Routing OpenVPN clients over IPSEC to secondary site, and reaching LAN at the same time



  • Hi.
    Have been searching the forums and have read quite a lot of useful posts, but haven't been able to sort out a working solution yet.

The problem boils down to getting OpenVPN clients to reach both a secondary site over IPSEC and the LAN of the pfSense.

    I have the following network topology set up:

    • pfSense v2.4.3-p1 with two NICs, one WAN and one LAN
    • pfSense LAN 10.112.0.1/24, and an official IP address on WAN
• OpenVPN clients get addresses in 10.251.16.0/24
    • IPSEC to secondary site with remote subnet 10.112.0.0/14

    This is working ATM:

    • OpenVPN clients (10.251.16.0/24) successfully connect to the firewall and can communicate with servers in LAN (10.112.0.1/24)
    • IPSEC is working and servers in LAN (10.112.0.1/24) can communicate with resources in secondary site (10.112.0.0/14)

To get OpenVPN clients to communicate over IPSEC to the secondary site I have found out that it's required to add another Phase 2 over the IPSEC tunnel. The problem arises when I add another Phase 2 to the IPSEC tunnel (Local subnet 10.251.16.0/24 and Remote Subnet 10.112.0.0/14). OpenVPN clients then lose connectivity to the LAN (10.112.0.1/24).

I really don't know what causes this. Could it be a routing problem because the secondary site (10.112.0.0/14) actually is a supernet where the LAN (10.112.0.1/24) has a defined class C subnet inside this supernet?

My suspicion is that traffic from OpenVPN clients to the LAN (10.112.0.1/24) hits the pfSense and, instead of being routed to the LAN, is sent over the IPSEC to the remote site.

    Is there any way to solve this using the existing network addresses or is the only option to redesign the LAN with another IP range?

    Thanks in advance.


  • LAYER 8 Global Moderator

Yeah, your overlap is going to be a huge problem. You need to change your LAN to not be inside that remote network.



• Thanks a lot for your answer @johnpoz.

    This clarifies my suspicion.

    Wish you a great Sunday!



• So I am having a similar issue. I have the following: 9 sites all connected via IPSEC VPN. These connections are working
    perfectly. The issue is that if I want an OpenVPN remote client to access the network, they can only see the LAN that they are connected to, i.e. the site they connected to. I have network resources at site A and B that they need to reach.

    site A: 10.3.0.0/20
    site B: 10.8.0.0/22
    openvpn: 10.2.1.0/24

OpenVPN clients connect to site B via RADIUS and two-factor auth. This works great and they can access the file server,
    but they can't access site A, where the mail server and remaining server services are.

I added the OpenVPN network to Phase 2 of site A's tunnel but it never seems to connect... Any ideas why?

Any help here would be great, thanks.



  • Hi @tsho_admin
To get routing working back to your OpenVPN clients you need to add the Phase 2 on both the site A and site B firewalls.

Site B also needs routing to 10.2.1.0/24. In addition to this you need to push routes for 10.3.0.0/20 and 10.8.0.0/22 to your OpenVPN clients.

    Good luck!



• OK, I understand that I need to add OpenVPN 10.2.1.0/24 to Phase 2 on site B, but what do I add to site A? The same IP range?
    Site A Phase 2 already has site B in it.



  • @tsho_admin
    Yes, you need to add 10.2.1.0/24 to the phase 2 on site A as well, so that the IPSEC tunnel is aware of the addresses for the OpenVPN network.
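As an added example (not code from this thread or from pfSense), a small Python model of the behaviour both threads run into. pfSense's IPsec is policy-based: a packet whose source and destination match a Phase 2 selector pair is sent into the tunnel before the routing table is consulted, which is why the overlapping Phase 2 in the first thread pulls OpenVPN-to-LAN traffic into the tunnel. The same helpers then list the Phase 2 pairs needed on each firewall and the OpenVPN push routes for the second thread. The addresses are the ones posted above; the first-match SPD behaviour and the renumbered LAN 10.200.0.0/24 used for the "after the fix" check are assumptions made for the demonstration.

```python
# Added example, not from the thread or from pfSense. Simplified model of
# policy-based IPsec: the first matching SPD (Phase 2) entry wins; only when
# no entry matches is the routing table (longest prefix) consulted.
from ipaddress import ip_address, ip_network


def spd_match(src, dst, phase2s):
    """Return the first Phase 2 (local, remote) selector pair matching src->dst, or None."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in phase2s:
        if s in ip_network(local, strict=False) and d in ip_network(remote, strict=False):
            return (local, remote)
    return None


def route_lookup(dst, routes):
    """Longest-prefix match over a routing table given as {prefix: interface}."""
    d = ip_address(dst)
    best = None
    for prefix, iface in routes.items():
        net = ip_network(prefix, strict=False)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def egress(src, dst, phase2s, routes):
    """Where the firewall sends a packet: the matching IPsec P2 if any, else the routed interface."""
    p2 = spd_match(src, dst, phase2s)
    if p2 is not None:
        return "ipsec %s->%s" % p2
    return route_lookup(dst, routes)


def captured_by_phase2(src_net, dst_net, phase2s):
    """P2 entries whose selectors overlap src_net -> dst_net, i.e. that would pull that traffic into IPsec."""
    s, d = ip_network(src_net, strict=False), ip_network(dst_net, strict=False)
    return [p for p in phase2s
            if ip_network(p[0], strict=False).overlaps(s) and ip_network(p[1], strict=False).overlaps(d)]


def phase2_for_openvpn(ovpn_net, remote_lans):
    """P2 pairs needed: (local=ovpn, remote=LAN) on the firewall terminating OpenVPN,
    and the mirror image (local=LAN, remote=ovpn) on each remote site's firewall."""
    here = [(ovpn_net, lan) for lan in remote_lans]
    there = [(lan, ovpn_net) for lan in remote_lans]
    return here, there


def openvpn_push_routes(remote_lans):
    """OpenVPN server 'push' lines so clients send remote-site traffic into the tunnel."""
    return ['push "route %s %s"' % (n.network_address, n.netmask)
            for n in (ip_network(r, strict=False) for r in remote_lans)]


# --- First thread: LAN 10.112.0.0/24 sits inside the remote 10.112.0.0/14 -----
ROUTES_1 = {"10.112.0.0/24": "lan", "10.251.16.0/24": "ovpns1", "0.0.0.0/0": "wan"}
P2_BEFORE = [("10.112.0.0/24", "10.112.0.0/14")]                 # LAN <-> secondary site
P2_AFTER = P2_BEFORE + [("10.251.16.0/24", "10.112.0.0/14")]     # extra P2 for OpenVPN clients

# Assumed renumbered LAN (not from the thread) to show why the moderator's advice works.
ROUTES_FIXED = {"10.200.0.0/24": "lan", "10.251.16.0/24": "ovpns1", "0.0.0.0/0": "wan"}
P2_FIXED = [("10.200.0.0/24", "10.112.0.0/14"), ("10.251.16.0/24", "10.112.0.0/14")]


def client_to_lan_before():
    return egress("10.251.16.10", "10.112.0.50", P2_BEFORE, ROUTES_1)   # reaches the LAN


def client_to_lan_after():
    return egress("10.251.16.10", "10.112.0.50", P2_AFTER, ROUTES_1)    # swallowed by IPsec


def client_to_lan_renumbered():
    return egress("10.251.16.10", "10.200.0.50", P2_FIXED, ROUTES_FIXED)  # reaches the LAN again


# --- Second thread: clients land on site B and also need site A --------------
SITE_A, SITE_B, OVPN = "10.3.0.0/20", "10.8.0.0/22", "10.2.1.0/24"

if __name__ == "__main__":
    print("before extra P2:", client_to_lan_before())
    print("after extra P2: ", client_to_lan_after())
    print("captured by:", captured_by_phase2("10.251.16.0/24", "10.112.0.0/24", P2_AFTER))
    print("LAN renumbered:", client_to_lan_renumbered())
    on_b, on_a = phase2_for_openvpn(OVPN, [SITE_A])
    print("P2 on site B:", on_b, "| P2 on site A:", on_a)
    print("\n".join(openvpn_push_routes([SITE_A, SITE_B])))
```

Running it shows the first thread's symptom directly: with only the LAN Phase 2, a client packet to 10.112.0.50 falls through to the routing table and lands on the LAN interface; once the 10.251.16.0/24 -> 10.112.0.0/14 Phase 2 exists, the same packet matches the SPD and goes into the tunnel, and no routing-table entry can override that. Moving the LAN out of the /14 removes the overlap. For the second thread, the push lines are the two routes the answer above says the clients need, and the mirrored Phase 2 pairs are what site A must carry so return traffic to 10.2.1.0/24 is selected into the tunnel.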

