Routing OpenVPN Clients to Tinc VPN



  • Dear all,

    I have 5 locations, all running pfSense 2.3.4, and all sites are now connected through Tinc VPN Site2Site (before IPsec), which works great.
    External users are connecting through OpenVPN to my main site, which is also working well.
    External users can access resources in the main site, but I can't figure out how to route them into the other sites with Tinc, more exactly how to reverse route from the other sites to the OpenVPN network. With IPsec I used an additional Phase 2 to accomplish this, and of course I pushed the routes to the other networks in OpenVPN.

    Simplified with only main site and one branch:

    OpenVPN Client network  -->  Main Site        <--->  Branch Office

    192.168.55.128/27       -->  192.168.56.0/24  <--->  192.168.86.0/24

    What I want to achieve is that OpenVPN clients can access resources in the Branch Office while connected to the main site.

    Thanks in advance.
    Ivo



  • You have to add a subnet line with the OpenVPN tunnel network to the main site's Tinc config file.



  • Thank you very much…

    That works, but only if I edit the file directly... or do you know a way to enter more subnets in the GUI? And the file is always reset as soon as I change something in the GUI, and I need to edit it again.

    Ivo



  • Found it…. additional subnet can be added in "Extra host parameters"

    Thanks again.
    Ivo



  • I was asked to accomplish this exact task for my company. After playing around with it, I came up with the following details:

    1. "Subnet = 172.16.2.0/24" goes into the "Extra Host Parameters" advanced area of the tinc configuration in the main site's pfSense
    2. "route add -net 172.16.2.0/24 192.168.0.1" goes into the "Host Up Script" area of the tinc host configuration for the main site in the branch site's pfSense

    The actual subnets and IPs above should be changed to the appropriate ones for your environment.

    I hope this helps anyone who needs to accomplish the same kind of thing.
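
A way to check the fix discussed in this thread, added here as an example and not code from any poster or from pfSense or tinc: it parses the `Subnet` lines of a tinc host file and reports which required networks the main site does not advertise to the other sites. The host file contents, the `main.example.invalid` address and the function names are constructed for illustration; the networks are the ones from the first post.

```python
import ipaddress
import re

# tinc host files use "Variable = Value" (the "=" is optional) and variable
# names are case-insensitive; a Subnet value may carry a "#weight" suffix.
SUBNET_RE = re.compile(r"^\s*subnet\s*=?\s*(\S+)", re.IGNORECASE)


def advertised_subnets(host_file_text):
    """Return the IP networks declared by Subnet lines in a tinc host file."""
    nets = []
    for line in host_file_text.splitlines():
        if line.startswith("-----BEGIN"):  # embedded public key follows
            break
        m = SUBNET_RE.match(line)
        if not m:
            continue  # other variables and "#" comment lines
        value = m.group(1).split("#", 1)[0]  # drop the optional weight
        try:
            nets.append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            pass  # e.g. a MAC address in switch mode, not an IP route
    return nets


def missing_routes(required, host_file_text):
    """List required CIDRs not covered by any advertised Subnet."""
    advertised = advertised_subnets(host_file_text)
    missing = []
    for cidr in required:
        net = ipaddress.ip_network(cidr)
        if not any(net.version == a.version and net.subnet_of(a)
                   for a in advertised):
            missing.append(cidr)
    return missing


# Constructed samples (not real config files): the main site's host file
# before and after adding the OpenVPN tunnel network.
BEFORE = "Address = main.example.invalid\nSubnet = 192.168.56.0/24\n"
AFTER = BEFORE + "Subnet = 192.168.55.128/27\n"
REQUIRED = ["192.168.56.0/24", "192.168.55.128/27"]

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, "missing:", missing_routes(REQUIRED, text))
```

Run against the host file that pfSense actually generates, this also shows whether a GUI change has dropped a hand-edited `Subnet` line again.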

