OpenVPN (tun) _ Routing?



  • Hello All

    I've, hopefully a little, Issue. At the moment i don't have any Ideas anymore how to resolve. Maybe you can help me.
    In the Image you see my Setup. My Issue is that the OpenVPN Users can't reach the other Network (192.168.168.0/24). If I do a tracert it will be stopped at 10.125.39.1 (the pfSense in the Tunnel). I've tried a lot with push route, etc. But nothing helped.

    Can you help me?

    Thank you very much!



  • Looks like you've 2 gateways in the network 192.168.168.0/24 and I guess pfSense is not the default gateway. Right?

    If it isn't, you will need static routes on the LAN devices to direct responses to vpn clients back to pfSense. Otherwise they are sent to the default GW. Or you do SNAT on pfSense, that would be easier to set up, but has also drawbacks.

    Why do you force all client traffic over the vpn?



  • Yes, together with the pfSense there are two GWs on the Network, but the pfSense is not in use. So the Default one is the SonicWall one (166.3).
    I've created Routes on the pfSense, but this was not helping. What's about SNAT on the pfSense? We're needing the pfSense just for the People Outside for the VPN - for nothing other. So why not?

    Force all traffic was just a test, it is not needed if I can resolve the thing with the 2 VPN Networks.



  • The routes have to be set on LAN devices you want to access from remote, not on pfSense.

    If you do SNAT pfSene translates the source address of packets from a vpn client to its own LAN address. So response packets from the LAN devices are sent back to pfSense without the need of static routes.
    The drawback here is that you're not able to determine the real vpn client on the destination device.

    To set up SNAT go to Firewall > NAT > Outbound. Set the mode to "hybrid" (guessing it's still at automatic) and save that.
    Add a new rule:
    Interface: LAN (or that one which faces to the dest. device)
    source: 10.125.39.0/24 (vpn tunnel)
    dest: any
    Translation address: interface address
    Enter a description and save it.



  • This is working, yes. Thank you.

    But I'm correct, only when I enable "Force all client-generated IPv4 traffic through the tunnel." because else, my external Device which connects over OpenVPN routes the Ping or Tracert for the other Network to the local WAN/Router where the external Device is based and not over the tunnel.



  • Maybe that's an issue of Viscosity.

    Usually the routes are pushed to the client when you enter the local network (192.168.168.0/24) in the "IPv4 local networks" box on the server settings tab.



  • okay, i'll check that again.

    Little other thing which i've frogot, but I think something similar.
    The CEO has a Site to Site at Home to the SonicWall. The second goal will be that we can use the OpenVPN Tunnel and he can reach stuff at home. It has something to do on the pfSense, because at the moment he can reach stuff from home in the office at both network and vice versa - so the tunnel it self and that routing is correctly.

    With your Help, i've tried the following.
    Added Outgoing NAT Rule before the Rule which i've added with your help.

    Interface = LAN
    Source = 10.125..39.0/0 (VPN Tunnel)
    Dest = 192.168.146.0/24 (Home of CEO)
    Translation Address = 192.168.166.3/32 (SonicWall LAN IP)

    But when I do a tracert, pfSense is routing the Request to the WAN and it wants to go outside.



  • The translation address has to be the address of the pfSense interface which faces to the SonicWall.
    If it is a separate interface, so just set it to "interface address" again.



  • So i can use the Interface Address because the LAN Interface (166.4) is on the same LAN then the SonicWall IP (166.3).
    And i can delete this seperate Rule, because it would be the same has the before with your Help (with the Dest = any). But atm pfSense is routing this request outside (over WAN).



  • Yeah, you will also need a static route on pfSense for the CEOs home.

    In System > Routing add the SonicWall IP facing to pfSense as gateway. Then add a static route for the CEOs home network pointing to this gateway.

    You will also have to add the CEOs home network to "Local networks" in the OpenVPN server settings if you uncheck "redirect gateway", of course.
    If only the CEO should be able to access that network add a CSO for him and allow the access for his vpn IP in a firewall rule.



  • Perfect  :) It is working everything now. THANK YOU.

    About the Thing with "Force all client-generated IPv4 traffic through the tunnel." Is also fixed, i've forgot to enter every Network on the other Side (those two Office LAN and CEO LAN). When I've done that, it was working without checked "Force all client-generated IPv4 traffic through the tunnel."

    Thank you.

    // COLSE


Log in to reply