OpenVPN SSL Site to Site - I am unable to push DNS to Site B and access a routed network in Site A from Site B
-
Please help, newbie here. I have a working Peer to Peer SSL in OpenVPN between Sites A and B. Both their LANs can see each other. My problem is I cannot push DNS to Client Site B and I am unable to access from Client Site B my DMZ network in Site A:
INTERNET == pfSense1 (Client) --- LAN (192.168.130.0/24)
||
pfSense2 (Gateway) --- DMZ net (192.168.88.0/24) --- pfSense3 (Server) --- LAN (192.168.8.0/24)
I have set a Port Forward on pfSense2 to forward the OpenVPN port to pfSense3.
pfSense3 OpenVPN Server Settings:
- tunnel net: 192.168.121.0/24
- local net: 192.168.8.0/24, 192.168.88.0/24
- remote net: 192.168.130.0/24
- topology: Subnet
- client specific override -- remote net: 192.168.130.0/24, DNS Servers: 192.168.8.1
192.168.8.0/24 and 192.168.130.0/24 networks can see each other, but 192.168.130.0/24 cannot see 192.168.88.0/24. I have been trying different Firewall Rules but I am unable to get the proper setting. When I traceroute 192.168.88.0/24 from 192.168.130.0/24, I only reach 192.168.121.1.
Also, the DNS on 192.168.8.1 is not pushed to 192.168.130.0/24, because I can only access 192.168.8.0/24 through IP address. What could I be missing?
-
Seems you're talking about an access server rather than about a site-to-site. In the site-to-site configuration there is no possibility to push a DNS server. Furthermore a CSO makes no sense.
Concerning the accessibility of the DMZ from remote, you're presumably missing the route to 192.168.130.0/24. Your setup suggests that the DMZ uses pfSense2 as upstream router, not pfSense3, so if the DMZ devices have no route to 192.168.130.0/24 they may direct responses to pfSense2 instead of to pfSense3.
Best practice is to not connect pfSense3 to the DMZ directly, but install a transit network between the two routers or run the VPN server on pfSense2.
Other options are to add routes to 192.168.130.0/24 to each of your DMZ devices you want to communicate with 192.168.130.0/24, or do NAT to get responses back to pfSense3 if you only want to access the DMZ from remote.
-
@viragomann Thanks for the advice... Newbie in OpenVPN and Routing
I set pfSense3 as OpenVPN Server so remote users are connected locally to communicate with our Local Net. Would this still be possible if I use pfSense2 as the OpenVPN Server?
Re: NAT, how should I do NAT to get responses back to pfSense3?
-
@azmodeuz said in OpenVPN SSL Site to Site - I am unable to push DNS to Site B and access a routed network in Site A from Site B:
I set pfSense3 as OpenVPN Server so remote users are connected locally to communicate with our Local Net. Would this still be possible if I use pfSense2 as the OpenVPN Server?
You will need a static route on pfSense3 for the OpenVPN tunnel network 192.168.121.0/24 pointing to pfSense2.
@azmodeuz said in OpenVPN SSL Site to Site - I am unable to push DNS to Site B and access a routed network in Site A from Site B:
Re: NAT, how should I do NAT to get responses back to pfSense3?
You can add an outbound NAT rule on pfSense3 (S-NAT, also known as masquerading) which translates the source IP in packets from the remote site of the VPN into the DMZ interface address. So responses are sent back to pfSense3.
However, that's a dirty solution and is not recommended if there are multiple clients connecting through the VPN.
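To make the asymmetric-routing explanation above concrete (the request reaches the DMZ via the tunnel, but the DMZ host's reply follows its default route to pfSense2 and never gets back), here is an added illustration, not code from the thread or from pfSense: a small routing-table model of the topology in the question, with the two fixes from the answers (a route on the DMZ host, or outbound NAT on pfSense3). The node names and pfSense3's DMZ address 192.168.88.2 are assumptions.

```python
import ipaddress
# Constructed model of the thread's topology (added example, not from the posts).
# "local" = directly connected; the OpenVPN tunnel is a link between pfSense1 and
# pfSense3; pfSense3's DMZ address 192.168.88.2 is an assumption.
PFSENSE3_DMZ_IP = "192.168.88.2"
BASE_TABLES = {
    "siteB_host": [("192.168.130.0/24", "local"), ("0.0.0.0/0", "pfSense1")],
    "pfSense1": [("192.168.130.0/24", "local"), ("192.168.121.0/24", "local"),
                 ("192.168.8.0/24", "pfSense3"), ("192.168.88.0/24", "pfSense3"),
                 ("0.0.0.0/0", "internet")],
    "pfSense3": [("192.168.8.0/24", "local"), ("192.168.88.0/24", "local"),
                 ("192.168.121.0/24", "local"), ("192.168.130.0/24", "pfSense1"),
                 ("0.0.0.0/0", "pfSense2")],
    "pfSense2": [("192.168.88.0/24", "local"), ("0.0.0.0/0", "internet")],
    "dmz_host": [("192.168.88.0/24", "local"), ("0.0.0.0/0", "pfSense2")],
    "internet": [],  # RFC 1918 space is not routed on the public internet
}

def lookup(table, dst):
    """Longest-prefix match: next hop name, or None when there is no route."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def trace(tables, node, dst, max_hops=8):
    """Follow next hops from node until the packet is delivered or dropped."""
    path = [node]
    for _ in range(max_hops):
        next_hop = lookup(tables[node], dst)
        if next_hop is None:
            return path + ["NO ROUTE"]
        if next_hop == "local":
            return path + ["delivered"]
        path.append(next_hop)
        node = next_hop
    return path + ["loop"]

def reply_path(tables, client_ip, snat=False):
    """DMZ host's reply. With outbound NAT on pfSense3 the reply is addressed to
    pfSense3's DMZ IP (on-link), and pfSense3 then forwards it to the client."""
    if not snat:
        return trace(tables, "dmz_host", client_ip)
    return trace(tables, "dmz_host", PFSENSE3_DMZ_IP)[:-1] + trace(tables, "pfSense3", client_ip)

def with_dmz_route(tables):
    fixed = {name: list(routes) for name, routes in tables.items()}
    fixed["dmz_host"].insert(0, ("192.168.130.0/24", "pfSense3"))  # route fix
    return fixed
```

Without either fix the reply leaves via pfSense2 and dies on the public side, which is why the traceroute from Site B stops at the tunnel address 192.168.121.1 even though the request itself reaches the DMZ.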