Firewall or routing issue with OpenVPN remote client
I have an issue with my device, probably a configuration error.
Through an OpenVPN connection, this is working fine:
Computer 192.168.10.20 -> Teltonika RUT device 192.168.10.1 -> OpenVPN tunnel 192.168.93.0 -> PfSense 192.168.2.1 -> Computers in the network
The Teltonika device got an IP from the PfSense, 192.168.93.1
I can ping the Teltonika device from the PfSense. The Teltonika can ping any computer in the 192.168.2.0/24 network.
The problem is that I can't ping the device connected to the Teltonika, 192.168.10.20, nor any of the others. Basically, the 192.168.10.0/24 network is not reachable from 192.168.2.1, and therefore not from 192.168.2.0/24.
I've manually tested 2 different routes on the PfSense:
route add -net 192.168.10.0/24 192.168.93.2
route add -net 192.168.10.0/24 -iface ovpns2
It doesn't make any difference; the ping doesn't leave the PfSense.
Any idea what I'm missing? Firewall or routing?
The routes for OpenVPN connections have to be added by OpenVPN, not statically.
What kind of OpenVPN server are you running? A remote access server or a site-to-site?
Is the Teltonika device the default gateway in the 192.168.10.0/24 network?
The OpenVPN server is the PfSense.
Server mode: Remote access SSL/TLS + User auth
Device mode: tun - Layer 3 tunnel mode
Yes, the Teltonika is the main device. It is a 4G access point with a SIM card.
So you have to set up an OpenVPN Client Specific Override for the client and add the remote network 192.168.10.0/24 to the "IPv4 Remote Networks" as it's described in Configuring a Single Multi-Purpose OpenVPN Instance.
However, if the Teltonika is the only client, I'd recommend changing the server mode to site-to-site. In this mode you can add the remote network in the server settings directly and don't need a CSO.
Thanks for the advice. I will try this setup.
Indeed there will be multiple Teltonika clients.
Is this solution compatible, so that another Teltonika will be 192.168.11.0/24 and be able to reach 192.168.10.0/24?
Yes, you can define a CSO for each client, each with a unique tunnel subnet and with their appropriate remote networks.
The 192.168.10.0/24 must be added to the "IPv4 Remote Networks" in the second Teltonika's settings, so that the client device routes the traffic for 192.168.10.0/24 over the VPN, and 192.168.11.0/24 must be added to the first Teltonika's settings.
Thanks for your help. With the CSO, I can ping the Teltonika and the computer behind it from my computer connected directly through OpenVPN (Viscosity)
I will now begin the installation of the second Teltonika and confirm here if the solution is completely working. Also I will clarify which Firewall rules are necessary.
FYI, I still can't ping the Teltonika from the PfSense. 100% packet loss whatever the source address is.
Edit: I had a few instabilities. Can you confirm that I need to set up a different tunnel for each Teltonika?
And the CSO for each remote network:
On 192.168.10.1 -> 11.0/24 and 12.0/24
On 192.168.11.1 -> 10.0/24 and 12.0/24
And so on?
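What the CSO advice above (one override per client, each listing the other sites' LANs) and the "On 192.168.10.1 -> 11.0/24 and 12.0/24" table amount to, in plain OpenVPN terms, is a server-side `route` for every remote LAN, plus a per-client `ccd` file with an `iroute` for that client's own LAN and a `push "route ..."` for every other site. The generator below is an added example, not code from the thread or from pfSense; the client certificate names and the third site 192.168.12.0/24 are constructed, and pfSense writes the equivalent directives itself from the CSO fields.

```python
import ipaddress

# Constructed example: client certificate CN -> LAN behind that Teltonika.
CLIENTS = {
    "teltonika-a": "192.168.10.0/24",
    "teltonika-b": "192.168.11.0/24",
    "teltonika-c": "192.168.12.0/24",  # constructed third site
}


def _net_mask(cidr):
    """'192.168.10.0/24' -> '192.168.10.0 255.255.255.0' (OpenVPN syntax)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.netmask}"


def server_directives(clients):
    """Lines for the server config: a kernel route for every remote LAN so the
    server hands those packets to the tun interface. 'client-to-client' is
    deliberately left out: without it, site-to-site traffic passes through
    the server's kernel and is subject to the OpenVPN interface firewall
    rules, which is what lets pfSense filter between the Teltonika LANs."""
    lines = ["client-config-dir ccd"]
    for cidr in clients.values():
        lines.append(f"route {_net_mask(cidr)}")
    return lines


def ccd_file(clients, cn):
    """Lines for ccd/<cn>, the equivalent of a pfSense CSO for that client:
    'iroute' binds the client's LAN to this client's session (the static
    'route add' tried in the question cannot do this), and each 'push route'
    tells the client to send the other sites' LANs over the tunnel."""
    lines = [f"iroute {_net_mask(clients[cn])}"]
    for other_cn, cidr in clients.items():
        if other_cn != cn:
            lines.append(f'push "route {_net_mask(cidr)}"')
    return lines


def render_all(clients):
    """Map of file name -> file text for the server config and every ccd file."""
    files = {"server.conf": "\n".join(server_directives(clients)) + "\n"}
    for cn in clients:
        files[f"ccd/{cn}"] = "\n".join(ccd_file(clients, cn)) + "\n"
    return files


if __name__ == "__main__":
    for name, text in render_all(CLIENTS).items():
        print(f"--- {name}\n{text}")
```

Each client's ccd file never pushes a route for its own LAN, so the generated files match the mesh sketched in the last post.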