[SOLVED] Site to site with vps server

diegox80 · Oct 31, 2016, 8:53 PM

Good evening to you all!
I have the following topology for my vpn:

  192.168.100.10                                                                          192.168.101.21
+-------+                                                                                +-------+
|       |               192.168.100.1           10.8.0.1           192.168.101.1         |       |
|  CL1  +-------+        +----------+         +----------+          +-----------+    +---+  CL3  |
|       |       +--------+          |         |          |          |           +----+   |       |
+-------+                | pfsense1 +---------+  OvpnSrv +----------+  pfsense2 |        +-------+
+-------+       +--------+          |         |          |          |           +----+   +-------+
|       |       |        +----------+         +----------+          +-----------+    |   |       |
|  CL2  +-------+                        public_ip: 11.22.33.44                      +---+  CL4  |
|       |                                                                                |       |
+-------+                                                                                +-------+
  192.168.100.11                                                                         192.168.101.22

This is my server.conf


port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh4096.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

client-config-dir ccd
route 192.168.100.0 255.255.255.0
route 192.168.101.0 255.255.255.0

client-to-client
push "route 192.168.100.0 255.255.255.0"
push "route 192.168.101.0 255.255.255.0"

keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
comp-lzo
user openvpn_server
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

From CL1 I can ping pfsense2 but not CL3 or CL4.
Same on the other side:
from CL3 I can ping pfsense1 but not CL1 or CL2

I'm very noob in pfsense and networking, but I think I have to configure rules or nat or something similar in pfsense 1 and 2.
Tanks

viragomann · Oct 29, 2016, 5:24 PM

Why you push both sites LAN subnet to the VPN client?

You haven't mentioned which site is the server and which is the client. But no matter, just enter the other sites LAN subnet in the "IPv4 Remote Networks" box in server and the client settings, no other.

diegox80 · Oct 29, 2016, 6:53 PM

Very tanks for reply.
The server is ovpnsrv that is a linode vps.
Pfsense1 and pfsense2 are both clients.
There are others vps that are openvpn clients in linode cloud: i want that all can see pfsense1 and pfsense2 subnet.

Your answer is valid however?
Tanks

viragomann · Oct 29, 2016, 8:37 PM

I see. I didn't notice the server in the middle of your graphic.

Yes, my answer above is valid anyway. But on the server you need also the iroute command for each client. Have you set these?

diegox80 · Oct 31, 2016, 8:53 PM

Thanks for the support!
After your advice routing was ok, but clients that are behind pfsense respond only to the ping…
no http, no ssh, nothing!!!!
I thought it was some sort of firewall rule, but the problem was that pfsense is on a VM (kvm on very old proxmox1.9):
solved with this
https://doc.pfsense.org/index.php/VirtIO_Driver_Support

Tanks