Firewall or routing issue with OpenVPN remote client
-
Hello Everyone,
I have an issue with my device, probably a configuration error.
Through an OpenVPN connection, this is working fine:
Computer 192.168.10.20 -> Teltonika RUT device 192.168.10.1 -> OpenVPN tunnel 192.168.93.0 -> pfSense 192.168.2.1 -> Computers in the network
The Teltonika device got an IP from the pfSense, 192.168.93.1
I can ping the Teltonika device from the pfSense. The Teltonika can ping any computer in the 192.168.2.0/24 network.
The problem is that I can't ping the device connected to the Teltonika, 192.168.10.20, and all the others. Basically the 192.168.10.0/24 network is not reachable from 192.168.2.1 and by so 192.168.2.0/24.
I've manually tested 2 different routes on the pfSense:
route add -net 192.168.10.0/24 192.168.93.2
or
route add -net 192.168.10.0/24 -iface ovpns2
It doesn't make any difference, the ping doesn't leave the pfSense.
Any idea of what I'm missing? Firewall or routing?
Best regards
-
The routes for OpenVPN connections have to be added by OpenVPN, not statically.
What kind of OpenVPN server are you running? A remote access server or a site to site?
Is the Teltonika device the default gateway in the 192.168.10.0/24 network?
-
The OpenVPN server is the pfSense.
Server mode: Remote access SSL/TLS + User auth
Device mode: tun - Layer 3 tunnel mode
Interface: WAN
Yes, the Teltonika is the main device. It is a 4G access point with sim card.
-
So you have to set up an OpenVPN Client Specific Override for the client and add the remote network 192.168.10.0/24 to the "IPv4 Remote Networks" as it's described in Configuring a Single Multi-Purpose OpenVPN Instance.
However, if the Teltonika is the only client, I'd recommend changing the server mode to site-to-site. In this mode you can add the remote network in the server settings directly and don't need a CSO.
-
Thanks for the advice. I will try this setup.
Indeed there will be multiple Teltonika clients.
Is this solution compatible so another Teltonika will be 192.168.11.0/24 and be able to reach 192.168.10.0/24?
-
Yes, you can define a CSO for each client, each with a unique tunnel subnet and with their appropriate remote networks.
The 192.168.10.0/24 must be added in the second Teltonika settings to the "IPv4 Remote Networks", so that the client device routes the traffic for 192.168.10.0/24 over the VPN, and the 192.168.11.0/24 must be added to the first Teltonika settings.
-
Thanks for your help. With the CSO, I can ping the Teltonika and the computer behind it from my computer connected directly through OpenVPN (Viscosity)
I will now begin the installation of the second Teltonika and confirm here if the solution is completely working. Also I will clarify which Firewall rules are necessary.
FYI I still can't ping the Teltonika from the pfSense. 100% packet loss whatever the source address is.
Edit: I had a few instabilities. Can you confirm that I need to set up a different tunnel for each Teltonika?
192.168.91.0/24
192.168.92.0/24
192.168.93.0/24
And the CSO for each remote network:
On 192.168.10.1 -> 11.0/24 and 12.0/24
On 192.168.11.1 -> 10.0/24 and 12.0/24
And so on?
Best regards
-
Hello there,
The setup is still not finished but indeed a part of the solution was to use the CSO.
I have another question about OpenVPN routing.
I've set up 4 OpenVPN tunnels between 4 pfSense on remote networks.
192.168.10.1
192.168.11.1
192.168.12.1
192.168.13.1
192.168.10.1 is the central server, and the others are connecting as clients.
So from 10 I can reach any network. And from all the networks, I can reach network 10.
What can I do to make the network 11 reachable from network 12?
And by so, the network 12 reachable from network 11.
Also, on each site I have an OpenVPN server for any clients like Viscosity.
But when I'm connected through this server, the access is only on the local site.
Example: if I connect from a random location to the network 13, I can only access the network 13; the 10-11-12 aren't reachable.
Any suggestion on how to proceed?
Best regards
-
For the site to site connections it's the same game with the "IPv4 Remote Networks" as above.
Edit the OpenVPN settings on each branch and add all remote networks to the "IPv4 Remote Networks". So for instance on 192.168.11.1 the box should have:
192.168.10.0/24,192.168.12.0/24,192.168.13.0/24
Ensure to use the network addresses, not 192.168.10.1/24!
In the remote access server settings you have to enter all these networks into the "IPv4 Local Networks" box:
192.168.10.0/24,192.168.11.0/24,192.168.12.0/24,192.168.13.0/24
That's all.
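To make the routing behind these GUI fields concrete, here is an added example (not from the thread and not pfSense's own code) that renders the raw OpenVPN directives for a hub with several spoke clients. It covers both the CSO discussion earlier in the thread (one "IPv4 Remote Networks" entry per client) and the site-to-site answer just above (every branch lists all other networks, the remote-access server lists all of them as local networks). It assumes, as pfSense documentation describes, that the server's "IPv4 Remote Networks" becomes `route` lines, a CSO's "IPv4 Remote Networks" becomes an `iroute` in that client's client-config-dir file, and a remote-access server's "IPv4 Local Networks" becomes `push "route ..."` lines; the hub LAN and spoke names below are constructed for the example.

```python
"""Added example: render the OpenVPN routing directives behind the pfSense
fields discussed in the thread, for a hub with several spoke clients.

Assumptions (not stated on the page): pfSense turns the server's "IPv4 Remote
Networks" into `route` lines, a CSO's "IPv4 Remote Networks" into `iroute`
lines in that client's client-config-dir file, and a remote-access server's
"IPv4 Local Networks" into `push "route ..."` lines. The topology below is
constructed for the example.
"""
import ipaddress
from typing import Dict, List

# Constructed topology: the hub's own LAN and one LAN per spoke (Teltonika) client.
HUB_LAN = "192.168.2.0/24"
SPOKES: Dict[str, str] = {
    "teltonika-a": "192.168.10.0/24",
    "teltonika-b": "192.168.11.0/24",
}


def is_network_address(cidr: str) -> bool:
    """True only for a real network address such as 192.168.10.0/24.

    strict=True makes ipaddress reject host addresses such as 192.168.10.1/24,
    which is exactly the mistake the answer above warns about.
    """
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def _net_mask(cidr: str) -> str:
    """Turn 192.168.10.0/24 into the 'network netmask' form OpenVPN directives use."""
    if not is_network_address(cidr):
        raise ValueError(f"{cidr} is not a network address (host bits set)")
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.netmask}"


def hub_server_routes(spokes: Dict[str, str]) -> List[str]:
    """Server-side `route` lines: the hub kernel must send every spoke LAN into the tunnel."""
    return [f"route {_net_mask(lan)}" for lan in spokes.values()]


def hub_ccd(name: str, spokes: Dict[str, str]) -> List[str]:
    """Client-config-dir file for one spoke: `iroute` tells OpenVPN which client owns that LAN.

    With the kernel `route` but no matching `iroute`, the OpenVPN daemon has no
    client to hand the packet to and drops it, so a ping never leaves the hub.
    """
    return [f"iroute {_net_mask(spokes[name])}"]


def branch_client_routes(name: str, hub_lan: str, spokes: Dict[str, str]) -> List[str]:
    """Routes a peer-to-peer branch needs on its own side: the hub LAN plus every other spoke LAN."""
    others = [lan for peer, lan in spokes.items() if peer != name]
    return [f"route {_net_mask(lan)}" for lan in [hub_lan] + others]


def roadwarrior_push_routes(hub_lan: str, spokes: Dict[str, str]) -> List[str]:
    """What a remote-access server pushes so a road-warrior client reaches every site."""
    return [f'push "route {_net_mask(lan)}"' for lan in [hub_lan] + list(spokes.values())]


def render(hub_lan: str, spokes: Dict[str, str]) -> str:
    """Assemble the pieces into one text block that can be reviewed against the GUI."""
    out = ["# server.conf additions"] + hub_server_routes(spokes)
    for name in spokes:
        out += [f"# ccd/{name}"] + hub_ccd(name, spokes)
        out += [f"# client config on {name}"] + branch_client_routes(name, hub_lan, spokes)
    out += ["# remote-access server pushes"] + roadwarrior_push_routes(hub_lan, spokes)
    return "\n".join(out)


if __name__ == "__main__":
    print(render(HUB_LAN, SPOKES))
```

Running the file prints the `route`/`iroute`/`push` set for the constructed topology; adding a third spoke to `SPOKES` is enough to see why every existing branch's list has to grow whenever a site is added. `is_network_address` is the check to run on anything typed into the "IPv4 Remote Networks" box, since a host address with a prefix is silently wrong there.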
-
Thanks for your reply!
On the server, there's only IPv4 Remote network(s)
IPv4 local Network setup isn't available.
Best regards
-
@info385 said in Firewall or routing issue with OpenVPN remote client:
On the server, there's only IPv4 Remote network(s)
IPv4 local Network setup isn't available.
So you have presumably checked "Redirect gateway". In this case, there is nothing more to do. That option routes the whole traffic over the VPN anyway.
-
I used Peer to Peer (Shared key) mode, that's why the option is not listed.
There isn't the gateway option either.
Is that a good choice?
-
@info385
Dude, we're talking about the remote access server for the road warrior clients here! You cannot run an access server in Peer to Peer mode.
I had suggested the "IPv4 Local Networks" option for the remote access server only, while on the Peer to Peer you only need the "IPv4 Remote Networks" setting.