Site to Site VPN with client routing.



  • Home 172.16.10.x/24
    DC1 10.0.1.x/24
    DC2 172.16.40.x/24

    OK, so I have pfSense in these locations, and they are all connected via site-to-site to home. I also have a client-side VPN that I can use from my laptop. Here is what I'm trying to figure out: I would like to connect to DC1 and then access resources at the home DC. So the connection would look like

    Laptop > DC1 > Home resource.

    My VPN knows to carry it over the tunnel based on traceroute but it seems like the firewall doesn't know what to do with it.

    Any help would be appreciated.



  • My VPN knows to carry it over the tunnel based on traceroute but it seems like the firewall doesn't know what to do with it.

    So you are seeing drops in your firewall log? Can you show us some?



  • I am running into the same issue

    Site A: 10.0.1.0/24
    Site B: 10.4.1.0/24
    Clients: 10.2.0.0/24

    Setup:
    Clients <--> Site B <--> Site A

    Site B <--> Site A is working perfectly in both directions
    Clients --> Site B is working
    Clients can NOT access Site A resources at all

    From an OpenVPN policy perspective I have any to any on any address allowed (that should be fully open across the board, correct?)
    From an OpenVPN configuration perspective I have tried both with and without pushing routes for Site A (neither works)

    I have a feeling I am missing something simple, just not sure what it is. Any thoughts? Or any recommendations on specific logging to look for?



  • Sounds like you are missing a route on the Site A device to the client subnet. The Site A device needs to be explicitly told to route the client subnet out via the VPN to Site B; otherwise it will send the packets out the default route of the Site A firewall, aka not the correct tunnel. Also, I take it "route print" on the clients shows the Site A subnet as being via the VPN interface?
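    Added example (not from anyone in this thread) of what the missing route looks like in plain OpenVPN configuration, using the subnets from the post above. The tunnel mode (peer-to-peer tun), which end of the site-to-site link acts as server, and the pfSense field names are assumptions.

    ```conf
    # --- Site B: remote-access OpenVPN server that hands out 10.2.0.0/24 ---
    # Clients learn that Site A's LAN is reachable through this tunnel.
    server 10.2.0.0 255.255.255.0
    push "route 10.4.1.0 255.255.255.0"   # Site B LAN
    push "route 10.0.1.0 255.255.255.0"   # Site A LAN (two hops away, via the site-to-site tunnel)

    # --- Site B: site-to-site instance towards Site A (peer-to-peer, tun) ---
    # Site B already owns 10.2.0.0/24 locally, so it only needs Site A's LAN here.
    route 10.0.1.0 255.255.255.0

    # --- Site A: site-to-site instance towards Site B (peer-to-peer, tun) ---
    # Without the second route, replies to 10.2.0.0/24 leave via Site A's default
    # gateway (the WAN) and never make it back to the clients.
    route 10.4.1.0 255.255.255.0          # Site B LAN
    route 10.2.0.0 255.255.255.0          # client subnet behind Site B (the missing piece)

    # If the site-to-site link runs in server mode on Site A instead, the kernel
    # route alone is not enough: OpenVPN also has to learn which peer owns the
    # subnet, via a client-config-dir file for the Site B peer containing:
    #   iroute 10.2.0.0 255.255.255.0
    ```

    In the pfSense GUI these route lines correspond to the "IPv4 Remote network(s)" field of the OpenVPN instance (add 10.2.0.0/24 on the Site A end), and the firewall rules on Site A's OpenVPN interface must also permit traffic from 10.2.0.0/24 to 10.0.1.0/24.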



  • Thank you  8)