Netgate Discussion Forum

Site to site OpenVPN with destination set to Remote Access (SSL/TLS)?

OpenVPN
    iorx
    last edited by Jan 31, 2019, 7:26 PM

    Site to site OpenVPN with server set to Remote Access (SSL/TLS)?

    Is this possible?
    I've tried it but have trouble passing traffic from the remote LAN to the Local LAN.

    The underlying reason for this is that I only have (out of my control) one port open into the OpenVPN server. I need both user access and this site to site solution working on one inbound port.

    Peer to Peer (SSL/TLS) works fine if I do it that way, but then I can't have clients.

    Brgs,

      viragomann
      last edited by Jan 31, 2019, 10:06 PM

      You need to set up a Client Specific Override on the server for the remote client to route packets destined for the remote LAN over the VPN.
      In the CSO settings enter the remote LAN network in the "Remote networks" box.

        iorx
        last edited by Feb 1, 2019, 9:03 AM

        Yes, I had that CSO in place, same override I had working for peer to peer. Still didn't manage to get remote LAN traffic to pass. pfSense though could reach server side LAN addresses.
        Strange. Got to give it another try.

          viragomann
          last edited by Feb 1, 2019, 1:55 PM

          Is the remote pfSense the default gateway in its LAN?

          Are the routes okay on both sites?

            iorx
            last edited by Feb 1, 2019, 3:11 PM

            Yes, hosts on the remote LAN have the pfSense as their gateway.

            Routes on the remote pfSense also look good. The subnets for the server's LAN and the tunnel network are present. Routes on the server side also look like they should.

            I need to go through this thoroughly and see if I've missed something. Strange thing is that peer to peer (SSL/TLS) went up directly.

            As it should work with Remote Access I have to look for some stupid mistake somewhere.

              jimp (Rebel Alliance Developer, Netgate)
              last edited by Feb 1, 2019, 4:42 PM

              It can work though you may need to manage some things manually, for example the IPv4 Remote Networks (and IPv6 Remote Networks) boxes are hidden in Remote Access mode, so you'd have to add route statements for the equivalent set of networks in the advanced/custom options box.

                iorx
                last edited by Feb 1, 2019, 11:06 PM

                Yeah! I was missing those. Had an idea that CSO should be enough.

                Gave it a try.

                server pfsense:

                • Config: Remote Access
                • added route statement for the remote subnet in custom options
                • local networks: local subnet, remote subnet
                  (peer to peer server should have this; still trying to figure out why the remote subnet should be here, but according to the pf-guide-doc it should, and it works as intended)
                • CSO: remote networks: remote subnet
                  Question here: In the CSO I have a Local Network field. Does this have any effect on this kind of config?

                remote pfsense:

                • Config: Peer to peer
                • tunnel network: empty
                • remote network: empty (in peer to peer config these are configured at time of connect, true for this scenario too?)

                But, no, can't pass traffic LAN to LAN.

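The two pieces jimp describes, and the server/remote layout iorx tried, written out as an added example rather than configuration taken from the thread: a kernel `route` on the server for what the hidden Remote Networks box would have generated, and an `iroute` in the CSO so OpenVPN knows which client owns that subnet. The subnets, the ccd path and the client common name are placeholders I chose.

```conf
# Added example, not config from the thread. Placeholder addressing:
#   server LAN 192.168.10.0/24, remote site LAN 192.168.20.0/24,
#   tunnel 10.8.0.0/24, remote pfSense certificate CN "remote-site-fw"

# --- Server pfSense: OpenVPN server, Remote Access (SSL/TLS) mode ---
# Generated from "Tunnel Network" and "Local Networks" in the GUI:
server 10.8.0.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
# Listing the remote site LAN under "Local Networks" too pushes it to every
# client, so the road-warrior users reach the remote site through the server:
push "route 192.168.20.0 255.255.255.0"
# Per-client overrides (the CSO) are read from this directory (placeholder path):
client-config-dir /path/to/ccd

# The line the hidden "Remote Networks" box would have produced. In the GUI it
# goes into "Custom options" as:   route 192.168.20.0 255.255.255.0;
# It makes the server kernel send traffic for the remote LAN into the tunnel.
route 192.168.20.0 255.255.255.0

# --- CSO for the remote pfSense: file /path/to/ccd/remote-site-fw ---
# The CSO "Remote Networks" field produces this line. iroute tells OpenVPN
# which connected client owns the subnet; with only the kernel route, packets
# enter the tunnel but no client claims them, and replies sourced from
# 192.168.20.x are dropped with "bad source address from client" in the log.
iroute 192.168.20.0 255.255.255.0
# The CSO's own "Local Networks" field would push extra routes to this one
# client only; it is not needed for the LAN-to-LAN path.

# --- Remote pfSense: OpenVPN client, Peer to Peer (SSL/TLS) mode ---
client
# Tunnel network and remote networks can stay empty in the GUI: the tunnel
# address and the routes arrive from the server's push lines above.
```

A quick check after connecting: the server's routing table should carry the remote LAN via the tun interface, and the OpenVPN log should not show "bad source address from client" when a remote LAN host replies.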
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.