Netgate Discussion Forum
    OpenVPN Routing Site-to-Site Remote Subnet to Remote Access VPN Subnet

    Category: OpenVPN
    4 Posts 3 Posters 1.5k Views
    • Precise

      Ok, I am definitely new to pfSense and am willing to learn but have little knowledge past the basics of what you can do with pfSense. I'm going to try to word this as well as I can to avoid confusion, if only to keep myself from being confused.

      I have two physical sites linked via an OpenVPN site-to-site link. The main facility has a remote access VPN setup with RADIUS to a Windows 2012 R2 server. All machines in the satellite facility authenticate through the site-to-site VPN tunnel to the 2012 R2 server just fine.

      What I am trying to do is link the remote access VPN network to both the local network in the main facility AND the remote network at the satellite facility through the site-to-site VPN tunnel. I can get it routed to the local network at the main facility, but not the remote network at the satellite facility through the site-to-site VPN.

      I have tried using many different custom route options to achieve this with limited (well, really none) success. I am looking to the community to ask what would be the proper route options to get this done.

      Here are my current configurations on both ends:

      ---Main Facility Configuration:---

      Local network: 192.168.10.1

      Main Facility Site-to-Site VPN Server:

      IPv4 Tunnel Network: 192.168.90.0/30
      IPv4 Remote network(s): 192.168.110.0/24
      Custom options: route 192.168.110.0 255.255.255.0;
      

      Main Facility Remote Access VPN Server:

      IPv4 Tunnel Network: 192.168.80.0/24
      IPv4 Local network(s): 192.168.10.0/24
      Custom options: None
      

      ---Satellite Facility Configuration:---

      Local network: 192.168.110.1

      Satellite Facility Site-to-Site VPN Client:

      IPv4 Tunnel Network: 192.168.90.0/30
      IPv4 Remote network(s): 192.168.110.0/24
      Custom options: route 192.168.10.0 255.255.255.0;
      

      I have tried adding the tunnel network for the site-to-site connection to the remote VPN server configuration:

      IPv4 Local network(s): 192.168.10.0/24, 192.168.90.0/24
      

      -No effect.

      I have tried adding the remote local LAN subnet to the remote VPN server configuration:

      IPv4 Local network(s): 192.168.10.0/24, 192.168.110.0/24
      

      -No effect.

      I have tried adding the tunnel network for the site-to-site connection to the remote VPN server custom options:

      Custom options: route 192.168.90.0 255.255.255.0;
      

      -No effect.

      I have tried adding the remote local LAN subnet to the remote VPN server custom options:

      Custom options: route 192.168.110.0 255.255.255.0;
      

      -No effect.

      I have also tried using "push" options for routes and found no difference using them.

      I'm guessing the solution is either something I didn't try at all or a combination of the above that I did not try.

      Thank you for your assistance! Any help or hints are very much appreciated.

      • Derelict (Netgate)

        ---Main Facility Configuration:---

        Local network: 192.168.10.1

        Main Facility Site-to-Site VPN Server:
        IPv4 Tunnel Network: 192.168.90.0/30
        IPv4 Remote network(s): 192.168.110.0/24
        Custom options: route 192.168.110.0 255.255.255.0;

        Main Facility Remote Access VPN Server:
        IPv4 Tunnel Network: 192.168.80.0/24
        IPv4 Local network(s): 192.168.10.0/24**, 192.168.110.0/24**
        Custom options: None

        ---Satellite Facility Configuration:---

        Local network: 192.168.110.1

        Satellite Facility Site-to-Site VPN Client:
        IPv4 Tunnel Network: 192.168.90.0/30
        IPv4 Remote network(s): 192.168.110.0/24 192.168.10.0/24, 192.168.80.0/24
        Custom options: route 192.168.10.0 255.255.255.0;

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • buomque

          Hi Derelict,

          I followed your last post and kind of got it to work.

          I created a new interface for the 192.168.90.0/30 tunnel, called Site-To-Site.
          I created a new interface for the 192.168.80.0/24 tunnel, called Remote Access.

          In the Satellite Facility, I have some servers which use the 172.16.16.0/24 block.

          My laptop is using 192.168.80.0/24 tunnel to connect to Main Facility Remote Access VPN Server

          Now I am having trouble connecting to 172.16.16.0/24 from my laptop. Would you show me a way to get this to work?

          Thank you,

          • Derelict (Netgate)

            You should probably start a new thread.

            But in general you probably need to add 192.168.80.0/24 to the Remote Networks on the Site-to-Site tunnel at the side with the 172.16.16.0/24 network so it knows how to route back to it.


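Derelict's two answers above (add the satellite LAN to the remote-access server's local networks, and add the remote-access tunnel network to the satellite side of the site-to-site tunnel) both come down to the same rule: a flow only works when the forward route and the return route both exist. The following route-table model is an added example written for this page, not code from the posters or from Netgate/pfSense. It assumes one mapping from pfSense fields to routes, stated in the docstring and not taken from the thread: a server's "IPv4 Local network(s)" become routes pushed to its clients, and "IPv4 Remote network(s)" or a custom `route` option become a route via the tunnel peer. The router names, host addresses and scenario functions are constructed for illustration; the scenarios replay Precise's original configuration, a half-fix that only pushes the route, Derelict's full fix, and buomque's extra 172.16.16.0/24 LAN.

```python
"""
Route-table model of the two-tunnel topology in this thread: an added example for
this page, not code from the posters or from Netgate/pfSense.  Assumed mapping of
pfSense OpenVPN fields to routes (an assumption, not stated in the thread):
  server "IPv4 Local network(s)"             -> routes pushed to that server's clients
  "IPv4 Remote network(s)" / custom `route`  -> route on that box via the tunnel peer
Router names, host addresses and the scenario functions are constructed here.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


class Router:
    """Routing table of (prefix, via); via is 'connected' or a peer router name."""

    def __init__(self, name: str, connected: List[str]) -> None:
        self.name = name
        self.routes: List[Tuple[ipaddress.IPv4Network, str]] = []
        self.add_routes(connected, "connected")

    def add_routes(self, prefixes, via: str) -> None:
        for p in prefixes:
            self.routes.append((ipaddress.ip_network(p, strict=False), via))

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match; returns the next hop, or None if there is no route."""
        ip = ipaddress.ip_address(dst)
        best = None
        for prefix, via in self.routes:
            if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, via)
        return best[1] if best else None


def build(ra_pushed, main_s2s_remote, sat_s2s_remote,
          sat_lans=("192.168.110.0/24",)) -> Dict[str, Router]:
    """Three routing tables derived from the pfSense-style field values."""
    main = Router("main", ["192.168.10.0/24", "192.168.90.0/30", "192.168.80.0/24"])
    sat = Router("sat", list(sat_lans) + ["192.168.90.0/30"])
    ra = Router("ra-client", ["192.168.80.0/24"])   # the road-warrior laptop
    main.add_routes(main_s2s_remote, "sat")           # via the site-to-site tunnel
    sat.add_routes(sat_s2s_remote, "main")            # via the site-to-site tunnel
    ra.add_routes(ra_pushed, "main")                  # pushed by the RA server
    return {r.name: r for r in (main, sat, ra)}


def trace(routers: Dict[str, Router], start: str, dst: str) -> Tuple[bool, List[str]]:
    """Follow next hops from `start` until delivered or some hop has no route."""
    path, cur = [start], start
    for _ in range(len(routers) + 1):            # bounded, so a loop cannot hang
        via = routers[cur].lookup(dst)
        if via is None:
            return False, path + [f"NO ROUTE at {cur}"]
        if via == "connected":
            return True, path + ["delivered"]
        path.append(via)
        cur = via
    return False, path + ["LOOP"]


def round_trip(routers, src_router, src_ip, dst_router, dst_ip):
    """A flow works only if the packet AND its reply both have a route."""
    fwd_ok, fwd = trace(routers, src_router, dst_ip)
    rev_ok, rev = trace(routers, dst_router, src_ip)
    return fwd_ok and rev_ok, fwd, rev


# Constructed hosts: a laptop on the RA tunnel, servers on the satellite LANs.
LAPTOP, SAT_SERVER, SAT_172 = "192.168.80.10", "192.168.110.50", "172.16.16.7"


def original_post_config():
    """Precise's first post: the RA server only hands clients 192.168.10.0/24."""
    return build(["192.168.10.0/24"], ["192.168.110.0/24"], ["192.168.10.0/24"])


def push_only_config():
    """Half a fix: 192.168.110.0/24 pushed to the laptop, no return route at sat."""
    return build(["192.168.10.0/24", "192.168.110.0/24"],
                 ["192.168.110.0/24"], ["192.168.10.0/24"])


def derelict_config():
    """Derelict's answer: push 192.168.110.0/24 AND add 192.168.80.0/24 at sat."""
    return build(["192.168.10.0/24", "192.168.110.0/24"],
                 ["192.168.110.0/24"], ["192.168.10.0/24", "192.168.80.0/24"])


def buomque_config():
    """buomque's 172.16.16.0/24: same three entries, with the extra LAN everywhere."""
    return build(["192.168.10.0/24", "192.168.110.0/24", "172.16.16.0/24"],
                 ["192.168.110.0/24", "172.16.16.0/24"],
                 ["192.168.10.0/24", "192.168.80.0/24"],
                 sat_lans=("192.168.110.0/24", "172.16.16.0/24"))


if __name__ == "__main__":
    for label, cfg, target in [("original", original_post_config(), SAT_SERVER),
                               ("push only", push_only_config(), SAT_SERVER),
                               ("derelict", derelict_config(), SAT_SERVER),
                               ("buomque", buomque_config(), SAT_172)]:
        ok, fwd, rev = round_trip(cfg, "ra-client", LAPTOP, "sat", target)
        print(f"{label:10} {'OK' if ok else 'FAIL'}  fwd {' -> '.join(fwd)}  rev {' -> '.join(rev)}")
```

The "push only" scenario is the one that fools people: the laptop's packets arrive at the satellite server, but the reply has no route back to 192.168.80.0/24 and is dropped at the satellite, so pings time out even though the forward path is fine. On the real boxes the equivalent check is `netstat -rn` on each pfSense: the satellite must show 192.168.80.0/24 via its ovpn interface. Routes alone do not pass traffic on pfSense: firewall rules on the OpenVPN tab (and on any assigned OpenVPN interface, as buomque created) must also allow it in both directions, and it is better to permit only the remote-access subnet to the specific satellite hosts it needs than to add an any-to-any rule.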
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.