute from Office2 to server at Office1:

      traceroute.lbl to 192.168.10.2 (192.168.10.2), 30 hops max, 40 byte packets
      1  192.168.20.1 (192.168.20.1)  0.841 ms  0.401 ms  0.341 ms
      2  192.168.10.4 (192.168.10.4)  67.915 ms  73.246 ms  77.355 ms
      3  192.168.10.2 (192.168.10.2)  69.820 ms  65.992 ms  67.735 ms

      Any hints on how to solve this?

      P.S. There are also Office 3 and 4 (.30.x and .40.x), which should also be reachable like Office 2, but I have kept them out to keep it simpler.

      Rohloff

        Rohloff:

        bump

        No one with an idea what the problem could be? Any information missing?
        As far as I know, the pfSense box should automatically route the traffic from the OpenVPN net to the other office nets, or?
        I searched this forum and other sources but didn't find out what the problem could be.

        Oh, and I don't get any money for this. ;)

        Rohloff

          Rohloff:

          So no one with an idea or hint??

          I can ping pfSense on its LAN IP while being connected from outside via OpenVPN, but traceroute doesn't work. I think this is one of the problems. The second office router has the static route with the pfSense box LAN IP as gateway for the OpenVPN net.

          traceroute 192.168.10.1
          traceroute to 192.168.10.1 (192.168.10.1), 30 hops max, 40 byte packets
          1  * * *

           ping 192.168.10.1
          PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
          64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=68.5 ms
          
            GruensFroeschli:

            How do you connect from home?
            To the same server as you use for the site-to-site connection?

            I wouldn't suggest such a setup.
            While it's doable, it introduces a lot of complexity.

            Is the current site-to-site set up using a PKI? (just because you're using pushes).

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

              Rohloff:

              I have an OpenVPN server with PKI activated on the pfSense box and connect that way into the main office net.
              I can reach all hosts in that net via ping and traceroute, also the second router, which makes the net-to-net connections to the other offices. But routing to the other office nets doesn't work when connected via OpenVPN from outside. Traceroute always ends at the second VPN router.
              And I have to get it running this way. :( I never thought it would be that hard. What I don't understand is why the pfSense box is not routing the traffic correctly!?

              The OpenVPN server config on the pfSense box:

              writepid /var/run/openvpn_server0.pid
              #user nobody
              #group nobody
              daemon
              keepalive 10 60
              ping-timer-rem
              persist-tun
              persist-key
              dev tun
              proto udp
              cipher BF-CBC
              up /etc/rc.filter_configure
              down /etc/rc.filter_configure
              server 192.168.12.0 255.255.255.0
              client-config-dir /var/etc/openvpn_csc
              push "route 192.168.10.0 255.255.255.0"
              lport 1194
              push "dhcp-option WINS 192.168.10.2"
              push "dhcp-option NBT 2"
              ca /var/etc/openvpn_server0.ca
              cert /var/etc/openvpn_server0.cert
              key /var/etc/openvpn_server0.key
              dh /var/etc/openvpn_server0.dh
              crl-verify /var/etc/openvpn_server0.crl
              comp-lzo
              persist-remote-ip
              float
              push "route 192.168.20.0 255.255.255.0"
              push "route 192.168.30.0 255.255.255.0"
              push "route 192.168.40.0 255.255.255.0"
              management 127.0.0.1 1194

                GruensFroeschli:

                I don't think it's a problem of the VPN, but of your router config at office2.
                What I'm missing in the picture is what subnet is in the tunnel between office1 and office2.

                Your static route at office2 for the OpenVPN subnet points to 192.168.10.4.
                But that's the local IP on site1.
                What is the gateway IP of the router in office2 to reach office1?

                We do what we must, because we can.

                Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                  Rohloff:

                  I edited the ASCII diagrams to make it clearer.

                  There is no tunnel between Office 1 and 2 like in OpenVPN routing mode. Router 2 at Office 1 and the router at Office 2 are making an IPSEC net-to-net connection.

                  So the static routes should be OK like in the ASCII diagram, I think. But still, a road warrior traceroute to Office 2 always ends at 192.168.10.4. ???

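As an added example (not code from the thread), the following Python model walks a packet hop by hop through the routing tables from the first post and, following GruensFroeschli's question about what subnet is in the tunnel, treats the IPsec link between Router 2 and the Office 2 router as policy-based, so it only carries traffic that matches its selectors. Both that policy and the simplification of tun0 to a single 192.168.12.0/24 link are assumptions; with selectors covering only the two office LANs the model stops at Router 2 like the posted traceroute, and with the OpenVPN subnet added to the policy both directions complete.

```python
import ipaddress as ipa
# Added example, not from the thread: a model of the first post's devices. Assumptions:
# the IPsec link between Router2 and the Office 2 router is policy-based; tun0 is one /24.
DEVICES = {  # name: (connected interfaces, static routes as (prefix, next hop))
    "roadwarrior": (["192.168.12.6/24"], [("192.168.10.0/24", "192.168.12.1"),
                                          ("192.168.20.0/24", "192.168.12.1")]),
    "pfsense": (["192.168.12.1/24", "192.168.10.1/24"], [("192.168.20.0/24", "192.168.10.4")]),
    "router2": (["192.168.10.4/24"], [("192.168.12.0/24", "192.168.10.1"),
                                      ("192.168.20.0/24", "ipsec")]),
    "office2": (["192.168.20.1/24"], [("192.168.10.0/24", "ipsec"),
                                      ("192.168.12.0/24", "192.168.10.4")]),
}
IPSEC_PEERS = {"router2": "office2", "office2": "router2"}
LAN_ONLY_POLICY = [("192.168.10.0/24", "192.168.20.0/24")]          # assumed current selectors
WITH_OPENVPN_POLICY = LAN_ONLY_POLICY + [("192.168.12.0/24", "192.168.20.0/24")]

def lookup(dev, dst):
    """Longest-prefix match: 'connected', 'ipsec', a gateway IP string, or None."""
    links, routes = DEVICES[dev]
    cands = [(ipa.ip_interface(c).network, "connected") for c in links]
    cands += [(ipa.ip_network(c), nh) for c, nh in routes]
    hits = [(net.prefixlen, nh) for net, nh in cands if dst in net]
    return max(hits)[1] if hits else None

def owner(ip):
    """Device that holds this address in the model, or None."""
    return next((n for n, (links, _) in DEVICES.items()
                 if any(ipa.ip_interface(c).ip == ip for c in links)), None)

def policy_allows(src, dst, policy):
    """Policy-based IPsec only carries packets that match a selector pair."""
    return any((src in ipa.ip_network(a) and dst in ipa.ip_network(b)) or
               (src in ipa.ip_network(b) and dst in ipa.ip_network(a)) for a, b in policy)

def trace(src_dev, dst_ip, policy):
    """Walk one packet hop by hop; returns (devices crossed, final status)."""
    src, dst = ipa.ip_interface(DEVICES[src_dev][0][0]).ip, ipa.ip_address(dst_ip)
    dev, path = src_dev, [src_dev]
    while owner(dst) != dev:
        nh = lookup(dev, dst)
        if nh not in (None, "connected", "ipsec"):   # gateway IP: resolve it recursively
            gw = ipa.ip_address(nh)
            nh = {"connected": gw, "ipsec": "ipsec"}.get(lookup(dev, gw))
        if nh == "ipsec" and not policy_allows(src, dst, policy):
            return path, f"{dev}: dropped, not covered by IPsec policy"
        dev = IPSEC_PEERS[dev] if nh == "ipsec" else owner(dst if nh == "connected" else nh)
        if nh is None or dev is None or dev in path:   # no route, unknown hop, or loop
            return path, f"{path[-1]}: no usable route"
        path.append(dev)
    return path, "delivered"
```

Call `trace("roadwarrior", "192.168.20.1", LAN_ONLY_POLICY)` and `trace("office2", "192.168.12.6", LAN_ONLY_POLICY)` to see where each direction stops, then repeat with `WITH_OPENVPN_POLICY`.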