mesh openvpn network doesn't route openvpn clients to remote networks



  • Hi. Routing issues here.

    I've got 6 sites. In a mesh openvpn setup. (I don't know if "mesh" is the word but its not a hub and spoke.) Each site opens a tunnel to every other site. Or listens for one. A simple /24 on each end point. With openvpn services enabled on all the endpoints that have a public IP with their own /24.

    Up till now, everyone offsite who wanted to see a resource in a site has just used an openvpn client to hit that particular location and read it locally (off the local LAN).

    And anyone at each of the physical locations has been able to route to the other end points.

    It's been working great for a few years.

    BUT....

    Two of those sites are located behind a non-public IP. So there is no way for an end user to openvpn connect to one of those servers to see my newly added resource behind it. The newly added resource being in-accessible to openvpn clients is now an issue.

    So it's time for me to solve the mystery of how-to-route for clients connecting to any of the vpn servers into any of the end points.

    I've read a bunch of docs and posts. Tried many things. But I'm nearing the danger level of trying config changes that will risk downtime. (None of these end points are even in the same state as I am.) I can't seem to google the right terms to find out how to do what I'm looking for. And the near guesses are leaving me in fear of breaking the routing that is there.

    Can someone give me a low down of where to add each of the other 5 remote subnets (and likely where to add the source subnet to the remote end) so that the traffic will route? Before i blow everything up trying to guess at this.

    I'm hoping this is just a thoroughly documented setup that I just can't find.

    Thanks!



  • Maybe that was too many details and too vague. Here it is broken down into a small version of what I'm asking in a classy mspaint picture.

    network.png

    Site A (10.0.1.0/24) can talk to Site B(10.0.2.0/24), and vice versa.
    OpenVPN clients (192.168.1.0/24) can talk to everything in Site A (10.0.1.0/24).
    OpenVPN clients (192.168.1.0/24) can not talk to anything on Site B (10.0.2.0/24).

    I want OpenVPN clients to talk to resources on Site B.

    I feel like the key is in the IPv4 Remote networks:

    Site A site2site server:
    0dd10ebb-f119-4d24-b862-c2e4d9663972-image.png

    Site B site2site client:
    69b8bc12-80e9-4066-835e-6208d481dde1-image.png

    Site A openvpn server:
    113de543-3f09-4caf-9444-8f51be523f12-image.png

    FYI - i did put in the Site B 10.0.2.0/24 into IPv4 Local network(s) at one point on the openvpn service (for mobile clients) and that did push a route to the openvpn mobile clients, it still didn't route traffic. I believe I'm missing something in Site B's networks.

    So, what should I add to what pfsense to get these to route correctly.



  • Well, i figured it out.

    I was doing the logical thing by adding the remote network to each side (Site B) and to the OpenVPN service (hosted on Site A). And that wasn't working.

    So I started messing around with the openvpn firewall. Turns out that you need an additional explicit route on the mobile client server config.

    Source: openvpn mobile client subnet (192.168.1.0/24 in this example)
    Destination: any

    Now the traffic routes. I'm sure that is documented somewhere but i couldn't come up with the right search phrase. I only figured it out with lucky guesses.

    Now those lucky bastards on OpenVPN Client can see the network resources on Site B. (And much more since this is a mesh setup.)


Log in to reply