Firewall or routing issue with OpenVPN remote client



  • Hello Everyone,

    I have an issue with my device, probably a configuration error.

    Through an OpenVPN connection, this is working fine:
    Computer 192.168.10.20 -> Teltonika RUT device 192.168.10.1 -> OpenVPN tunnel 192.168.93.0 -> PfSense 192.168.2.1 -> Computers in the network

    The Teltonika device got an IP from the PfSense, 192.168.93.1
    I can ping the Teltonika device from the PfSense. The Teltonika can ping any computer in the 192.168.2.0/24 network.

    The problem is that I can't ping the device connected to the Teltonika, 192.168.10.20, or any of the others. Basically the 192.168.10.0/24 network is not reachable from 192.168.2.1 and so not from 192.168.2.0/24 either.

    I've manually tested 2 different routes on the PfSense:
    route add -net 192.168.10.0/24 192.168.93.2
    or
    route add -net 192.168.10.0/24 -iface ovpns2

    It doesn't make any difference, the ping doesn't leave the PfSense.

    Any idea of what I'm missing? Firewall or routing?

    Best regards



  • The routes for OpenVPN connections have to be added by OpenVPN, not statically.

    What kind of OpenVPN server are you running? A remote access server or a site to site?

    Is the Teltonika device the default gateway in the 192.168.10.0/24 network?



  • The OpenVPN server is the PfSense.
    Server mode: Remote access SSL/TLS + User auth
    Device mode: tun - Layer 3 tunnel mode
    Interface: WAN

    Yes, the Teltonika is the main device. It is a 4G access point with a SIM card.



  • So you have to set up an OpenVPN Client Specific Override for the client and add the remote network 192.168.10.0/24 to the "IPv4 Remote Networks" as it's described in Configuring a Single Multi-Purpose OpenVPN Instance.

    However, if the Teltonika is the only client, I'd recommend changing the server mode to site-to-site. In this mode you can add the remote network in the server settings directly and don't need a CSO.



  • Thanks for the advice. I will try this setup.
    Indeed there will be multiple Teltonika clients.

    Is this solution compatible so that another Teltonika will be 192.168.11.0/24 and be able to reach 192.168.10.0/24?



  • Yes, you can define a CSO for each client, each with a unique tunnel subnet and with their appropriate remote networks.
    192.168.10.0/24 must be added to the "IPv4 Remote Networks" of the second Teltonika's settings, so that the client device routes the traffic for 192.168.10.0/24 over the VPN, and 192.168.11.0/24 must be added to the first Teltonika's settings.
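    The per-client routing described in this answer, written out as the raw OpenVPN directives that sit behind a pfSense CSO (iroute for the LAN behind a client, route on the server, push route for the other client's LAN). This is an added illustration, not configuration from the thread; the certificate common names, ccd path and the fixed tunnel addresses inside 192.168.93.0/24 are assumed.

```conf
# server.conf  (remote access server, tun mode) -- added illustration, values assumed
server 192.168.93.0 255.255.255.0       # tunnel network handed out to clients
topology subnet
client-config-dir /etc/openvpn/ccd      # one file per client certificate CN

# Kernel routes: traffic for each LAN behind a client must enter the tun device.
# A static "route add" on the host is not enough; OpenVPN has to own these
# so it can match them against the iroute of the right client below.
route 192.168.10.0 255.255.255.0
route 192.168.11.0 255.255.255.0

# /etc/openvpn/ccd/teltonika-a   (CN of the first Teltonika, LAN 192.168.10.0/24)
ifconfig-push 192.168.93.2 255.255.255.0   # CSO "Tunnel Network": fixed tunnel address
iroute 192.168.10.0 255.255.255.0          # CSO "IPv4 Remote Networks": LAN behind this client
push "route 192.168.11.0 255.255.255.0"    # let it reach the second Teltonika's LAN

# /etc/openvpn/ccd/teltonika-b   (CN of the second Teltonika, LAN 192.168.11.0/24)
ifconfig-push 192.168.93.3 255.255.255.0
iroute 192.168.11.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"    # let it reach the first Teltonika's LAN
```

Each client's own LAN appears only in its own iroute, never in a push to that same client, otherwise the client would route its local LAN into the tunnel.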



  • Thanks for your help. With the CSO, I can ping the Teltonika and the computer behind it from my computer connected directly through OpenVPN (Viscosity)

    I will now begin the installation of the second Teltonika and confirm here if the solution is completely working. Also I will clarify which Firewall rules are necessary.

    FYI I still can't ping the Teltonika from the PfSense. 100% packet loss whatever the Source address is.

    Edit: I had a few instabilities. Can you confirm that I need to set up a different tunnel for each Teltonika?
    192.168.91.0/24
    192.168.92.0/24
    192.168.93.0/24

    And the CSO for each remote network:
    On 192.168.10.1 -> 11.0/24 and 12.0/24
    On 192.168.11.1 -> 10.0/24 and 12.0/24
    And so on?

    Best regards

