OpenVPN site-to-site routing question



  • I have successfully configured a site-to-site VPN using OpenVPN with TLS.  Both sides can reach the other's LAN so all is good there.

    The server side of this configuration lives in a data center and our cloud provider is configured to only allow management connections (SSH, etc.) from the data center's IP.  So I'd like to route traffic destined for our cloud provider through the tunnel so the remote office can access our cloud infrastructure.

    I added push "route XXX.XXX.0.0 255.255.0.0" (the subnet of our region) to the Client Specific Override and that seems to work - if I open a shell on the client pfSense box, "netstat -rn" shows me the proper route through the tunnel.  And, further confirming that it is working, I can ssh from the client pfSense box to our cloud provider!

    BUT… clients on the client-side LAN cannot reach the cloud provider.  I don't see any firewall log entries on either side and a packet capture shows their traffic going through the tunnel but no connection can be made.

    What other routing do I need to add to make this work?

    Thank you!



  • A site-to-site connection neither needs a client specific override nor a "push route" command, rather an iroute command. Pushing routes only makes sense on an access server and a CSO only if you have multiple client connections.

    Just add the cloud IP to the "remote networks" in the client settings.
    If the cloud has no route back to the client's LAN, you have to set an S-NAT rule on the server side for the client-cloud connection.
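
    The advice above, written out as raw OpenVPN and pf configuration (an added illustration, not the posters' own configs). All addresses are constructed placeholders: tunnel 10.8.0.0/24, remote office LAN 192.168.20.0/24, data-center WAN address 203.0.113.10, and 198.51.100.0/24 standing in for the cloud region's XXX.XXX.0.0/16.

```conf
# --- OpenVPN server, data-center side (site-to-site, TLS) ---
# Constructed example; addresses are placeholders, not the original poster's.
dev tun
server 10.8.0.0 255.255.255.0
client-config-dir /var/etc/openvpn/ccd
# Kernel route: the remote office LAN is reachable via the tunnel.
route 192.168.20.0 255.255.255.0

# --- ccd/<client-certificate-CN> on the server ---
# iroute tells the OpenVPN process itself which peer owns 192.168.20.0/24.
# The kernel route above is not enough on its own: without iroute OpenVPN
# does not know where to deliver packets for that LAN. This is what
# pfSense generates from the server's "Remote Networks" field.
iroute 192.168.20.0 255.255.255.0

# --- OpenVPN client, remote office side ---
# A plain route, not a pushed one or a CSO: the office sends the cloud
# region into the tunnel. This is the client's "Remote Networks" field.
route 198.51.100.0 255.255.255.0   # placeholder for the XXX.XXX.0.0/16 region

# --- pf on the server's WAN (em0): the "S-NAT" / outbound NAT piece ---
# The cloud provider only knows the data-center WAN address and has no
# route back to 192.168.20.0/24. Packets from office hosts arrive at the
# cloud with a source address it cannot answer, so the TCP handshake
# stalls although a capture shows the traffic crossing the tunnel.
# Rewriting the source to the WAN address fixes the return path.
nat on em0 inet from 192.168.20.0/24 to 198.51.100.0/24 -> 203.0.113.10
```

    The firewall's own SSH test in the first post succeeds because it sources from the tunnel address rather than from an office LAN host, so it never hits the missing return route.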



  • @viragomann:

    If the cloud has no route back to the client's LAN, you have to set an S-NAT rule on the server side for the client-cloud connection.

    Ah ha!  This was the missing piece.  I added an outbound NAT rule for the remote LAN on the WAN interface and that completed the route.

    Thanks!

