OpenVPN Site to Site to Client issues
-
I have a configuration where there is a site-to-site tunnel between two pfSense firewalls, and they are using the 10.0.6.0/24 network for OpenVPN.
The pfSense firewalls are running 2.1.5 (server) and 2.2 (remote).
There are 3 IP addresses accessible on the server end: 10.255.10.23, .24 and .32. The remote end is the 192.168.0.0/24 network. From the 192.x network all servers work fine and are accessible. Remote users connect to an OpenVPN server on the remote site, on the 10.0.10.0/24 OpenVPN network. When a remote OpenVPN client connects, they can access all of the 192.x LAN but cannot get to the 10.255.x LAN. I have all 3 IP addresses assigned as push routes (10.255.10.23/32, 10.255.10.24/32, 10.255.10.32/32) on the OpenVPN clients. The pfSense can ping the server site and the client, but the client cannot get to the server network of 10.255.x. The OpenVPN rule is IPv4 Any allow on both ends.
Does the 10.0.6.0 site-to-site network need to be pushed to the client? Any ideas what I might be missing here?
-
Does the 10.0.6.0 site to site network need to be pushed to the client?
No, the road warrior clients do not need to know about site-to-site tunnels, there is nothing in the tunnel that they need to reach specifically.
I would tell the road warrior clients about the whole of 10.255.10.0/24 rather than tell them each individual IP with a /32.
Do not use the advanced box any more to push routes; just put 192.168.0.0/24,10.255.10.0/24 in the IPv4 Local Network/s box on the road warrior server GUI settings page.
Make sure the OpenVPN Firewall Rules tabs at either end are allowing traffic arriving from all the subnets at the other end.
traceroute is your friend - you can quickly traceroute from a client to a server and see what hops the packet took, and where it stops. That will give you a clue if there is a routing issue or firewall block somewhere along the path.
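As an added example (not part of the question or the answer above), here is a small Python script that reproduces the routing logic a road warrior client and the far-end firewall apply, so the difference between pushing three /32 hosts and pushing the whole 10.255.10.0/24 can be checked offline before touching the firewalls. It parses OpenVPN `push "route ..."` lines in the form pfSense writes into the server config and does a longest-prefix match for the forward direction; it also goes one step beyond the answer and checks the return direction, on the assumption that the server-side pfSense only routes into the site-to-site tunnel the networks listed as its remote networks (the `SITE_TO_SITE_REMOTE*` lists, the client address 10.0.10.6 and the push lines are all constructed for the example, using the addresses from the question).

```python
"""Route-coverage check for an OpenVPN road-warrior client reaching a LAN
behind a second, site-to-site OpenVPN tunnel.  Example code, not pfSense's."""
import ipaddress
import re

# Constructed: push lines as pfSense generates them when the road-warrior
# server's "IPv4 Local Network/s" box holds 192.168.0.0/24,10.255.10.0/24.
ROAD_WARRIOR_PUSH = """
push "route 192.168.0.0 255.255.255.0"
push "route 10.255.10.0 255.255.255.0"
"""

# Constructed: the original setup, three /32 hosts pushed individually.
OLD_PUSH = """
push "route 192.168.0.0 255.255.255.0"
push "route 10.255.10.23 255.255.255.255"
push "route 10.255.10.24 255.255.255.255"
push "route 10.255.10.32 255.255.255.255"
"""

# Assumption: the server-side pfSense routes into the site-to-site tunnel
# only the networks listed here (its site-to-site "remote networks").
# Replies from 10.255.10.x to a road-warrior client can only come back if
# the road-warrior tunnel network 10.0.10.0/24 is among them.
SITE_TO_SITE_REMOTE = ["192.168.0.0/24"]                      # return path missing
SITE_TO_SITE_REMOTE_FIXED = ["192.168.0.0/24", "10.0.10.0/24"]  # return path present

PUSH_RE = re.compile(r'push\s+"route\s+(\S+)\s+(\S+)"')


def parse_push_routes(text):
    """Return the IPv4 networks a client installs from `push "route NET MASK"` lines."""
    nets = []
    for m in PUSH_RE.finditer(text):
        # ipaddress accepts dotted netmasks: "10.255.10.0/255.255.255.0"
        nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets


def best_match(addr, nets):
    """Longest-prefix match, as a kernel routing table does; None if no route."""
    addr = ipaddress.ip_address(addr)
    candidates = [n for n in nets if addr in n]
    return max(candidates, key=lambda n: n.prefixlen) if candidates else None


def check_path(client_ip, dst, pushed_text, s2s_remote):
    """Check both directions of a client -> dst flow.

    forward: does the client hold a pushed route covering dst?
    return : does the site-to-site end route the client's address back
             into the tunnel?  Without this the client sees a one-way path
             (pings go out, nothing comes back), which traceroute shows as
             the trace dying right after the tunnel hop.
    """
    fwd = best_match(dst, parse_push_routes(pushed_text))
    ret = best_match(client_ip, [ipaddress.ip_network(n) for n in s2s_remote])
    return {"forward": fwd, "return": ret, "ok": fwd is not None and ret is not None}


if __name__ == "__main__":
    client = "10.0.10.6"  # constructed road-warrior client address
    for label, push, s2s in [
        ("old /32 pushes, no return route", OLD_PUSH, SITE_TO_SITE_REMOTE),
        ("old /32 pushes, return route added", OLD_PUSH, SITE_TO_SITE_REMOTE_FIXED),
        ("/24 push, return route added", ROAD_WARRIOR_PUSH, SITE_TO_SITE_REMOTE_FIXED),
    ]:
        for dst in ("10.255.10.23", "10.255.10.50"):
            r = check_path(client, dst, push, s2s)
            print(f"{label}: {client} -> {dst}: forward={r['forward']} "
                  f"return={r['return']} ok={r['ok']}")
```

The third case is the answer's recommendation: with 10.255.10.0/24 pushed, any host on that LAN is covered instead of only the three listed /32s, and the return check is the thing to verify on the site-to-site server if the forward route is present but traceroute from the client still stops at the tunnel.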