    PfSense OpenVPN > Ubiquiti USG > LAN not routing properly

    OpenVPN
    boelter:

      Recently I added a Ubiquiti USG to my setup, behind pfsense and in front of my LAN.  Current layout looks like this:

      PfSense (W:DHCP / L:10.42.9.0/24 / OVPN:10.90.0.0/24) -> USG (W:10.42.9.12 / L:10.42.8.11) -> LAN

      I have a static route in pfsense from 10.42.9.0/24 to 10.42.8.0/24 via 10.42.9.12.  NATting is disabled on the USG.

      I'm currently able to connect to openvpn on pfsense and access anything in the 10.42.9.0 net, but nothing in the .8.0/24.  I've read extensively (though, admittedly, not fully comprehended) how to add routes to the openvpn config on the server / client side but I still cannot hit anything in 8.

      Configs:

      Disclaimer: I've done a lot of tweaking here. Between multiple attempts at this and a lack of complete understanding, there may be some glaring mistakes here...

      server1.conf (the <ip>, <hash> and <dns> placeholders stand for values redacted in the post):

      dev ovpns1
      verb 5
      dev-type tun
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp4
      cipher AES-128-CBC
      auth SHA256
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      client-connect /usr/local/sbin/openvpn.attributes.sh
      client-disconnect /usr/local/sbin/openvpn.attributes.sh
      local <ip>
      tls-server
      # 'server' also installs the kernel route for 10.90.0.0/24 via the tun interface
      server 10.90.0.0 255.255.255.0
      client-config-dir /var/etc/openvpn-csc/server1
      # no client certificate is checked; clients authenticate with username/password only
      verify-client-cert none
      username-as-common-name
      auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user <hash> false server1 1194" via-env
      tls-verify "/usr/local/sbin/ovpn_auth_verify tls '<dns>' 1"
      lport 1194
      management /var/etc/openvpn/server1.sock unix
      push "dhcp-option DNS 10.42.9.205"
      ca /var/etc/openvpn/server1.ca
      cert /var/etc/openvpn/server1.cert
      key /var/etc/openvpn/server1.key
      dh /etc/dh-parameters.2048
      tls-auth /var/etc/openvpn/server1.tls-auth 0
      ncp-ciphers AES-256-GCM:AES-128-GCM
      persist-remote-ip
      float
      topology net30
      # pushed to the client: send 10.42.8.0/24 into the tunnel
      push "route 10.42.8.0 255.255.255.0 vpn_gateway"
      push "redirect-gateway def1"
      # server-side kernel route for 10.42.8.0/24 pointing at the tunnel
      route 10.42.8.0 255.255.255.0

      client (client-specific override):

      push "redirect-gateway def1"
      # iroute tells the server that 10.42.8.0/24 is reachable behind this client (site-to-site use)
      iroute 10.42.8.0 255.255.255.0

      Any idea what I'm missing? I'm starting to lose it...

      boelter:

        Figured it out: it was my USG WAN-IN interface FW blocking all traffic. I thought I had this off, but I was incorrect.

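The forward and return path described by the two posts above, as an added example that is not part of the original thread and not code from pfSense or UniFi: a small longest-prefix-match and WAN_IN policy model of the posted topology. It assumes that pfSense's LAN address is 10.42.9.1 and is the USG's default gateway, and that the USG's WAN_IN rule set by default admits only established/related traffic and drops everything else; the thread itself only gives the USG WAN address 10.42.9.12, the static route and the fact that NAT is off on the USG. The model shows why hosts in 10.42.9.0/24 were reachable (pfSense delivers onto its LAN directly) while 10.42.8.0/24 was not (the packet has to enter the USG through its WAN interface, where WAN_IN decides), and what changes once a rule admitting 10.90.0.0/24 to 10.42.8.0/24 exists.

```python
"""Toy model of the thread's topology: pfSense (OpenVPN server + static route)
in front of a Ubiquiti USG whose WAN_IN rule set filters what may enter the LAN.

Added example for this page, not code from the original poster, pfSense or
UniFi.  Constructed assumptions: pfSense's LAN address is 10.42.9.1 and is the
USG's default gateway; UniFi's WAN_IN defaults are modelled as "accept
established/related, drop everything else".  Addresses are those in the post.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class Route:
    prefix: IPv4Network
    via: Optional[IPv4Address]  # None means directly connected
    iface: str


@dataclass
class Rule:
    action: str                 # "accept" or "drop"
    src: IPv4Network
    dst: IPv4Network
    states: frozenset           # connection states the rule applies to


def lookup(table: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match, as a kernel forwarding table does."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def wan_in_verdict(rules: List[Rule], src: IPv4Address, dst: IPv4Address, state: str) -> str:
    """First-match evaluation; unmatched traffic is dropped (assumed WAN_IN default)."""
    for r in rules:
        if src in r.src and dst in r.dst and state in r.states:
            return r.action
    return "drop"


USG_WAN = ip_address("10.42.9.12")
PFSENSE_LAN = ip_address("10.42.9.1")     # assumption, not given in the thread
ANY = ip_network("0.0.0.0/0")

PFSENSE_ROUTES = [
    Route(ip_network("10.42.9.0/24"), None, "lan"),
    Route(ip_network("10.90.0.0/24"), None, "ovpns1"),        # from 'server 10.90.0.0 255.255.255.0'
    Route(ip_network("10.42.8.0/24"), USG_WAN, "lan"),        # the static route from the post
]
USG_ROUTES = [
    Route(ip_network("10.42.8.0/24"), None, "lan"),
    Route(ip_network("10.42.9.0/24"), None, "wan"),
    Route(ANY, PFSENSE_LAN, "wan"),                           # default route, assumed
]

# WAN_IN as shipped (assumed): only replies to connections the LAN opened get in.
USG_DEFAULT_WAN_IN = [
    Rule("accept", ANY, ANY, frozenset({"established", "related"})),
    Rule("drop", ANY, ANY, frozenset({"invalid"})),
]
# WAN_IN with a rule admitting new connections from the VPN pool to the LAN only,
# rather than opening the WAN side to any source.
USG_FIXED_WAN_IN = [
    Rule("accept", ip_network("10.90.0.0/24"), ip_network("10.42.8.0/24"),
         frozenset({"new", "established", "related"})),
] + USG_DEFAULT_WAN_IN


def trace(src: str, dst: str, usg_wan_in: List[Rule]) -> List[str]:
    """Follow a new packet from an OpenVPN client and, if it gets through, the reply."""
    s, d = ip_address(src), ip_address(dst)
    hops: List[str] = []
    r = lookup(PFSENSE_ROUTES, d)
    if r is None:
        hops.append("pfsense: no route")
        return hops
    if r.via is None:
        hops.append(f"pfsense: delivered on {r.iface}")   # 10.42.9.0/24 case: the USG never sees it
        return hops
    hops.append(f"pfsense: next hop {r.via} on {r.iface}")
    if r.via != USG_WAN:
        hops.append("model: next hop is not the USG")
        return hops
    verdict = wan_in_verdict(usg_wan_in, s, d, "new")     # packet enters the USG on its WAN side
    hops.append(f"usg WAN_IN: {verdict}")
    if verdict != "accept":
        return hops
    hops.append(f"usg: delivered on {lookup(USG_ROUTES, d).iface}")
    back = lookup(USG_ROUTES, s)                          # the reply needs a route to the VPN pool
    hops.append(f"usg reply: next hop {back.via} on {back.iface}")
    hops.append(f"pfsense reply: delivered on {lookup(PFSENSE_ROUTES, s).iface}")
    return hops


if __name__ == "__main__":
    for target in ("10.42.9.50", "10.42.8.20"):
        print(target, "with default WAN_IN:", trace("10.90.0.6", target, USG_DEFAULT_WAN_IN))
    print("10.42.8.20 with allow rule:", trace("10.90.0.6", "10.42.8.20", USG_FIXED_WAN_IN))
```

Two points the trace makes visible: the USG must have a route back to 10.90.0.0/24 (here it falls onto the assumed default route toward pfSense), and pfSense hands the reply to ovpns1 because the `server` directive installed that subnet on the tun interface. Because NAT is off on the USG, the VPN client's real 10.90.0.x address is what WAN_IN sees, so the allow rule can be scoped to that pool instead of any source.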
          msf2000:

          @boelter said in PfSense OpenVPN > Ubiquiti USG > LAN not routing properly:

          PfSense (W:DHCP / L:10.42.9.0/24 / OVPN:10.90.0.0/24) -> USG (W:10.42.9.12 / L:10.42.8.11) -> LAN

          Wow, does this actually work with DPI stats in the Unifi controller? Do you have any VLANs behind there? I.e., can the pfSense do the VLAN routing and let the USG just be a "dumb" router/bridge?
