Netgate Discussion Forum

    OpenVPN Shared Key Routing Issues

      Mat1987

      Hi

      I recently created a connection for OpenVPN.

      I used 1 SSL/TLS for client access and I also set up a site-to-site tunnel.

      I am having routing issues with the site-to-site tunnel and was wondering if there was anything I needed to add to get this working.  All I have done is use the OpenVPN wizard, and I thought that was meant to do the routing, or am I wrong?

      I can ping from my pfSense router to both networks, but from the clients themselves on the tunnel I can't get a response.

      Any help would be great.

      Thanks

      Mat

        divsys

        Have you checked to see if there's a firewall rule under OpenVPN allowing all traffic?

        Can the clients ping their tunnel address gateways?

        Can the clients ping the LAN address of the pfSense router?

        If using Windows clients, have you set (or turned off) the Win Firewall so that it doesn't block the remote LAN subnets?

        -jfp

          Mat1987

          I have a firewall rule and an OpenVPN rule to allow traffic.

          From the client I can ping the gateway and vice versa.

          Basically my network is 192.168.50.0/24 going to 192.168.1.0/24, but I can't ping, say, 192.168.1.1, though I can ping 10.0.8.1, which is given as a virtual tunnel.

          I have attached some photos; hopefully they help a little.

          firewall.PNG
          OpenVPN.PNG
          OpenVPN Setup2.PNG

            divsys

            Why do you have 192.168.50.0/24 in both your Local and your Remote OpenVPN subnet definitions?

            If your OpenVPN Server's Local Subnet is 192.168.50.0/24 then that's all you need in the IPv4 Local Network/s field.

            The IPv4 Remote Network/s field is for the subnets of the clients.

            Is the site-site using SSL/TLS?

            You also need an entry in the "OpenVPN->Client Specific Configuration" tab to match the client's exact CN to allow the server to properly route the client's subnet.

            -jfp

              Mat1987

              I must admit I added my subnet after it wasn't working.  I have added a rule in the OpenVPN firewall.  I have got an idea as to what it is, so I will try that tonight.

                divsys

                If you just remove the unneeded extra subnet in the remote field, you should be very close to a proper setup.

                If this site-site is using SSL/TLS then the CSC entries (very simple) are all that are left.

                -jfp

                  Mat1987

                  @divsys:

                  If you just remove the unneeded extra subnet in the remote field, you should be very close to a proper setup.

                  If this site-site is using SSL/TLS then the CSC entries (very simple) are all that are left.

                  CSC = client specific overrides?

                  How would these be set up?

                    divsys

                    You need a Client Specific Override entry in the OpenVPN server that specifies which external subnets are routed for each client.
                    In your case there's (currently) only one.

                    In CSC make a new entry and specify:

                    Common name - Enter the EXACT CN name used for the Client's certificate
                    Description - Free form description for you
                    Tunnel network - OpenVPN Tunnel subnet specified in the Server (10.0.8.0/24 in your case?)
                    IPv4 Remote Network/s - Client's subnet that you want routed through this connection (192.168.1.0/24 in your case?)

                    Save and restart both the Server and the Client, you should be good to go.

                    -jfp
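
The two fixes discussed in this thread (no subnet listed as both local and remote, and one client override per routed client subnet), as an added example that is not part of the original posts or of pfSense. It checks a site-to-site definition and prints the plain OpenVPN `route`/`iroute` directives the corrected settings correspond to. It assumes an SSL/TLS site-to-site server and IPv4 only; the CN `site-b` and the exact field contents are constructed from the addresses mentioned above.

```python
import ipaddress

def check_site_to_site(local_nets, remote_nets, tunnel_net, overrides):
    """Return findings for an SSL/TLS site-to-site server definition.
    `overrides` maps a client certificate CN to the remote networks in
    its override entry. An empty list means the definition is consistent."""
    local = [ipaddress.ip_network(n) for n in local_nets]
    remote = [ipaddress.ip_network(n) for n in remote_nets]
    tunnel = ipaddress.ip_network(tunnel_net)
    csc = {cn: [ipaddress.ip_network(n) for n in nets]
           for cn, nets in overrides.items()}
    findings = []
    for r in remote:
        # A remote network must not collide with the server's LAN or tunnel.
        for own in local + [tunnel]:
            if r.overlaps(own):
                findings.append(f"remote {r} overlaps server-side {own}")
        # The server routes r into the tunnel, but OpenVPN only knows which
        # client owns it when that client's override lists it.
        if not any(r.subnet_of(n) for nets in csc.values() for n in nets):
            findings.append(f"remote {r} has no client specific override")
    for cn, nets in csc.items():
        for n in nets:
            if not any(n.subnet_of(r) for r in remote):
                findings.append(f"override '{cn}' lists {n}, not a server remote network")
    return findings

def openvpn_directives(remote_nets, overrides):
    """Plain OpenVPN equivalents: `route` in the server config, `iroute`
    in the per-client file named after the certificate CN."""
    fmt = lambda n: f"{n.network_address} {n.netmask}"
    server = [f"route {fmt(ipaddress.ip_network(n))}" for n in remote_nets]
    per_client = {cn: [f"iroute {fmt(ipaddress.ip_network(n))}" for n in nets]
                  for cn, nets in overrides.items()}
    return server, per_client

# Constructed inputs based on the addresses in the thread.
AS_POSTED = dict(local_nets=["192.168.50.0/24"],
                 remote_nets=["192.168.50.0/24", "192.168.1.0/24"],
                 tunnel_net="10.0.8.0/24", overrides={})
AS_ADVISED = dict(local_nets=["192.168.50.0/24"],
                  remote_nets=["192.168.1.0/24"], tunnel_net="10.0.8.0/24",
                  overrides={"site-b": ["192.168.1.0/24"]})  # hypothetical CN

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("as advised", AS_ADVISED)):
        print(name, check_site_to_site(**cfg) or "consistent")
    print(openvpn_directives(AS_ADVISED["remote_nets"], AS_ADVISED["overrides"]))
```

The override key must be the certificate CN exactly as issued, since a mismatched name means the `iroute` is never applied and the client subnet stays unreachable even though the tunnel is up.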
