OpenVPN Routing Advice Needed

  • Hello! I have a VPN client (lets call it client A) that connects to my VPN server with every other client. Client A is special because its traffic needs to exit through another client connected to the same OpenVPN server server (this client is another pfSense machine and we shall call it client B).

    I tried a policy routing rule for the traffic from client A to go through a gateway that is client B. The problem was that my VPN server had the default route out the server's WAN not client B's WAN. When client A connected it couldn't get to the Internet at all.

    I went ahead and setup a second VPN server on the same pfSense box and resetup client A and client B on the new server instance (to clarify client B is now connected to both VPNs). I had client A set to policy route to client B then out client B's WAN. It kinda worked. UDP and ICMP worked but not TCP. I was getting a lot of TCP:SA blocks in the firewall logs. I tried to fix this by enabling bypass firewall on same interface but it didn't help.

    Anyone have an idea how to fix this or a better way to accomplish this?

  • Hi,

    i have this problems too. Routing between different ovpn tunnels is not that easy. I saw some old posts, where the solution posted was to assign an interface to the tunnel and direct the traffic with policy routing into the next tunnel. Didnt try that, but i think you should give that a try. Pls report back.

  • @pete35 I did give that a try. I can assign the VPN and interface on the server and make a policy route on the server for client A to client B then on client B for client A to WAN. This is how I am getting ICMP and UDP to work. I just can't get TCP. I think it has to do with asymmetric routing with client B being connected to two VPNs on the same physical server.

  • Apart from that, you also have to add an outbound NAT rule for packets coming from client A and going into the tunnel for client B.
    Firewall > NAT > outbound

    Ensure that your outbound NAT is in hybrid or manual mode.
    Add a new rule:
    interface: that one you've assigned to the server which client B connects to
    source: tunnel network of A
    destination: any
    translation: interface address

  • @viragomann I have a NATrule on client B that anything coming from a private IP leaving the WAN will be natted to it's WAN IP. I went ahead and tried your suggestion in case but no change. I just come from a different IP in the subnet.

  • You need both NAT rules, that one on client B and that one on the server.

    Alternatively to that NAT rule I suggested above, you can push the route to the tunnel of client A to client B by adding the tunnel network to the "IP local network/s" in the server settings.

  • @viragomann When I added the NAT rule you suggested I left the other NAT rule. It didn't help. I took a look at the routing rules and eventhing is correct. Both now have the explicit routing rule but no change.

Log in to reply