Selective routing and selective internet routing

  • I have a site-to-site VPN set up that accesses the remote subnet just fine. This is accomplished by using route commands in client overrides, as different ones go to different subnets. My problem is I want to add one internet route to go through the tunnel also.

    So it would be from client vpn tunnel, to server tunnel, to intranet and back again.

    The iroute to the client side works fine so I can ping both ways. The intranet address with the route command gets routed through the tunnel but does not make it back. It has DNS resolution to the IP. Just tracert never makes it past the server VPN address. Any ideas?

  • LAYER 8 Netgate

    Might be the need to have Outbound NAT in place for the OpenVPN client source address out WAN. When you use "Remote Networks" in the server config, Automatic Outbound NAT has something to look for. When you use route commands and push route commands in the advanced and client-specific settings it has no idea what's where.

  • Thank you for your suggestion.
    OpenVPN net 77.0
    local 35.0
    OpenVPN client actual network 1.0

    There is an auto-added rule in outbound NAT for the 77.0 network going to the internet address. Are you saying we should try to add one for the 1.0 network also?

    From the pfSense you can ping internet stuff using the OpenVPN network in diagnostic tools.

    The only other thing I can think of is I did not add an interface for the OpenVPN connection. Everything local works fine, just no internet resolution.

  • LAYER 8 Netgate

    If the traffic is leaving WAN sourced from 1.0 you need an outbound NAT rule for it.

  • EDIT
    After setting it to the WAN interface instead of OpenVPN (after thinking about it for a while), it works.

    Thank you very much for your help.

    Thank you again for your suggestion.
    I added an outbound NAT rule of:
    coming from VPN interface THIS WAS WRONG
    with a source of 1.0/24
    any any any
    destination vip

    still nothing

  • LAYER 8 Netgate

    Yeah. Outbound NAT on WAN. Good deal.
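    The configuration the thread converges on, written out as an added example (not the poster's own config): the client-specific override on the OpenVPN server plus the pf outbound NAT rule, with the wrong interface binding beside the working one. All addresses, the WAN interface name em0 and the OpenVPN interface name ovpns1 are constructed placeholders.

    ```conf
    # Added example, not from the thread. Constructed addresses:
    #   10.0.77.0/24    OpenVPN tunnel network ("77.0")
    #   10.0.35.0/24    server-side LAN ("35.0")
    #   192.168.1.0/24  LAN behind the OpenVPN client ("1.0")
    #   198.51.100.25   the single internet host to reach via the tunnel
    #   203.0.113.10    server WAN virtual IP ("vip") used as the NAT address

    # --- Server: client-specific override for the remote site ---
    # iroute tells the OpenVPN server that 192.168.1.0/24 sits behind this
    # client; the matching kernel route into the tunnel comes from the
    # server's own "route 192.168.1.0 255.255.255.0" setting.
    iroute 192.168.1.0/24
    # Push the one internet destination so the client sends it down the tunnel.
    push "route 198.51.100.25 255.255.255.255"

    # --- Server: pf outbound NAT (check what is loaded with: pfctl -sn) ---
    # Wrong: rule bound to the OpenVPN interface (ovpns1, assumed name).
    # Packets from 192.168.1.0/24 bound for the internet leave via WAN, not
    # via ovpns1, so this rule never matches and replies go to 192.168.1.x,
    # which the upstream router cannot return.
    # nat on ovpns1 from 192.168.1.0/24 to any -> 203.0.113.10

    # Right: the packets exit WAN (em0, assumed name) still sourced from
    # 192.168.1.0/24, so the translation must be on WAN. Replies come back
    # to the VIP, are untranslated by the state entry, and follow the kernel
    # route for 192.168.1.0/24 back into the tunnel.
    nat on em0 from 192.168.1.0/24 to any -> 203.0.113.10
    ```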
