From roadwarriors to VPN site to site
- 
 I have attached the screenshot. My VPN roadwarriors do not ping the VPN site to site.
- 
 @Cry: For anything more precise you'll need to provide a diagram of your networks, how they are connected and what IP ranges you're using. 
- 
 You will also want to remove your actual public IPs/FQDNs from your examples above. 
- 
 On one pfSense box I have the following OpenVPN configurations:
 As a server for Road Warriors:
 Dynamic IP: yes
 Address pool: 10.99.254.0/24
 Local network: 192.168.100.0/24
 Client-to-client VPN: yes
 Cryptography: BF-CBC (128-bit)
 Authentication method: PKI
 CA cert
 Server cert
 Server key
 DH parameters
 TLS
 LZO compression: yes
 As server for Site-To-Site OpenVPN:
 Address pool: 10.11.12.0/24
 Remote network: 192.168.200.0/24
 Cryptography: BF-CBC (128-bit)
 Authentication method: Shared key
 Shared key cert
 LZO compression: yes
 My routing issue is:
 From Site 1 I can reach hosts on Site 2 and vice versa.
 From Road Warrior I can reach hosts on Site 1.
 I want to be able to reach hosts in Site 2 from Road Warrior.
 Could you help me?
- 
 It would be much, much easier to help you if you'd provide the information we ask for. I'm guessing that Site 2 doesn't know how to route to the Road Warrior LAN. 
- 
 Yes :) Roadwarriors don't ping site 2 
- 
 I'll say it slightly differently - have you configured the routers at Site 2 so that they know how to route to the Road Warrior subnet? They'll need a static route for 10.99.254.0/24 with a route through the Site 2 OpenVPN server's LAN IP. 
- 
 I was told this arrangement isn't possible, to have OpenVPN clients to one LAN have their traffic pass through another OpenVPN to another LAN… so I just set up more OpenVPN clients and servers.... It would be nice if each site could only need 1 OpenVPN... but I never got that working! 
- 
 That's not actually true. 
 I have this exact setup working. It's really a matter of setting up static routes on every router involved, so every device knows where to send traffic.
- 
 It is perfectly possible - I've done it and I know some folks who have an intra-site VPN that they use daily without problems. As GruensFroeschli said, it's just a matter of getting the routes right. 
- 
 I don't follow. The site-to-site OpenVPN comes up and the routes are set up. I have a client-to-site VPN on the same pfSense and I add the correct push route statement to the OpenVPN configuration. Client VPN traffic goes from OpenVPN to the pfSense first hop, but then no further. How could I add a route for this? 
- 
 The other side of the site-to-site knows nothing about the roadwarrior subnet. 
 -> You need a static route to make the roadwarriors known.
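
The routing problem discussed in this thread, as an added example that is not part of any post: a small model that traces a ping from a road warrior to a Site 2 host and traces the reply back, using longest-prefix matching on each node's routes. The subnets are the ones quoted in the thread; the node names, the sample host addresses and the "wan" default hop are assumptions made for the illustration.

```python
import ipaddress

# Subnets are the ones quoted in the thread; node names, sample host
# addresses and the "wan" default hop are constructed for this illustration.
RW_POOL, SITE1_LAN, SITE2_LAN = "10.99.254.0/24", "192.168.100.0/24", "192.168.200.0/24"

def build_tables(push_site2_to_clients, site2_route_to_rw):
    """Routing table per node as (prefix, next_hop); 'local' = directly attached."""
    client = [(RW_POOL, "local"), (SITE1_LAN, "site1"), ("0.0.0.0/0", "wan")]
    site1 = [(RW_POOL, "local"), (SITE1_LAN, "local"),
             (SITE2_LAN, "site2"), ("0.0.0.0/0", "wan")]
    site2 = [(SITE2_LAN, "local"), (SITE1_LAN, "site1"), ("0.0.0.0/0", "wan")]
    if push_site2_to_clients:      # route pushed to clients by the road warrior server
        client.append((SITE2_LAN, "site1"))
    if site2_route_to_rw:          # static route for the road warrior pool at Site 2
        site2.append((RW_POOL, "site1"))
    return {"client": client, "site1": site1, "site2": site2}

def next_hop(table, dst):
    """Longest-prefix match of dst against one node's routing table."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), hop) for p, hop in table]
    return max((n for n in nets if addr in n[0]), key=lambda n: n[0].prefixlen)[1]

def trace(tables, node, dst, max_hops=8):
    """Follow next hops until the packet is delivered or leaves via the WAN."""
    path = [node]
    for _ in range(max_hops):
        hop = next_hop(tables[node], dst)
        if hop in ("local", "wan"):
            return path + ["delivered" if hop == "local" else "wan"]
        path.append(hop)
        node = hop
    return path + ["loop"]

def ping(tables, src_ip="10.99.254.6", dst_ip="192.168.200.10"):
    """A ping only succeeds if the request AND the reply are both routable."""
    request = trace(tables, "client", dst_ip)
    reply = trace(tables, "site2", src_ip)
    ok = request[-1] == "delivered" and reply[-1] == "delivered"
    return ok, request, reply

if __name__ == "__main__":
    for push, static in [(False, False), (True, False), (True, True)]:
        ok, req, rep = ping(build_tables(push, static))
        print(f"push={push} site2_static={static} ok={ok}\n  request: {req}\n  reply:   {rep}")
```

With only the pushed route in place the request reaches Site 2, but the reply follows Site 2's default route out the WAN, which matches the "first hop, but then no further" symptom described above.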

