pfSense 2.4.4 with OpenVPN



  • Hi,
    Currently we have a pfSense firewall, 2.4.4-RELEASE-p3. It's been running for a few weeks now without any problems, and we have also installed and configured OpenVPN without any issues.
    We have IPsec site-to-site tunnels to another 9 sites.
    At the moment, when I connect via OpenVPN I can only access resources on the local subnet.
    In the OpenVPN server settings we have the local subnet of 172.16.2.0, but we have also added in various subnets at other sites that we need to access via the VPN.
    I cannot access these subnets, though.
    I have tried adding the IPv4 tunnel network used by the VPN to the IPsec tunnels' P2 settings for each site it needs to get to, but this has made no difference.
    Also, on the OpenVPN rules we have at the moment the default rule created when OpenVPN was configured.
    Where should I be making changes to get the VPN routing working? Is it the P2 settings for each tunnel, the OpenVPN firewall rules, or both of the above?
    Any help to point me in the right direction is much appreciated.
    Thanks



  • So if I understand you correctly, you want to access a subnet behind an IPsec VPN from the OpenVPN clients' subnet, right?

    An explanation would be clearer if you tell us the concrete subnets.



  • Hi,
    Yes, that's correct.
    The OpenVPN client (network 192.168.91.0/24) connects okay to the LAN (172.16.2.0/24) of that pfSense server.
    We have IPsec tunnels between other sites, and I need this VPN client to access resources at some of the other sites.
    I have added the OpenVPN tunnel network (192.168.91.0/24) on the IPsec tunnel on the London pfSense to our Worthing LAN (10.190.36.0/24).
    And in the OpenVPN server settings it also has that Worthing LAN as one of the IPv4 networks accessible.
    The OpenVPN firewall rule in place at the moment is the default rule created when using the OpenVPN wizard: allow any port and source to any destination and port (all protocols).

    Is there something else I am missing?



  • In the OpenVPN server settings you have to add all the remote networks (the ones behind the IPsec VPNs) to the "Local Networks" and ensure that the client pulls routes.

    In the IPsec settings on pfSense and at the remote site you have to add a phase 2 for each remote network. On the local pfSense you put the OpenVPN tunnel network in the local network box and the remote subnet in the remote box. On the remote device you set the networks the other way round.

    Also consider that the computers' firewalls may block access from remote networks by default, so you will have to add rules to allow that access.



  • Hi, thanks. Yeah, I had done all of that and it wasn't working. However, in the OpenVPN server advanced configuration I added a push route for 10.190.36.0 255.255.255.0, and now I am able to communicate with resources on the Worthing LAN.
    So I am guessing this was the missing link.
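The two replies above describe four separate hops that a packet from an OpenVPN road-warrior client has to clear before it reaches a LAN behind a site-to-site IPsec tunnel: the client needs a route into the tunnel (the `push "route 10.190.36.0 255.255.255.0"` directive the last post added by hand, which is the same directive pfSense normally generates from the "IPv4 Local network(s)" field), the OpenVPN interface rule must pass it, the local pfSense needs a phase 2 whose selectors cover tunnel network to remote LAN, and the far end needs the mirror phase 2. The script below is an added example, not code from the thread or from pfSense; it models those hops with the subnets quoted in the thread and reports which one would drop the packet. The "London"/"Worthing" site names, the phase 2 selector pairs and the client and destination addresses are assumptions made for the example.

```python
# Added example (not from the original thread or from pfSense): a small model
# of the hops an OpenVPN road-warrior packet must clear to reach a LAN behind
# an IPsec site-to-site tunnel. Subnets are the ones quoted in the thread; the
# phase 2 selectors, site names and host addresses are assumptions.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List


@dataclass
class Phase2:
    """One IPsec phase 2 (child SA) selector pair, as seen from the box it is configured on."""
    local: IPv4Network
    remote: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        # A packet only enters this SA when source and destination both fit the selectors.
        return src in self.local and dst in self.remote


@dataclass
class OpenVpnServer:
    tunnel_net: IPv4Network              # "IPv4 Tunnel Network"
    pushed_routes: List[IPv4Network]     # what the client receives via push "route ..."
    firewall_allows: bool = True         # the wizard's any/any rule on the OpenVPN tab


@dataclass
class Site:
    name: str
    phase2: List[Phase2] = field(default_factory=list)


def trace(client: str, dst: str, server: OpenVpnServer, hub: Site, spoke: Site) -> List[str]:
    """Return the hops that would drop a packet from the OpenVPN client to dst.
    An empty list means every hop is satisfied."""
    src_ip, dst_ip = ip_address(client), ip_address(dst)
    problems: List[str] = []

    if src_ip not in server.tunnel_net:
        problems.append(f"{src_ip} is not inside the tunnel network {server.tunnel_net}")

    # 1. The client must know to send the packet into the tunnel at all.
    if not any(dst_ip in net for net in server.pushed_routes):
        problems.append(f"client has no pushed route covering {dst_ip}; "
                        "traffic leaves via its default gateway")

    # 2. The OpenVPN interface firewall rule must pass it.
    if not server.firewall_allows:
        problems.append("OpenVPN firewall rule blocks the traffic")

    # 3. The local pfSense needs a phase 2 covering tunnel network -> remote LAN.
    if not any(p2.matches(src_ip, dst_ip) for p2 in hub.phase2):
        problems.append(f"{hub.name}: no phase 2 with local selector covering {src_ip} "
                        f"and remote selector covering {dst_ip}")

    # 4. The far end needs the mirror image, or it has no SA for the reply.
    if not any(p2.matches(dst_ip, src_ip) for p2 in spoke.phase2):
        problems.append(f"{spoke.name}: no phase 2 with local selector covering {dst_ip} "
                        f"and remote selector covering {src_ip}")

    return problems


TUNNEL = ip_network("192.168.91.0/24")        # OpenVPN tunnel network from the thread
LONDON_LAN = ip_network("172.16.2.0/24")      # local LAN from the thread
WORTHING_LAN = ip_network("10.190.36.0/24")   # remote LAN from the thread


def _sites():
    # Assumed phase 2 pairs: the original LAN-to-LAN entries plus the tunnel network entries.
    london = Site("London", [Phase2(LONDON_LAN, WORTHING_LAN), Phase2(TUNNEL, WORTHING_LAN)])
    worthing = Site("Worthing", [Phase2(WORTHING_LAN, LONDON_LAN), Phase2(WORTHING_LAN, TUNNEL)])
    return london, worthing


def before_fix() -> List[str]:
    """Tunnel network added to both phase 2s, but only the local LAN is pushed to the client."""
    london, worthing = _sites()
    server = OpenVpnServer(TUNNEL, pushed_routes=[LONDON_LAN])
    return trace("192.168.91.6", "10.190.36.20", server, london, worthing)


def after_fix() -> List[str]:
    """Same tunnels, plus push "route 10.190.36.0 255.255.255.0" on the server."""
    london, worthing = _sites()
    server = OpenVpnServer(TUNNEL, pushed_routes=[LONDON_LAN, WORTHING_LAN])
    return trace("192.168.91.6", "10.190.36.20", server, london, worthing)


def missing_spoke_p2() -> List[str]:
    """Route pushed and London phase 2 present, but Worthing never got the mirror phase 2."""
    london, _ = _sites()
    worthing = Site("Worthing", [Phase2(WORTHING_LAN, LONDON_LAN)])
    server = OpenVpnServer(TUNNEL, pushed_routes=[LONDON_LAN, WORTHING_LAN])
    return trace("192.168.91.6", "10.190.36.20", server, london, worthing)


if __name__ == "__main__":
    for label, fn in (("before fix", before_fix), ("after fix", after_fix),
                      ("missing spoke P2", missing_spoke_p2)):
        print(f"{label}: {fn() or 'reachable'}")
```

Running it reports the missing pushed route for the first scenario, "reachable" once the route is pushed, and the absent Worthing phase 2 in the third, which is the case the second reply warns about when only one end of the tunnel is edited.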

