OpenVPN - Gateways on server are not used

hebein

Hello,
I have installed a OpenVPN client on my laptop.
I can perfectly connect to the server and access all IPs on the server side LAN, exept one: For a special IP, I have installed a Gateway on my Sg-5100.
Traffic for this special IP is routed to the Gateway.

I added to the client's config that special IP, but I cannot neither reach that IP, nor can I ping the IP of the gateway from my client. In the Serverside LAN everything works fine.

In the config of the server there is set:
IPv4 Local network(s): 10.139.0.0/16,10.200.136.82/32
where 10.200.136.82 is the special IP I need for special purposes.

Anyone any idea what is wrong here?

Regards,
Gunther

viragomann

Would you provide a drawing of you network? Don't get which role has the SG and the gateway in your set up.

hebein

![alt text]( Skizze (5).png image url)

viragomann

So the special IP you mentioned above as 10.200.136.82 is the 10.200.x.y in your drawing?
And the corresponding gateway is 10.139.1.20/32?
The device won't communicate with that gateway since it is not in it's network range. So network settings on these devices?

hebein

Hi, these are the settings. Works good on local network, but not on Client connected via openVPN.
The adress 10.200.136.82 is a router from an external provider, where we have to route some "special" traffic.

Unbenannt.1.JPG

viragomann

To get it right, is there only one pfSense or is 10.139.13.20 a second one to connect that router?
Does the router use a special upstream gateway or goes its default route over the pfSense providing the OpenVPN server?

hebein

there is only one pfsense in this network, the 10.139.13.20 ist the adress of the router. it is in the LAN. so there is a route in pfsense with traffic for destination 100... nexthop 10.139.13.20.
Works well for traffic to 100... in the LAN, but not for traffic that comes from my laptop via OpenVPN.
can it be, that traffic via openvpn is directly sent to the lan, without checking/seeing pfsense the route entry to hop traffic for 100... to 10.139.13.20?

viragomann

No, the static route is applied to the OpenVPN traffic as well.

But the providers router may not have a route for the OpenVPN tunnel network. So I guess, its default route is not passing pfSense?
If that's the case, you either have to add a route for the tunnel network to it, pointing to pfSense or do NAT on pfSense for traffic the the network behind the router.
Another reason may be that access from the VPN tunnel is blocked. This can also be circumvented by NAT.