Route OVPN users to subnet connected by an OVPN peer to peer tunnel?
-
Location A has a box running pfSense as gateway, and has a local subnet of 192.168.9.0.
Location B (Colo site) has a CentOS box as gateway, and has a local subnet of 192.168.4.0.
On A's pfSense box an OVPN server, Peer to Peer shared key tunnel to B, is configured; B is the client.
It also has another OVPN server configured, Remote Access (SSL/TLS) for remote users. The config has a "push route 192.168.4.0 255.255.255.0" additional command, and the "Allow communication between clients connected to this server" box is checked.
Any machine on A can talk to any machine on B, and any machine on B can talk to any machine on A. However, remote vpn users can only talk to machines on A, and cannot see anything on B.
Any suggestions?
-
The Remote Access clients know how to reach location B, because of the "push route". Now location B needs to know how to route back to the Remote Access network.
On the shared-key server at location A, you need:
push "route n.n.n.n m.m.m.m"
e.g. if your remote access subnet is 192.168.42.0/24
push "route 192.168.42.0 255.255.255.0"
Then location B will know the way back to 192.168.42.0/24.
Note: On 2.1 you can put a list of subnets in the "Local IPv4/6 Networks" boxes - that puts multiple "push route" statements in the config, rather than just 1. Adding "push route" in the advanced box is no longer needed.
-
I figured out the answer to my problem.
I needed to add a route to the gateway at B for the subnet IPs being assigned to the vpn users.
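The asymmetric-routing failure discussed in this thread, as an added Python example that is not part of the original posts: it models each gateway's routing table and traces the request and the reply separately. The remote-access subnet 192.168.42.0/24 is the example value from the reply above; host addresses, node names and the default routes are constructed assumptions.

```python
import ipaddress

def next_hop(table, dst):
    """Longest-prefix match over {prefix: next_hop}; None when no route matches."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), hop) for p, hop in table.items()]
    hits = [(n.prefixlen, hop) for n, hop in nets if addr in n]
    return max(hits)[1] if hits else None

def walk(tables, node, dst, limit=8):
    """Follow next hops from node; trail ends in 'local', 'internet', 'no-route' or 'loop'."""
    trail = [node]
    for _ in range(limit):
        hop = next_hop(tables[node], dst)
        trail.append(hop or "no-route")
        if hop in (None, "local", "internet"):
            return trail
        node = hop
    return trail + ["loop"]

def round_trip(tables, src_node, src_ip, dst_ip):
    """Return (request trail, reply trail); reply is None if the request never arrives."""
    out = walk(tables, src_node, dst_ip)
    if out[-1] != "local":
        return out, None
    return out, walk(tables, out[-2], src_ip)

def site_tables(b_has_return_route):
    """Constructed routing tables for the thread's topology, reduced to node names."""
    tables = {
        # Remote user: routes pushed by the Remote Access server on A.
        "client": {"192.168.9.0/24": "A", "192.168.4.0/24": "A", "0.0.0.0/0": "internet"},
        # Gateway at A: LAN and the remote-access tunnel network are directly attached.
        "A": {"192.168.9.0/24": "local", "192.168.42.0/24": "local",
              "192.168.4.0/24": "B", "0.0.0.0/0": "internet"},
        # Gateway at B: reaches A's LAN through the peer-to-peer tunnel.
        "B": {"192.168.4.0/24": "local", "192.168.9.0/24": "A", "0.0.0.0/0": "internet"},
    }
    if b_has_return_route:
        tables["B"]["192.168.42.0/24"] = "A"  # return route toward the VPN users' subnet
    return tables

if __name__ == "__main__":
    for fixed in (False, True):
        print(fixed, round_trip(site_tables(fixed), "client", "192.168.42.6", "192.168.4.10"))
```

Without the return route, the request reaches B but the reply follows B's default route instead of the tunnel, which is why only the remote users were affected.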