OpenVPN to OPT1
I have successfully set up an OpenVPN tunnel for road warriors. I can connect to the pfSense box and access the LAN net. However, I can't connect to the subnet behind OPT1.
LAN : 10.0.0.0/24
OPT1 : 10.1.0.0/16
OpenVPN : 10.100.0.0/24
I tried: "push 10.1.0.0 255.255.0.0", but this didn't work. Also, I can ping from the client to the OpenVPN server address.
Are there any special rules to apply? I thought there weren't any special fw rules for openvpn. Or am I missing something huge? :)
Is this a PKI or PSK setup?
In a PKI you're right to add the push 10.1.0.0 255.255.0.0 to the custom options.
You will have to reconnect the client for it to take effect.
If it works you should see a change in the routing table of the connecting client.
PS: the command looks like this
push "route 10.1.0.0 255.255.0.0"
including the ""
For more: rtfm here http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html
It is a PKI setup. The custom option is ok, I just mistyped the quotes here. The route is indeed added to the client. If I do a route print I can see the routes added.
Wed Aug 20 11:54:19 2008 us=313963 route ADD 10.0.0.0 MASK 255.255.255.0 10.100.0.5
Wed Aug 20 11:54:19 2008 us=315154 Route addition via IPAPI succeeded
Wed Aug 20 11:54:19 2008 us=315168 route ADD 10.1.0.0 MASK 255.255.0.0 10.100.0.5
Wed Aug 20 11:54:19 2008 us=316278 Route addition via IPAPI succeeded
Wed Aug 20 11:54:19 2008 us=316292 route ADD 10.100.0.0 MASK 255.255.255.0 10.100.0.5
Wed Aug 20 11:54:19 2008 us=317445 Route addition via IPAPI succeeded
If I do a tracert to an ip in the opt1 range, the first hop is 10.100.0.1 (which is the pfsense box). It seems like all traffic stops there. Maybe it's more of a routing problem than an openvpn problem. I've enabled AON, maybe there's something missing there.
I think it's a small problem, but I seem to overlook it.
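To separate a client-side routing problem from one on the pfSense/OPT1 side, it helps to check which pushed route the client will actually use for a given destination. The following is an added example, not code from the thread: it parses the "route ADD" lines from the OpenVPN client log above (the log text is reconstructed inline as a constructed sample) and does a longest-prefix lookup for the addresses being tested.

```python
import ipaddress
import re

# Constructed sample: the "route ADD" lines the OpenVPN client logged,
# one per line (same routes as the post above).
CLIENT_LOG = """\
Wed Aug 20 11:54:19 2008 us=313963 route ADD 10.0.0.0 MASK 255.255.255.0 10.100.0.5
Wed Aug 20 11:54:19 2008 us=315154 Route addition via IPAPI succeeded
Wed Aug 20 11:54:19 2008 us=315168 route ADD 10.1.0.0 MASK 255.255.0.0 10.100.0.5
Wed Aug 20 11:54:19 2008 us=316278 Route addition via IPAPI succeeded
Wed Aug 20 11:54:19 2008 us=316292 route ADD 10.100.0.0 MASK 255.255.255.0 10.100.0.5
Wed Aug 20 11:54:19 2008 us=317445 Route addition via IPAPI succeeded
"""

ROUTE_ADD = re.compile(
    r"route ADD (?P<net>[\d.]+) MASK (?P<mask>[\d.]+) (?P<gw>[\d.]+)"
)


def parse_client_routes(log):
    """Return [(network, gateway)] for every 'route ADD' line in the client log."""
    routes = []
    for line in log.splitlines():
        m = ROUTE_ADD.search(line)
        if m:
            # ip_network accepts a dotted netmask after the slash
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            routes.append((net, ipaddress.ip_address(m["gw"])))
    return routes


def lookup(routes, dest):
    """Longest-prefix match: the (network, gateway) that carries dest into the
    tunnel, or None if dest falls back to the client's default route."""
    dest = ipaddress.ip_address(dest)
    best = None
    for net, gw in routes:
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def check_destinations(routes, dests):
    """Map each destination to the route it will use (or None)."""
    return {d: lookup(routes, d) for d in dests}
```

If both the working address (10.1.0.200) and the failing one (10.1.101.200) resolve to the same 10.1.0.0/16 route via the tunnel gateway, the client is sending both into the tunnel and the difference has to be found on the pfSense or OPT1 side (firewall rules, NAT, or the netmask configured on the OPT1 hosts).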
I'm writing over such a setup at this moment.
It is working quite well. OPT1 is in my case the wireless-interface.
Can you try to ping 10.1.0.1 (if this is the IP of pfSense on the 10.1.0.0/16 subnet)?
I can ping the OPT1 interface IP, which is 10.1.0.99 in my case. I can also ping a couple of other devices in the /16 OPT1 network, but only if they start with 10.1.0.x (meaning /24).
Can you confirm that the routes on the openVPN-client get added correctly?
Can you ping from a client on the 10.1.0.0/16 NOT in the 10.1.0.0/24 range to an OpenVPN-client?
I've tried this and it didn't work. I'll try to change an ip address from an unused device to the 'working' range to make sure I have the same effect.
I've changed the ip from 10.1.101.200 to 10.1.0.200 and then it worked.