OpenVPN cant connect static routes

fergomez1980

Hi, everyon

I have this config in my pfsense server

igb0 - WAN (Internet output) static Ip 192.168.4.2/24 + Gateway in WAN to internet output 192.168.4.1/24
igb1 - DMZ (isolated network) static ip 172.26.1.1/24
Ix0 - LAN (work network) static ip 172.26.0.0/24

Static Routes in LAN
192.168.0.0/24 + Gateway in LAN 172.26.0.199 (ip alias of router to connect at that network)
192.168.1.0/24 + Gateway in LAN 172.26.0.199 (ip alias of router to connect at that network)

Virtual IP in LAN
172.26.2.1/24 For isolated subnet for machines placed in factory planta

OpenVPN
Tunnel 172.26.3.0/24
Force gateway in remote network
Clients can comunicate between them
Local 172.26.0.0/24

When i connect through OpenVPN from my home i can access to following networks:

LAN 172.26.0.0/24
Tunnel 172.26.3.0/24
DMZ 172.26.1.0/24
Maquinas 172.26.2.0/24
But i cant access to 192.168.0.0/24 y 192.168.1.0/24. How could i do it? Please i need help.

Thanks and regards

viragomann

@fergomez1980 said in OpenVPN cant connect static routes:

Static Routes in LAN
192.168.0.0/24 + Gateway in LAN 172.26.0.199 (ip alias of router to connect at that network)
192.168.1.0/24 + Gateway in LAN 172.26.0.199 (ip alias of router to connect at that network)

Since both sequent /24 networks are routed to the same gateway you may also put it in only one rule and type 192.168.0.0/23 at network.

I guess, the packets from 192.168.0.0/23 are not routed back to pfSense, cause it is not in the default route.
With the static route you have set, you only have defined the route towards the devices in 192.168.0.0/24 and 192.168.1.0/24. These devices will send responses to the clients VPN IP. If there is no special route defined on the destination devices for that VPN IP they will send responses to their default gateway.

So you either need a route on the destination devices for the OpenVPN tunnel network or on the default gateways of these subnets to route response packets to pfSense or you use NAT for masquerading.

johnpoz

@fergomez1980 said in OpenVPN cant connect static routes:

Static Routes in LAN
192.168.0.0/24 + Gateway in LAN 172.26.0.199 (ip alias of router to connect at that network)
192.168.1.0/24 + Gateway in LAN 172.26.0.199 (ip alias of router to connect at that network)

Other than your current openvpn problem this sort of setup also screams asymmetrical traffic flow.. If you have a network that you get to via a downstream router, then this downstream router should be connected via a transit network no using a network that has hosts on it.

So lets say lan device wants to talk to an IP on these networks.. does it have a host route - or send its traffic to pfsense? The return traffic will just go direct to client from the downstream router = asymmetrical.

But as mentioned by viragomann, you will need routes on your downstream router on how to reach the tunnel network(s) you use for your openvpn clients.. Or no you will never be able to get there without doing source nat.