Netgate Discussion Forum

    mesh openvpn network doesn't route openvpn clients to remote networks

    Category: Routing and Multi WAN. 3 posts, 1 poster, 233 views.
    tedly:

      Hi. Routing issues here.

      I've got 6 sites in a mesh OpenVPN setup. (I don't know if "mesh" is the word, but it's not hub and spoke.) Each site opens a tunnel to every other site, or listens for one. A simple /24 on each endpoint. OpenVPN services are enabled on all the endpoints that have a public IP, each with its own /24.

      Up till now, everyone offsite who wanted to see a resource in a site has just used an openvpn client to hit that particular location and read it locally (off the local LAN).

      And anyone at each of the physical locations has been able to route to the other end points.

      It's been working great for a few years.

      BUT....

      Two of those sites are located behind a non-public IP. So there is no way for an end user to OpenVPN connect to one of those servers to see my newly added resource behind it. The newly added resource being inaccessible to OpenVPN clients is now an issue.

      So it's time for me to solve the mystery of how-to-route for clients connecting to any of the vpn servers into any of the end points.

      I've read a bunch of docs and posts. Tried many things. But I'm nearing the danger level of trying config changes that will risk downtime. (None of these end points are even in the same state as I am.) I can't seem to google the right terms to find out how to do what I'm looking for. And the near guesses are leaving me in fear of breaking the routing that is there.

      Can someone give me a lowdown of where to add each of the other 5 remote subnets (and likely where to add the source subnet on the remote end) so that the traffic will route? Before I blow everything up trying to guess at this.

      I'm hoping this is just a thoroughly documented setup that I just can't find.

      Thanks!

      tedly:

        Maybe that was too many details and too vague. Here it is broken down into a small version of what I'm asking, in a classy MS Paint picture.

        [image: network.png]

        Site A (10.0.1.0/24) can talk to Site B(10.0.2.0/24), and vice versa.
        OpenVPN clients (192.168.1.0/24) can talk to everything in Site A (10.0.1.0/24).
        OpenVPN clients (192.168.1.0/24) can not talk to anything on Site B (10.0.2.0/24).

        I want OpenVPN clients to talk to resources on Site B.

        I feel like the key is in the IPv4 Remote networks:

        Site A site2site server:
        [screenshot of the site2site server settings]

        Site B site2site client:
        [screenshot of the site2site client settings]

        Site A OpenVPN server:
        [screenshot of the mobile-client server settings]

        FYI, I did put Site B's 10.0.2.0/24 into IPv4 Local network(s) at one point on the OpenVPN service (for mobile clients), and that did push a route to the OpenVPN mobile clients, but it still didn't route traffic. I believe I'm missing something in Site B's networks.

        So, what should I add to which pfSense to get these to route correctly?

        tedly:

          Well, I figured it out.

          I was doing the logical thing by adding the remote network to each side (Site B) and to the OpenVPN service (hosted on Site A). And that wasn't working.

          So I started messing around with the OpenVPN firewall. Turns out that you need an additional explicit route on the mobile client server config.

          Source: OpenVPN mobile client subnet (192.168.1.0/24 in this example)
          Destination: any

          Now the traffic routes. I'm sure that is documented somewhere, but I couldn't come up with the right search phrase. I only figured it out with lucky guesses.

          Now those lucky bastards on the OpenVPN client can see the network resources on Site B. (And much more, since this is a mesh setup.)

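The second post asks which "IPv4 Remote network(s)" / "IPv4 Local network(s)" fields need which subnets, and the third post finds that the missing piece was an entry on the OpenVPN firewall tab with the mobile client subnet as source. The script below, an added example that is not from the thread or from pfSense, ties the two together for the topology in the diagram (Site A 10.0.1.0/24, Site B 10.0.2.0/24, mobile clients 192.168.1.0/24) and generalizes it to a full mesh of any size with a mobile-client server homed at one site. The function names and the rendered rule text are assumptions for illustration; what is grounded is the mapping pfSense uses, "IPv4 Remote network(s)" to OpenVPN `route` directives, "IPv4 Local network(s)" on a server to `push "route ..."` directives, and the fact that traffic arriving over a tunnel is filtered by the rules on the OpenVPN tab of every pfSense it enters, so both the hosting site and the target site must pass the client subnet.

```python
"""Worked example (added, not from the thread): what each pfSense/OpenVPN
instance in a full mesh must carry so that mobile clients homed at one site
can reach every other site.  Site letters and subnets come from the post's
diagram; helper names and rule text are assumptions for illustration."""
from ipaddress import IPv4Network
from typing import Dict, List

# Constructed topology from the post: two sites in a mesh, mobile-client
# server hosted at Site A handing out 192.168.1.0/24.
SITES: Dict[str, str] = {"A": "10.0.1.0/24", "B": "10.0.2.0/24"}
MOBILE: Dict[str, str] = {"A": "192.168.1.0/24"}  # site -> its mobile-client tunnel net


def cidr_to_route(net: str) -> str:
    """OpenVPN 'route' directive: what pfSense emits for each entry in a
    tunnel's 'IPv4 Remote network(s)' field."""
    n = IPv4Network(net)
    return f"route {n.network_address} {n.netmask}"


def cidr_to_push(net: str) -> str:
    """OpenVPN 'push route' directive: what a pfSense server emits for each
    entry in 'IPv4 Local network(s)'."""
    n = IPv4Network(net)
    return f'push "route {n.network_address} {n.netmask}"'


def networks_homed_at(site: str, sites: Dict[str, str], mobile: Dict[str, str]) -> List[str]:
    """Everything that lives behind one site: its LAN plus any mobile-client
    subnet whose server it hosts.  Peers need a return route for all of it,
    which is the part the second post suspected was missing on Site B."""
    nets = [sites[site]]
    if site in mobile:
        nets.append(mobile[site])
    return nets


def tunnel_remote_networks(local: str, peer: str, sites: Dict[str, str],
                           mobile: Dict[str, str]) -> List[str]:
    """'IPv4 Remote network(s)' on the tunnel from `local` to `peer`.  In a
    full mesh every pair has a direct tunnel, so only the peer's own networks
    belong here; transit through a third site would need that site's too."""
    return networks_homed_at(peer, sites, mobile)


def mobile_server_local_networks(host: str, sites: Dict[str, str]) -> List[str]:
    """'IPv4 Local network(s)' on the mobile-client server at `host`: every
    site LAN, so clients get a route pushed for all of them."""
    return [sites[s] for s in sorted(sites)]


def openvpn_pass_rule(src: str) -> str:
    """Approximation (assumed text) of the pf rule pfSense builds from a
    Firewall > Rules > OpenVPN tab entry 'pass, source <src>, destination
    any'.  'openvpn' is the interface group pfSense uses for all instances."""
    return f"pass in quick on openvpn inet from {src} to any keep state"


def client_to_site_checklist(host: str, target: str, sites: Dict[str, str],
                             mobile: Dict[str, str]) -> Dict[str, List[str]]:
    """Everything needed for mobile clients homed at `host` to reach `target`,
    keyed by the pfSense box and screen where the setting lives.  Routing is
    the first three entries; the last two are the firewall pass rules that the
    third post found were the missing piece."""
    client_net = mobile[host]
    return {
        f"pfSense {host} / mobile server": [cidr_to_push(sites[target])],
        f"pfSense {host} / tunnel to {target}": [
            cidr_to_route(n) for n in tunnel_remote_networks(host, target, sites, mobile)],
        f"pfSense {target} / tunnel to {host}": [
            cidr_to_route(n) for n in tunnel_remote_networks(target, host, sites, mobile)],
        f"pfSense {host} / OpenVPN rules": [openvpn_pass_rule(client_net)],
        f"pfSense {target} / OpenVPN rules": [openvpn_pass_rule(client_net)],
    }


if __name__ == "__main__":
    for where, items in client_to_site_checklist("A", "B", SITES, MOBILE).items():
        print(where)
        for item in items:
            print("   ", item)
```

Running it for A and B prints, for Site B's tunnel back to Site A, both `route 10.0.1.0 255.255.255.0` and `route 192.168.1.0 255.255.255.0`; without the second line Site B has no return path for client traffic even when Site A routes it correctly. Extending SITES to six entries gives the per-tunnel lists for the full mesh, and the pass rules make the point that an "any to any" rule on the OpenVPN tab, which many installs already have, is what lets the client subnet through at the far end.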