Netgate Discussion Forum
    Two OpenVPN servers: road warriors cannot contact s2s

    OpenVPN
    4 Posts 2 Posters 1.1k Views

    Dennis1984120

      Hi all,

      I'm having some trouble configuring my OpenVPN on pfSense. It's quite similar to this topic, but not exactly the same though.

      I have my pfSense configured with two OpenVPN servers: one for s2s and one for roadwarriors. Now individually they all work properly. There are three other sites which connect over the internet to my pfSense box (in the cloud). My pfSense LAN is 172.16.1.200 (/24) and my sites have 172.16.11.200, .21.200 and .31.200, all /24. As said, it works as it should. Routes are set up through ccd. Internet is not routed with this VPN. This OpenVPN utilizes 10.4.0.0/24.

      Besides the s2s, I have the roadwarriors. Mobile clients should connect to the cloud. In this case, all traffic is routed (redirect gateway). This OpenVPN uses 10.8.0.0/24. Internet works properly on this device and I'm also able to contact the cloud server.

      The problem is however that I cannot contact one of the sites from a road warrior client. I don't know what is causing this. I assume that all traffic is routed through the pfSense box as I have redirect gateway enabled. The log files seem to confirm this. To make sure the firewall is not the problem, I have created a couple of test rules that allow all traffic from or to both OpenVPN instances and let them log their actions. When I check the logfiles I see this, which is when I want to visit the HTTPS interface of the site1 router.

      pass/1432064064	May 20 07:20:48 	OVPNS1 	10.8.0.6:41659		172.16.11.200:443		TCP:S
      pass/1432064064	May 20 07:20:48 	Direction=OUT OVPNS0 	10.8.0.6:41659		172.16.11.200:443		TCP:S

      It does not load however and I get a timeout after 4 minutes. The routing table in pfSense looks fine and I'm able to ping this 172.16.11.200 from the diagnostics ping function.

      Does anyone have a clue where I can find the solution?

      Kind regards,
      Dennis

      Dennis1984120

        I painted an image for you folks ::)

        So the trouble is connecting from ovpns1 to ovpns0.

        Kind regards,
        Dennis

        viragomann

          Hi,

          as the log shows, the packets are passed out of the OVPNS0 interface. However, I think the response from 172.16.11.200 doesn't know how to get back to 10.8.0.6.
          Enter the road warriors' tunnel network 10.8.0.0/24 in the "Local Network(s)" field on the S2S configuration tab to get the route to this network pushed to the OVPNS0 clients.

          Dennis1984120
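          The answer above describes an asymmetric-routing failure: the SYN from the road warrior reaches site1 (which is why both pfSense log lines show "pass"), but site1 has no route back to 10.8.0.0/24, so the reply leaves via its default gateway and the client times out. The following script is an added example, not code from the thread or from pfSense; it models the three hops with constructed routing tables (the node names, the "internet" sink and the exact prefixes on site1 are assumptions) and performs longest-prefix lookups in each direction, before and after the tunnel network is pushed to the site as a route.

```python
import ipaddress
from copy import deepcopy

# Constructed routing tables for the topology in the thread (assumptions, not
# pfSense output). A prefix maps to the node that receives the packet next;
# "local" means the node owns the address, "internet" is a sink where an
# RFC 1918 destination is simply lost.
ROUTES = {
    "roadwarrior": {                 # 10.8.0.6, redirect-gateway pushed by OVPNS1
        "10.8.0.6/32": "local",
        "0.0.0.0/0": "pfsense",
    },
    "pfsense": {                     # hub: LAN, both tunnels, ccd iroutes per site
        "172.16.1.0/24": "local",
        "10.8.0.1/32": "local",
        "10.8.0.0/24": "roadwarrior",  # OVPNS1 tunnel network
        "10.4.0.0/24": "local",        # OVPNS0 tunnel network
        "172.16.11.0/24": "site1",
        "172.16.21.0/24": "site2",
        "172.16.31.0/24": "site3",
    },
    "site1": {                       # 172.16.11.200, OVPNS0 (s2s) client
        "172.16.11.0/24": "local",
        "10.4.0.0/24": "local",
        "172.16.1.0/24": "pfsense",  # pushed from Local Network(s) today
        "0.0.0.0/0": "internet",     # no route for 10.8.0.0/24 -> reply escapes
    },
}


def lookup(table, dst):
    """Longest-prefix match: return the next node for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nxt in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nxt)
    return best[1] if best else None


def trace(routes, start, dst, max_hops=8):
    """Follow dst from node start hop by hop. Returns (path, delivered)."""
    node, path = start, [start]
    for _ in range(max_hops):
        nxt = lookup(routes.get(node, {}), dst)
        if nxt == "local":
            return path, True
        if nxt is None or nxt not in routes:
            path.append(nxt or "blackhole")   # escaped the VPN or unroutable
            return path, False
        node = nxt
        path.append(node)
    return path, False


def round_trip(routes, client, client_ip, server, server_ip):
    """Check both directions of a client->server flow, as a TCP handshake needs."""
    fwd, fwd_ok = trace(routes, client, server_ip)
    rev, rev_ok = trace(routes, server, client_ip)
    return {"forward": fwd, "forward_ok": fwd_ok,
            "reverse": rev, "reverse_ok": rev_ok}


def with_pushed_route(routes, site, prefix, via="pfsense"):
    """Model the fix: the site learns prefix via the hub (what Local Network(s) pushes)."""
    fixed = deepcopy(routes)
    fixed[site][prefix] = via
    return fixed


if __name__ == "__main__":
    before = round_trip(ROUTES, "roadwarrior", "10.8.0.6", "site1", "172.16.11.200")
    fixed_routes = with_pushed_route(ROUTES, "site1", "10.8.0.0/24")
    after = round_trip(fixed_routes, "roadwarrior", "10.8.0.6", "site1", "172.16.11.200")
    for label, result in (("before", before), ("after", after)):
        print(f"{label}: forward {result['forward']} ok={result['forward_ok']}; "
              f"reverse {result['reverse']} ok={result['reverse_ok']}")
```

          The "forward ok, reverse fails" result is the signature to look for whenever a firewall logs a pass for the outbound SYN yet the client sees a timeout: the forward path and the firewall are fine, and the missing piece is the return route on the far end. On pfSense, adding 10.8.0.0/24 to Local Network(s) on the site-to-site server has exactly the effect modelled by `with_pushed_route`, since that field is what the generated server configuration pushes to the connecting sites as routes.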

            Thank you for your response! Sometimes a solution is really simple but you just forget to think about it. Great that a forum like this has other users who are experienced and who can give you the right tips. You made my day, it all works flawlessly! ;D

            Kind regards,
            Dennis
