Configure remote OpenVPN user client access to a remote network that is available over an IPsec site-to-site VPN
-
What is working :)
- Site to Site
- OpenVPN Clients to Pfsense A
What is not working :(
- OpenVPN clients, when connected to Pfsense A, cannot access the remote network on Pfsense B
- Machines on the Pfsense B network cannot access OpenVPN clients
I found another thread where someone had a similar issue. I added all the recommendations from that thread, although it had no resolved conclusion.
Hopefully this thread will serve as a well documented success for others with this scenario.
Here is the current layout:
For both Pfsense A and Pfsense B, I have noted an issue that arose while implementing all the suggestions from the other thread. There was a single issue on each Pfsense instance.
-
Well, I have just got it working. The solution may be very specific to my scenario.
First, I need to go through and test all the individual changes I made to ensure each one was needed, remove the cruft that was not needed, and I will post the final solution here thereafter.
What I had to do in this scenario was go to Pfsense A and go to the advanced settings of IPsec. From there:
"Auto-exclude LAN address": Enable bypass for LAN interface IP (exclude traffic from LAN subnet to LAN IP address from IPsec).
This box was checked by default.
I cleared it and traffic is now working both ways.
I suspect what mattered here was the fact that Pfsense A didn't have a LAN subnet, and the OpenVPN client subnet may have been seen as a LAN by this rule. I am sure one of the Pfsense developers could provide an explanation.
Now I just need to check all the routes, rules, Phase 2 parts to ensure they are needed.
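As an added example (not code from the original thread or from the pfSense project), the following Python script does the kind of check the last post talks about: given config.xml exports from the two firewalls, it verifies that the OpenVPN tunnel subnet sits inside a Phase 2 local selector on Pfsense A and inside a Phase 2 remote selector on Pfsense B, that Pfsense B's Phase 2 local network is pushed to OpenVPN clients on A, and that the "Auto-exclude LAN address" bypass is cleared on A. The config fragments are constructed for the example, and the element names (phase2/localid/remoteid with type/address/netbits, openvpn-server/tunnel_network/local_network, and ipsec/noshuntlaninterfaces as the stored form of the cleared bypass checkbox) are my assumption about the pfSense config.xml layout; verify them against a real export before relying on the result.

```python
"""Check that an OpenVPN remote-access tunnel subnet is carried across a pfSense
IPsec site-to-site tunnel. Added example; config fragments below are constructed."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed config.xml fragments for the two firewalls in the thread.
# ASSUMPTION: element names mirror pfSense's config.xml layout.
PFSENSE_A_CONFIG = """
<pfsense>
  <ipsec>
    <noshuntlaninterfaces></noshuntlaninterfaces>
    <phase2>
      <ikeid>1</ikeid><mode>tunnel</mode>
      <localid><type>network</type><address>10.8.0.0</address><netbits>24</netbits></localid>
      <remoteid><type>network</type><address>192.168.2.0</address><netbits>24</netbits></remoteid>
    </phase2>
  </ipsec>
  <openvpn>
    <openvpn-server>
      <vpnid>1</vpnid>
      <tunnel_network>10.8.0.0/24</tunnel_network>
      <local_network>192.168.2.0/24</local_network>
    </openvpn-server>
  </openvpn>
</pfsense>
"""

PFSENSE_B_CONFIG = """
<pfsense>
  <ipsec>
    <phase2>
      <ikeid>1</ikeid><mode>tunnel</mode>
      <localid><type>network</type><address>192.168.2.0</address><netbits>24</netbits></localid>
      <remoteid><type>network</type><address>10.8.0.0</address><netbits>24</netbits></remoteid>
    </phase2>
  </ipsec>
</pfsense>
"""

# Same as B, but the remote selector names a LAN subnet instead of the OpenVPN tunnel.
PFSENSE_B_MISSING_P2 = PFSENSE_B_CONFIG.replace(
    "<address>10.8.0.0</address>", "<address>192.168.1.0</address>")


def phase2_networks(config_xml, side):
    """Networks from every enabled <phase2>'s <localid> or <remoteid> (side)."""
    root = ET.fromstring(config_xml.strip())
    nets = []
    for p2 in root.iter("phase2"):
        if p2.find("disabled") is not None:  # pfSense marks disabled entries with an empty element
            continue
        ident = p2.find(side)
        if ident is None or ident.findtext("type") != "network":
            continue  # address/host selectors cannot carry a whole client subnet
        cidr = f'{ident.findtext("address")}/{ident.findtext("netbits")}'
        nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def openvpn_tunnel_networks(config_xml):
    """Tunnel networks of every OpenVPN server instance (the client subnet)."""
    root = ET.fromstring(config_xml.strip())
    return [ipaddress.ip_network(s.findtext("tunnel_network"), strict=False)
            for s in root.iter("openvpn-server") if s.findtext("tunnel_network")]


def openvpn_pushed_networks(config_xml):
    """Networks routed to clients via the server's comma-separated local_network field."""
    root = ET.fromstring(config_xml.strip())
    nets = []
    for s in root.iter("openvpn-server"):
        for item in (s.findtext("local_network") or "").split(","):
            if item.strip():
                nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets


def covered_by(net, selectors):
    """True if net is contained in at least one selector of the same IP version."""
    return any(net.subnet_of(sel) for sel in selectors if sel.version == net.version)


def auto_exclude_disabled(config_xml):
    """ASSUMPTION: the cleared 'Auto-exclude LAN address' box is stored as ipsec/noshuntlaninterfaces."""
    root = ET.fromstring(config_xml.strip())
    return root.find("ipsec/noshuntlaninterfaces") is not None


def check_site(config_a, config_b):
    """Named pass/fail checks for OpenVPN clients on A reaching B's network over IPsec."""
    results = {}
    for tun in openvpn_tunnel_networks(config_a):
        results[f"{tun} in A phase2 localid"] = covered_by(tun, phase2_networks(config_a, "localid"))
        results[f"{tun} in B phase2 remoteid"] = covered_by(tun, phase2_networks(config_b, "remoteid"))
    pushed = openvpn_pushed_networks(config_a)
    for net in phase2_networks(config_b, "localid"):
        results[f"{net} pushed to OpenVPN clients on A"] = covered_by(net, pushed)
    results["A auto-exclude LAN address disabled"] = auto_exclude_disabled(config_a)
    return results


if __name__ == "__main__":
    for label, cfg_b in (("B as posted", PFSENSE_B_CONFIG), ("B missing selector", PFSENSE_B_MISSING_P2)):
        print(label)
        for name, ok in check_site(PFSENSE_A_CONFIG, cfg_b).items():
            print(f"  [{'OK' if ok else 'FAIL'}] {name}")
```

Run it against `cat /cf/conf/config.xml` from each firewall (read into the two strings) to see which of the three requirements is unmet before touching routes or rules; a failed "B phase2 remoteid" check means traffic from the tunnel subnet never enters the IPsec SA on the return path, which matches the symptom of B's machines not reaching OpenVPN clients.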