OpenVPN Site to Site Routing



  • Hi there,

    I'm basically trying to set up two site to site VPNs to the main network. I think it's probably a routing problem, but I have tried working it out for a few hours now and I'm not making any progress.

    I have the following setup:

    main network (192.168.190.0/24)
    site 1 (192.168.1.0/24)
    site 2 (192.168.2.0/24)

    It basically looks like this.

    client1                                                                                                 client3
      |                                                                                                       |
    pfsense (site1) -> tunnel (10.0.7.0/24) -> pfsense (main) <- tunnel (10.0.6.0/24) <- gateway (site2) <- pfsense (site2)
      |                                                                                                       |
    client2                                                                                                 client4

    I've set up two shared key site to site VPNs on the main pfsense and can connect to both of those with both sites respectively.

    Everything works as expected on site1: client 1 and 2 can access the main network.

    However, on site2 the clients can't access the main network. I can ping the main network from the pfsense box on site2, but the clients can't. The setup is exactly the same as on site1 (except the different tunnel network and remote network on the VPN server, obviously).
    I assume this is some issue with routing and having another gateway in between the tunnel and the pfsense as this is the only difference between the sites?

    I would really appreciate it if someone could help me out here or point me in the right direction.



  • @tehmischi:

    I assume this is some issue with routing and having another gateway in between the tunnel and the pfsense as this is the only difference between the sites?

    Another default gateway as the VPN endpoint. (Why?)

    If the setup should stay like this, you can get it to work by adding a static route for the main office network to the site 2 clients.
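
The static-route suggestion above, worked through as an added example that is not part of the original thread: a longest-prefix-match lookup on a site 2 client's routing table, before and after the route for 192.168.190.0/24 is added. The gateway, pfSense and host addresses are constructed, and the sketch assumes the clients' default gateway is the other router rather than the pfSense box.

```python
import ipaddress

MAIN_NET = ipaddress.ip_network("192.168.190.0/24")  # main network, from the thread
SITE2_LAN = ipaddress.ip_network("192.168.2.0/24")   # site 2 LAN, from the thread
# Constructed addresses (not given in the thread):
SITE2_GATEWAY = "192.168.2.1"    # assumed default gateway of the site 2 clients
SITE2_PFSENSE = "192.168.2.254"  # assumed LAN address of the site 2 pfSense


def next_hop(routes, destination):
    """Longest-prefix match: return the next hop for destination, or None."""
    dest = ipaddress.ip_address(destination)
    matches = [(net, hop) for net, hop in routes if dest in net]
    if not matches:
        return None
    # The most specific (longest) matching prefix wins.
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def client_routes(static_route=False):
    """Routing table of a site 2 client, with or without the static route."""
    routes = [
        (SITE2_LAN, "on-link"),
        (ipaddress.ip_network("0.0.0.0/0"), SITE2_GATEWAY),
    ]
    if static_route:
        routes.append((MAIN_NET, SITE2_PFSENSE))
    return routes


def reaches_tunnel(routes, destination):
    """True if traffic to destination is handed to the VPN endpoint."""
    return next_hop(routes, destination) == SITE2_PFSENSE


if __name__ == "__main__":
    target = "192.168.190.10"  # constructed host on the main network
    for static in (False, True):
        hop = next_hop(client_routes(static), target)
        print(f"static route={static}: {target} -> next hop {hop}")
```

Without the static route the packet for the main network follows the default route to the other gateway and never reaches the tunnel; with it, only traffic for 192.168.190.0/24 is redirected to the pfSense and everything else still uses the default gateway.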


  • Netgate

    One of the nice things about OpenVPN is that clients can be behind other routers with generally no problems.

    If the tunnel is coming up and the site2 pfSense has a route for 192.168.190.0/24 into the ovpncX interface, then that is configured correctly.

    If that is the case I would check the firewall rules for OpenVPN at main to be sure they pass the traffic.

    If they do I would check the firewalls on the main hosts themselves to be sure they are not blocking the traffic.