Netgate Discussion Forum

    OpenVPN Multiple Site to Site routing

      andres1550

      Hello, I have configured two sites with OpenVPN Multiple Site to Site. The communication between these sites is OK, but from another VPN client the communication is not possible. My architecture is:

      Site A: LAN 10.10.140.0/24
      Tunnel Network: 10.10.212.0/24

      Site B: LAN 10.11.140.0/24
      Tunnel Network: 10.10.212.0/24

      The inter-communication between Site A to Site B is OK.

      In the same Site A, I have configured another VPN server instance for clients (Windows stations). I can connect to the Site A network OK, but when I try to connect to Site B from this instance I can't do it.

      Site A Clients Windows: LAN 10.10.140.0/24
      Tunnel Network: 10.10.210.0/24

      What do I have to do?

      Thanks so much
      ![Falla VPN Clients to Site B.png](/public/imported_attachments/1/Falla VPN Clients to Site B.png)

        viragomann

        You have to add the site B LAN subnet to the "IPv4 Local Networks" in the access server config to get the route pushed to the clients.

          andres1550

          I have already configured this, but it is not possible. The client connected from the VPN in site A cannot view or reach site B.

          Please see the image attached. After configuring, my workstation gets the routes, but it still cannot see Site B using ping or other tests.

          Captura.PNG

            viragomann

            Okay, maybe it depends on the site-to-site config. In return, you also have to tell site B to route traffic destined for the access server's tunnel to site A.

            So go to the site B OpenVPN settings for the site-to-site tunnel and add the clients' tunnel subnet 10.10.210.0/24 to the "IPv4 Remote Networks".

              andres1550

              The traffic between Site A and Site B in both directions is OK; the communication is OK.

              But when the workstation is connected to the VPN at Site A, it can reach Site A, but not Site B.

              Remember, the workstation uses another VPN instance in Site A. In the local network field for this instance I set the networks of site B.

              Is something missing that allows the workstations' VPN instance to route to the VPN instance that does the site-to-site?

                viragomann

                The setting for the site-to-site I've suggested above is necessary anyway for correct routing.

                Look, if you try to access a LAN device on site B from a VPN client on site A, the packet is sent to the site A pfSense because of the route which is pushed to the client. Site A directs the packet to site B because it also has a route for site B's LAN. The packet reaches the device on site B, which sends its response, addressed to an IP in 10.10.210.0/24, back to its default gateway, which is the site B pfSense. If there is no special route for 10.10.210.0/24, the gateway will send the packet to its upstream gateway, thus to the internet, where the packet will be dropped because the destination subnet is not routed there.
                Therefore you need a route on site B which directs packets destined to 10.10.210.0/24 back over the site-to-site tunnel to site A.

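The return-path problem described in the last reply can be reproduced with a small longest-prefix-match model. This is an added example, not part of the original thread or of pfSense; the subnets come from the posts, while the host addresses and node labels (`vpn_client`, `lan_b_host`, `client_tunnel`, `wan_b`, and so on) are constructed for illustration.

```python
import ipaddress

# Constructed sample addresses inside the subnets named in the thread.
VPN_CLIENT = "10.10.210.6"    # remote-access client on the site A tunnel
LAN_B_HOST = "10.11.140.20"   # device on the site B LAN

def build_tables(site_b_routes_client_tunnel):
    """Per-node routing tables (prefix -> next hop) modelled on the thread."""
    site_b = {
        "10.11.140.0/24": "lan_b",    # directly connected LAN
        "10.10.140.0/24": "site_a",   # site A LAN via the site-to-site tunnel
        "0.0.0.0/0": "wan_b",         # default route towards the internet
    }
    if site_b_routes_client_tunnel:
        # Effect of adding 10.10.210.0/24 to "IPv4 Remote Networks" on site B.
        site_b["10.10.210.0/24"] = "site_a"
    return {
        "vpn_client": {"10.10.140.0/24": "site_a",   # routes pushed by site A
                       "10.11.140.0/24": "site_a",
                       "0.0.0.0/0": "client_isp"},
        "site_a": {"10.10.140.0/24": "lan_a",
                   "10.10.210.0/24": "client_tunnel",
                   "10.11.140.0/24": "site_b",
                   "0.0.0.0/0": "wan_a"},
        "site_b": site_b,
        "lan_b_host": {"0.0.0.0/0": "site_b"},       # default gateway only
    }

def next_hop(table, dst):
    """Longest-prefix match: next hop of the most specific route containing dst."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), hop) for p, hop in table.items()]
    return max((n for n in nets if addr in n[0]), key=lambda n: n[0].prefixlen)[1]

def trace(tables, start, dst, max_hops=8):
    """Follow dst hop by hop until a node without a table (a terminal) is reached."""
    path, node = [start], start
    while node in tables and len(path) <= max_hops:
        node = next_hop(tables[node], dst)
        path.append(node)
    return path

def round_trip(site_b_routes_client_tunnel):
    """Return (request path, reply path) between the VPN client and the LAN B host."""
    tables = build_tables(site_b_routes_client_tunnel)
    return (trace(tables, "vpn_client", LAN_B_HOST),
            trace(tables, "lan_b_host", VPN_CLIENT))

if __name__ == "__main__":
    for fixed in (False, True):
        request, reply = round_trip(fixed)
        print(f"site B route for 10.10.210.0/24: {fixed}")
        print("  request:", " -> ".join(request))
        print("  reply:  ", " -> ".join(reply))
```

The request path is identical in both runs; only the reply path changes, which is why the pushed routes on the client look correct while ping still fails.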
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.