PfSense OpenVPN > Ubiquiti USG > LAN not routing properly



  • Recently I added a Ubiquiti USG to my setup, behind pfSense and in front of my LAN.  Current layout looks like this:

    PfSense (W:DHCP / L:10.42.9.0/24 / OVPN:10.90.0.0/24) -> USG (W:10.42.9.12 / L:10.42.8.11) -> LAN

    I have a static route in pfSense from 10.42.9.0/24 to 10.42.8.0/24 via 10.42.9.12.  NATting is disabled on the USG.

    I'm currently able to connect to OpenVPN on pfSense and access anything in the 10.42.9.0/24 net, but nothing in 10.42.8.0/24.  I've read extensively (though, admittedly, not fully comprehended) how to add routes to the OpenVPN config on the server / client side, but I still cannot hit anything in .8.

    Configs:

    Disclaimer: I've done a lot of tweaking here... between multiple attempts at this and a lack of complete understanding, there may be some glaring mistakes here...

    server1.conf:

    dev ovpns1
    verb 5
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-128-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local <ip>
    tls-server
    server 10.90.0.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server1
    verify-client-cert none
    username-as-common-name
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user <hash> false server1 1194" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls '<dns>' 1"
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    push "dhcp-option DNS 10.42.9.205"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    ncp-ciphers AES-256-GCM:AES-128-GCM
    persist-remote-ip
    float
    topology net30
    push "route 10.42.8.0 255.255.255.0 vpn_gateway"
    push "redirect-gateway def1"
    route 10.42.8.0 255.255.255.0
    

    client:

    push "redirect-gateway def1"
    iroute 10.42.8.0 255.255.255.0
    
    

    Any idea what I'm missing?  I'm starting to lose it...



  • Figured it out: it was my USG WAN-IN interface FW blocking all traffic.  I thought I had this off, but I was incorrect.
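
    The routing-relevant part of the pfSense server config above, rewritten as an added example (this is not the poster's config or pfSense's generated output). It uses the addresses from this thread, keeps the redacted <ip> placeholder as-is, and annotates which directives are needed for a subnet that sits behind the server versus behind a client. The lines marked "not needed" are the ones from the original post and its CSC file that do not fit this topology:

```conf
# Added example, not the poster's config: only the directives that affect
# how a VPN client reaches 10.42.8.0/24 behind the USG are shown. All other
# directives (certs, auth scripts, ciphers, management socket) are unchanged.

server 10.90.0.0 255.255.255.0         # tunnel pool; pfSense is 10.90.0.1
topology net30                         # with net30 the tun peer address is 10.90.0.2
client-config-dir /var/etc/openvpn-csc/server1

# Subnets behind the SERVER: push a route so the client sends them into the
# tunnel. pfSense already reaches 10.42.8.0/24 via its static route
# (next hop 10.42.9.12), so the server itself needs no extra route.
push "route 10.42.9.0 255.255.255.0 vpn_gateway"   # pfSense LAN (only needed for split tunnel)
push "route 10.42.8.0 255.255.255.0 vpn_gateway"   # USG LAN, one router further in

# Full tunnel: one push is enough. The CSC file in the thread pushes this a
# second time, which is redundant but harmless.
push "redirect-gateway def1"

# Not needed here, and wrong for this topology:
#   route 10.42.8.0 255.255.255.0
#       Without a gateway argument, "route" on a tun server uses the tun peer
#       (10.90.0.2) as next hop, i.e. it points 10.42.8.0/24 INTO the tunnel
#       toward the clients, competing with the static route via 10.42.9.12.
#   iroute 10.42.8.0 255.255.255.0
#       iroute is a CSC directive for a subnet behind a CLIENT, so OpenVPN
#       knows which client to hand packets for that subnet to. 10.42.8.0/24
#       is behind the server, so no iroute is involved.
```

    With the pushes in place, the forward path is client -> 10.90.0.1 (pfSense) -> 10.42.9.12 (USG WAN) -> LAN, and the return path works without any route on the USG because NAT is off and the USG's default gateway is pfSense, which owns the 10.90.0.0/24 tun route. The remaining requirement is what the thread ended up finding: traffic from 10.90.0.0/24 arrives on the USG's WAN side, so its WAN_IN ruleset must allow source 10.90.0.0/24 to the LAN, and the pfSense OpenVPN interface rules must pass it as well. A quick way to see which hop is dropping is a traceroute from a connected client to a 10.42.8.x host (it should show 10.90.0.1, then 10.42.9.12, then the target) and a packet capture on the USG WAN interface filtered on the client's 10.90.0.x address: packets arriving with no replies leaving means a firewall rule, not a route, is the problem.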



  • @boelter said in PfSense OpenVPN > Ubiquiti USG > LAN not routing properly:

    PfSense (W:DHCP / L:10.42.9.0/24 / OVPN:10.90.0.0/24) -> USG (W:10.42.9.12 / L:10.42.8.11) -> LAN

    Wow, does this actually work with DPI stats in the Unifi controller? Do you have any VLANs behind there? I.e., can the pfSense do the VLAN routing and let the USG just be a "dumb" router/bridge?

