OpenVPN Site-to-Multi-site setup Communication Issue
- 
Hi guys, I really need some assistance… this is driving me nuts :( I'm in the process of upgrading our VPN setup to an OpenVPN Site-to-Multi-site setup. Currently experiencing difficulties with getting all sites to communicate with each other AND allowing VoIP traffic among all sites.

Current Setup

HQ
LAN1: 192.168.0.0/24
LAN2: 10.1.0.0/24

VPN (Metronet from ISP; Static routing in pfSense)
VPN Route 1: 10.1.0.252/24
VPN Route 2: 10.1.0.253/24

Branches (Route 1)
10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.13.0.0/24

Branches (Route 2)
10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.12.0.0/24, 10.14.0.0/24

Static Routing
Network        Gateway       Interface
10.2.0.0/24    10.1.0.253    LAN2
10.3.0.0/24    10.1.0.253    LAN2
10.4.0.0/24    10.1.0.253    LAN2
10.5.0.0/24    10.1.0.253    LAN2
10.6.0.0/24    10.1.0.252    LAN2
10.7.0.0/24    10.1.0.252    LAN2
10.8.0.0/24    10.1.0.252    LAN2
10.9.0.0/24    10.1.0.253    LAN2
10.10.0.0/24   10.1.0.253    LAN2
10.11.0.0/24   10.1.0.253    LAN2
10.12.0.0/24   10.1.0.252    LAN2
10.13.0.0/24   10.1.0.253    LAN2
10.14.0.0/24   10.1.0.252    LAN2

----

New Setup

HQ
LAN: 192.168.0.0/24

OpenVPN Servers (Shared Key)
Server 1
  Tunnel: 172.16.2.0/30
  Remote: 10.2.0.0/24
Server 9
  Tunnel: 172.16.10.0/30
  Remote: 10.10.0.0/24
Server 13
  Tunnel: 172.16.14.0/30
  Remote: 10.14.0.0/24
Server 14
  Tunnel: 172.16.15.0/30
  Remote: 10.15.0.0/24

Firewall Rules
WAN: Allow respective ports assigned to OpenVPN servers and clients
OpenVPN: Any to Any

Branches
Client 1
  LAN: 10.2.0.1
  Tunnel: 172.16.2.0/30
  Remote: 192.168.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.12.0.0/24, 10.13.0.0/24, 10.14.0.0/24, 10.15.0.0/24
  Firewall Rule
  OpenVPN: Any to Any
Client 9
  LAN: 10.10.0.1
  Tunnel: 172.16.10.0/30
  Remote: 192.168.0.0/24, 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.9.0.0/24, 10.11.0.0/24, 10.12.0.0/24, 10.13.0.0/24, 10.14.0.0/24, 10.15.0.0/24
  Firewall Rule
  OpenVPN: Any to Any
Client 13
  LAN: 10.14.0.1
  Tunnel: 172.16.14.0/30
  Remote: 192.168.0.0/24, 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.12.0.0/24, 10.13.0.0/24, 10.15.0.0/24
  Firewall Rule
  OpenVPN: Any to Any
Client 14
  LAN: 10.15.0.1
  Tunnel: 172.16.15.0/30
  Remote: 192.168.0.0/24, 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.12.0.0/24, 10.13.0.0/24, 10.14.0.0/24
  Firewall Rule
  OpenVPN: Any to Any

----

What you see above in the new setup are the enabled sites. Their respective static routes were disabled. As you can see with Client 14, a new subnet was added to the list. It connected and worked flawlessly. All workstations and VoIP devices behind the client were able to communicate with all the other devices at the other sites. The workstations behind clients 1, 9 and 10 are all experiencing the same problem: they are unable to ping the subnets that are on their past VPN route. There's also no audio with the VoIP devices. So the workstations behind 10.10.0.0/24 are unable to ping all subnets on route 1. The workstations behind 10.14.0.0/24 are unable to ping all subnets on route 2. The tricky thing is that the firewalls at these sites are able to ping all other sites and subnets. So while troubleshooting, I figured NAT may be the problem, but it's only a problem with the subnets that were once part of a static route in the current setup. With Auto Outbound NAT selected, the workstations ARE NOT ABLE to ping and VoIP devices have NO audio on either end. With Manual Outbound NAT selected and the OpenVPN interface added, the workstations WERE ABLE to ping and VoIP devices were unable to connect to the Call Server. With Hybrid Outbound NAT selected with the OpenVPN interface being the only manually added setting, the workstations WERE ABLE to ping and VoIP devices were unable to connect to the Call Server. The PBX ports were allowed on the WAN interface of all 3 clients, but the problem persists. The VoIP devices are a PBX setup with Avaya IP Office Manager.
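An added consistency check over the addressing in the post above (example code, not the poster's pfSense configuration): it models HQ's forwarding table (the enabled OpenVPN servers plus the static routes that remain) and each branch client's remote-network list, classifies every branch-to-subnet round trip, and flags destinations whose reply path runs through the Metronet gateway the source site itself used to sit behind, which is where the post reports the failures. The "mesh"/"legacy-*" labels and the grouping by former gateway are this example's own; all addresses come from the post.

```python
HQ_LAN = "192.168.0.0/24"
# OpenVPN servers enabled at HQ (shared key), from the post: branch LAN -> server
OPENVPN_SITES = {"10.2.0.0/24": "Server 1", "10.10.0.0/24": "Server 9",
                 "10.14.0.0/24": "Server 13", "10.15.0.0/24": "Server 14"}
# The post's "Static Routing" table: branch LAN -> Metronet gateway on LAN2.
# Migrated sites keep their entry here only to record their former gateway.
STATIC_ROUTES = {"10.2.0.0/24": "10.1.0.253", "10.3.0.0/24": "10.1.0.253",
                 "10.4.0.0/24": "10.1.0.253", "10.5.0.0/24": "10.1.0.253",
                 "10.6.0.0/24": "10.1.0.252", "10.7.0.0/24": "10.1.0.252",
                 "10.8.0.0/24": "10.1.0.252", "10.9.0.0/24": "10.1.0.253",
                 "10.10.0.0/24": "10.1.0.253", "10.11.0.0/24": "10.1.0.253",
                 "10.12.0.0/24": "10.1.0.252", "10.13.0.0/24": "10.1.0.253",
                 "10.14.0.0/24": "10.1.0.252"}
# Static routes of migrated sites are disabled, so HQ still uses only the rest
LEGACY_ROUTES = {n: gw for n, gw in STATIC_ROUTES.items() if n not in OPENVPN_SITES}
ALL_SUBNETS = [HQ_LAN] + list(OPENVPN_SITES) + list(LEGACY_ROUTES)

def client_remote_networks(site):
    """A branch client's 'Remote networks' as in the post: every other subnet."""
    return [n for n in ALL_SUBNETS if n != site]

def hq_next_hop(dst):
    """How HQ pfSense forwards to dst: its own LAN, a tunnel, or a LAN2 gateway."""
    if dst == HQ_LAN:
        return ("local", "LAN")
    if dst in OPENVPN_SITES:
        return ("openvpn", OPENVPN_SITES[dst])
    return ("legacy", LEGACY_ROUTES[dst])

def check_pair(src, dst):
    """Classify the src -> dst -> src round trip for an OpenVPN branch src."""
    if dst not in client_remote_networks(src):
        return "missing-route"              # never enters src's tunnel
    kind, hop = hq_next_hop(dst)
    if kind == "local" or (kind == "openvpn" and src in client_remote_networks(dst)):
        return "mesh"                       # both legs stay on OpenVPN / HQ LAN
    if kind == "openvpn":
        return "missing-route"              # dst client cannot route back to src
    # HQ hands the packet to a Metronet gateway; the reply path back to src is
    # decided by that gateway's routing, which the post does not show. The post
    # reports failures exactly on the subnets behind src's former gateway.
    former = STATIC_ROUTES.get(src)         # None for a brand-new site (10.15)
    return "legacy-same-gateway" if hop == former else "legacy-other-gateway"

def report(site):
    """Round-trip classification from one OpenVPN branch to every other subnet."""
    return {dst: check_pair(site, dst) for dst in ALL_SUBNETS if dst != site}
```

Running `report("10.10.0.0/24")` lists the six route-1 subnets as "legacy-same-gateway" and the route-2 subnets as "legacy-other-gateway", which mirrors the ping results described in the post without saying what the Metronet routers actually do.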
- 
 Why are the tunnel networks on your server /30 but /24 on all the clients? 
- 
> Why are the tunnel networks on your server /30 but /24 on all the clients?

That was a mistake on my part. Adjusted.
- 
> The workstations behind clients 1, 9 and 10 are all experiencing the same problem: they are unable to ping the subnets that are on their past VPN route. There's also no audio with the VoIP devices. So the workstations behind 10.10.0.0/24 are unable to ping all subnets on route 1. The workstations behind 10.14.0.0/24 are unable to ping all subnets on route 2.

Please be more specific. Please use specific source and destination addresses. I have no idea what "route 1" and "route 2" are.
- 
> > The workstations behind clients 1, 9 and 10 are all experiencing the same problem: they are unable to ping the subnets that are on their past VPN route. There's also no audio with the VoIP devices. So the workstations behind 10.10.0.0/24 are unable to ping all subnets on route 1. The workstations behind 10.14.0.0/24 are unable to ping all subnets on route 2.
>
> Please be more specific. Please use specific source and destination addresses. I have no idea what "route 1" and "route 2" are.

The routes were specified above.

Current Setup

HQ
LAN1: 192.168.0.0/24; LAN2: 10.1.0.0/24

VPN (Metronet from ISP; Static routing in pfSense)
VPN Route 1: 10.1.0.252/24
VPN Route 2: 10.1.0.253/24

Branches (Route 1) - Static Routes
10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.13.0.0/24

Branches (Route 2) - Static Routes
10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/24, 10.12.0.0/24, 10.14.0.0/24
- 
 It still makes no sense. What is "Static routing network" and how does it work with the OpenVPN tunnels? I might need a picture. I don't immediately see the topology based on your description. See dig for a diagram with the sort of information that makes it easy for someone to help you. 
