Netgate Discussion Forum
    Routing OpenVPN client through Site to site IPSEC

    • calvinsteelC
      calvinsteel Banned
      last edited by

      I think someone asked that question with some different protocol. https://forum.netgate.com/topic/151606/openvpn-site-to-site-not-working-after-configuration-restore

      • G
        gaetanb76
        last edited by

        Thanks for your answer but that is not really the same question. My site to site VPN is working and computers on site 1 can communicate with computers on site 2 and vice versa but computers connected to site 1 with OpenVPN clients can't communicate with Site 2.

        • JKnottJ
          JKnott @gaetanb76
          last edited by

          @gaetanb76

          That is not the way the subject reads. I understood it to mean you were trying to send OpenVPN packets through IPSec, which shouldn't be a problem. However, in your comment, you say someone connected to site 1 via OpenVPN can't reach site 2. That's a routing problem. You have to specify a route from the OpenVPN clients to site 2.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          • G
            gaetanb76
            last edited by

            Hello, I'm sorry if I didn't explain correctly before. Yes, it looks like a routing problem, but I added a "push route" in the OpenVPN server configuration and it still doesn't work.

            • JKnottJ
              JKnott @gaetanb76
              last edited by

              @gaetanb76

              Does site 2 somehow know about that pushed route? I doubt it, so you'll need to configure a route there.
              • G
                gaetanb76
                last edited by

                Yes, it seems that site 2 doesn't know a route to the OpenVPN subnet, but there is nowhere I can configure a route because my IPsec doesn't have an interface in pfSense to add a gateway and a route.

                • JKnottJ
                  JKnott @gaetanb76
                  last edited by JKnott

                  @gaetanb76

                  You don't add routing within a VPN. A VPN is just another IP connection. You do it in the pfSense routing page. It's in System / Routing / Static Routes.
                  • G
                    gaetanb76
                    last edited by

                    I added a route on site 2 in pfSense and it's still not working.

                    The network of OpenVPN is 10.10.181.0/24
                    The local network of Site 1 is 172.16.0.0/16
                    The local network of site 2 is 192.168.255.0/24

                    So, in the OpenVPN configuration I added this command to push routes:
                    push "route 192.168.255.0 255.255.255.0 10.10.181.1"

                    And on site 2, in System / Routing / Static Routes, I added a route to 10.10.181.0/24 using the WAN gateway (the only one we have).

                    With this configuration it is not working, I can’t communicate from a computer connected to OpenVPN Server to Site 2, I can only communicate with site A computers.

                    Thank you for trying to help me, I'm a beginner.

                    • dotdashD
                      dotdash
                      last edited by

                      On the OpenVPN side, you shouldn't need a push route, just 172.16.0.0/16, 192.168.255.0/24 in your local nets. On the IPsec side, you need a phase2 for the site1 lan and openvpn network to the site2 network.

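The phase 2 requirement from the post above, as an added example that is not part of the original thread. It assumes the tunnel is policy-based (the poster reports no IPsec interface), so traffic is selected by phase 2 local/remote network pairs on both firewalls rather than by static routes; the host addresses and function names are constructed for illustration.

```python
import ipaddress as ip

# Networks as stated in the thread.
OVPN, SITE1_LAN, SITE2_LAN = "10.10.181.0/24", "172.16.0.0/16", "192.168.255.0/24"
# Constructed sample hosts (not from the thread).
CLIENT, LAN_HOST, SERVER = "10.10.181.6", "172.16.5.20", "192.168.255.10"

def covered(phase2, src, dst):
    """True if src->dst matches any (local_net, remote_net) phase 2 entry."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    return any(s in ip.ip_network(loc) and d in ip.ip_network(rem)
               for loc, rem in phase2)

def flow_ok(site1_p2, site2_p2, src, dst):
    """Site 1 must select src->dst; site 2 must hold the mirrored selector."""
    return covered(site1_p2, src, dst) and covered(site2_p2, dst, src)

def unmirrored(side_a, side_b):
    """Entries on side_a with no (remote, local) counterpart on side_b."""
    peer = {(ip.ip_network(l), ip.ip_network(r)) for l, r in side_b}
    return [(l, r) for l, r in side_a
            if (ip.ip_network(r), ip.ip_network(l)) not in peer]

# LAN-to-LAN only: the starting point described in the thread.
LAN_ONLY_1 = [(SITE1_LAN, SITE2_LAN)]
LAN_ONLY_2 = [(SITE2_LAN, SITE1_LAN)]
# With the extra phase 2 for the OpenVPN network on both sides.
FULL_1 = LAN_ONLY_1 + [(OVPN, SITE2_LAN)]
FULL_2 = LAN_ONLY_2 + [(SITE2_LAN, OVPN)]

if __name__ == "__main__":
    for name, p1, p2 in [("LAN only", LAN_ONLY_1, LAN_ONLY_2),
                         ("site 1 only", FULL_1, LAN_ONLY_2),
                         ("both sides", FULL_1, FULL_2)]:
        print(f"{name:12} client->site2: {flow_ok(p1, p2, CLIENT, SERVER)}"
              f"  missing on site 2: {unmirrored(p1, p2)}")
```
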
                      • G
                        gaetanb76 @dotdash
                        last edited by

                        @dotdash Hi, Thanks for your answer. I just tried without the push route on the OpenVPN side and I already had phase 2 for OpenVPN subnet and LAN subnet on each side but it is still not working.

                        It is like the requests from OpenVPN clients to site 2 are not being forwarded to the IPsec tunnel, even with Allow ANY on the pfSense firewall.

                        • dotdashD
                          dotdash
                          last edited by

                          The only firewall rules you'd need to check would be openvpn and ipsec (both sides). It's safe to test with any any on those tabs. Start a continuous ping or something, then check the states on both sides.

                          • G
                            gaetanb76
                            last edited by

                            Hello, thank you all for your help, it now works with a route from site 2 to OpenVPN and a push route from OpenVPN to site 2. It seems that IPsec needed a restart.
