From road warriors to VPN site-to-site
-
@Cry:
For anything more precise you'll need to provide a diagram of your networks, how they are connected and what IP ranges you're using.
-
you will also want to remove your actual public IPs/FQDNs from your examples above.
-
On one pfSense box I have the following OpenVPN configurations:
As a server for Road Warriors
Dynamic IP: yes
Address pool: 10.99.254.0/24
Local network: 192.168.100.0/24
Client-to-client VPN: yes
Cryptography: BF-CBC (128-bit)
Authentication method: PKI
CA cert
Server cert
Server key
DH parameters
TLS
LZO compression: yes
As server for Site-To-Site OpenVPN
Address pool: 10.11.12.0/24
Remote network: 192.168.200.0/24
Cryptography: BF-CBC (128-bit)
Authentication method: Shared key
Shared key cert
LZO compression: yes
My routing issue is:
From Site 1 I can reach hosts on Site 2 and vice versa.
From Road Warrior I can reach hosts on Site 1.
I want to be able to reach hosts in Site 2 from Road Warrior.
Could you help me?
-
It would be much, much, easier to help you if you'd provide the information we ask for.
I'm guessing that Site 2 doesn't know how to route to the Road Warrior LAN.
-
Yes :) Road warriors can't ping Site 2.
-
I'll say it slightly differently - have you configured the routers at Site 2 so that they know how to route to the Road Warrior subnet? They'll need a static route for 10.99.254.0/24 with a route through the Site 2 OpenVPN server's LAN IP.
-
I was told this arrangement isn't possible: having OpenVPN clients on one LAN pass their traffic through another OpenVPN tunnel to another LAN... so I just set up more OpenVPN clients and servers. It would be nice if each site only needed one OpenVPN, but I never got that working!
-
That's not actually true.
I have this exact setup working. It's really a matter of setting up static routes on every router involved, so every device knows where to send traffic.
-
It is perfectly possible - I've done it and I know some folks who have an intra-site VPN that they use daily without problems.
As GruensFroeschli said, it's just a matter of getting the routes right.
-
I don't follow. The site-to-site OpenVPN comes up and the routes are set up. I have a client-to-site VPN on the same pfSense and I add the correct push route statement to the OpenVPN configuration.
Client VPN traffic goes from OpenVPN to pfSense as the first hop, but then no further.
How could I add a route for this?
-
The other side of the site-to-site knows nothing about the road warrior subnet.
-> you need a static route to make the road warriors known.
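The thread's advice expressed as concrete OpenVPN directives, added here as an example; it is not configuration posted by any participant, pfSense generates equivalent lines from the GUI fields named in the comments. It assumes the address ranges listed in the question, that the pfSense box at each site is the default gateway of its LAN, tunnel addresses 10.11.12.1/10.11.12.2 for the shared-key link, the port numbers, and the placeholder hostname site1.example.org; all of those are assumptions.

```conf
# ===== Site 1 pfSense: road-warrior server (VPN > OpenVPN > Servers) =====
dev tun
proto udp
port 1194                                   # assumption
server 10.99.254.0 255.255.255.0            # "Address pool" from the question
client-to-client
cipher AES-256-CBC                          # the question uses BF-CBC; see the note below
# "Local Network(s)": what the road warriors learn to send into the tunnel.
push "route 192.168.100.0 255.255.255.0"    # Site 1 LAN
push "route 192.168.200.0 255.255.255.0"    # Site 2 LAN, reached via the site-to-site link
# Forward path: road warrior -> Site 1 pfSense -> site-to-site tunnel -> Site 2.
# Site 1 pfSense already has 192.168.200.0/24 via the tunnel (route below), so
# this direction works on its own, which matches what the question describes.

# ===== Site 1 pfSense: site-to-site server, shared key =====
dev tun
proto udp
port 1195                                   # assumption
secret /var/etc/openvpn/server2.secret      # path is an assumption
ifconfig 10.11.12.1 10.11.12.2              # picked from the 10.11.12.0/24 tunnel network
# "Remote Network(s)": Site 2 LAN lives on the far end of this tunnel.
route 192.168.200.0 255.255.255.0

# ===== Site 2 pfSense: site-to-site client, shared key (VPN > OpenVPN > Clients) =====
dev tun
proto udp
remote site1.example.org 1195               # placeholder hostname, an assumption
secret /var/etc/openvpn/client1.secret      # path is an assumption
ifconfig 10.11.12.2 10.11.12.1
# "Remote Network(s)" on this side: Site 1 LAN AND the road-warrior pool.
route 192.168.100.0 255.255.255.0           # Site 1 LAN
route 10.99.254.0 255.255.255.0             # the static route the thread is about:
# without it, a reply from a Site 2 host arrives at Site 2 pfSense, which has no
# route for 10.99.254.0/24 and sends it out the WAN (or drops it), so the road
# warrior's ping never gets an answer even though the request reached Site 2.
```

Two checks once this is in place: on the Site 2 pfSense shell, `netstat -rn | grep 10.99.254` should show the route pointing at the tunnel interface; from a road warrior, a traceroute to a Site 2 host should show the Site 1 pfSense tunnel address, then 10.11.12.2, then the host. If Site 2 LAN hosts use some other router as their default gateway, that router needs the same 10.99.254.0/24 route pointing at the Site 2 pfSense LAN address, as the earlier reply says. pfSense firewall rules on the OpenVPN interface tab must also permit the traffic in both directions, since a static route alone does not open the path. On the cipher: BF-CBC is a 64-bit block cipher that is deprecated in OpenVPN and vulnerable to the SWEET32 birthday attack on long-lived tunnels, so the AES setting shown is the change worth making while editing these configurations.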