Routing between clients
-
I'm currently using remote access (SSL/TLS + User Auth) (TUN) with a cert. Currently it does not appear that I can reach another client that is simultaneously connected to the VPN. The client is in the same subnet as my remote login, but the two cannot reach each other. My LAN is 192.168.x.y/24 and the tunnel network is 10.10.x.y/24. On one client I have 10.10.x.10 and the other has 10.10.x.6, and we cannot ping each other. I can, however, reach them via 192.168.x.y/24 (pfSense/OpenVPN server LAN). Is this a matter of just firewall rules, pushing some routes out, or a combo?
-
Check "Inter-client communication" in the OpenVPN server config and add appropriate rules to OpenVPN interface.
-
Wow, that easy. I feel blah :'(
-
Can this check box be accessed after the server config has been built? I am having a similar issue and would prefer not to recreate the config if possible.
Thanks
-
Yes.
What I don't know is if it requires another client export or change on the client. I doubt it.
-
Derelict,
I'm still trying to see if that checkbox worked, although I think I may have tried it and it did not. I have another variation of this issue now. I have a site-to-site static key VPN with another pfSense box, and the OpenVPN cert/password clients can't reach the remote end of the site-to-site. I'll draw something up real quick later and show you the topology.
-
OK, here's the diagram. Basically none of the clients can talk with each other. I'm not 100% sure about the road warrior ones yet since the checkbox, but the road warrior can't talk to the site-to-site remote.
-
The Site-to-site client will have to have firewall rules on OpenVPN (tab or assigned interface) permitting inbound traffic from the other clients.
-
The Site-to-site client will have to have firewall rules on OpenVPN (tab or assigned interface) permitting inbound traffic from the other clients.
Yes, there's an allow-ALL rule on the OpenVPN firewall tab in there.
-
OK, here's the diagram. Basically none of the clients can talk with each other. I'm not 100% sure about the road warrior ones yet since the checkbox, but the road warrior can't talk to the site-to-site remote.
You also have to push the routes of both tunnel networks to all clients if you want to communicate between different tunnels. Have you done this?
-
OK, I have partial resolution. I can talk between road warrior/cert OpenVPN clients; I guess the checkbox did it. I will now proceed to mess with the site-to-site VPN access.
-
Yeah. That checkbox is only for clients connecting to the same OpenVPN server instance, so your mobile and site-to-site will be different. You need to make sure everyone has the routes to the other VPN server's clients and that all the rules are in place.
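The two fixes this thread converges on (inter-client communication within one server instance, and routes to the other tunnel's networks on both ends so road-warrior clients and the site-to-site peer can reach each other) written out as the OpenVPN directives behind the pfSense settings. This is an added example, not configuration posted in the thread; all addresses and the key path are constructed placeholders (10.10.8.0/24 road-warrior tunnel, 10.10.9.0/30 site-to-site tunnel, 192.168.1.0/24 hub LAN, 192.168.2.0/24 remote-site LAN).

```conf
# --- Road-warrior server on the hub pfSense (Remote Access, SSL/TLS + User Auth, tun) ---
# Constructed addresses: tunnel 10.10.8.0/24, hub LAN 192.168.1.0/24,
# site-to-site tunnel 10.10.9.0/30, remote-site LAN 192.168.2.0/24.
dev tun
server 10.10.8.0 255.255.255.0
# "Inter-client communication" checkbox. OpenVPN then switches traffic between
# 10.10.8.10 and 10.10.8.6 inside the daemon, so it never reaches the OpenVPN
# firewall tab: rules there cannot filter client-to-client traffic once this is on.
client-to-client
# "IPv4 Local Network(s)": routes pushed to every road-warrior client.
push "route 192.168.1.0 255.255.255.0"    # hub LAN
push "route 192.168.2.0 255.255.255.0"    # remote-site LAN, via the site-to-site tunnel
push "route 10.10.9.0 255.255.255.252"    # site-to-site tunnel network itself

# --- Site-to-site endpoint on the hub pfSense (shared key, tun) ---
dev tun
ifconfig 10.10.9.1 10.10.9.2
secret /path/to/static.key                # placeholder path
# "IPv4 Remote Network(s)": the remote-site LAN lives behind the peer.
route 192.168.2.0 255.255.255.0

# --- Site-to-site endpoint on the remote pfSense (shared key, tun) ---
dev tun
ifconfig 10.10.9.2 10.10.9.1
secret /path/to/static.key                # placeholder path
# Without these the remote box has no return route for road-warrior traffic:
# a reply to 10.10.8.10 would leave via its default gateway and be lost.
route 192.168.1.0 255.255.255.0           # hub LAN
route 10.10.8.0 255.255.255.0             # road-warrior tunnel network
```

The routes only fix forwarding; on both pfSense boxes the OpenVPN tab (or the assigned interface) still needs rules permitting 10.10.8.0/24 to and from 192.168.2.0/24, and a pass rule on the remote box's LAN side if its hosts should answer.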