OpenVPN between pfSense boxes, little help please



  • Hi guys,
    Well, this website has provided me with a wealth of information. This is my first post and I just wanted to say thanks!!!

    I have the following setup

    Site 1                                         Site 2
    pfSense ---------------- WAN ---------------- pfSense
    10.8.8.0/24 --------- OVPN TUNNEL --------- 10.8.8.0/24
      |   |   |                                     |
      |   |   +-- Road Warriors                     +-- 10.5.4.0/24
      |   +-- 10.5.11.0/24
      +-- 10.5.1.0/24

    Basically I am trying to push two subnets to Site 2.
    From the pfSense machine at site two I can ping and trace both subnets.
    From a road warrior with OpenVPN for Windows running I can trace both subnets at site one. I cannot reach site 2's subnet without
    going into cmd.exe and adding
    route add 10.5.4.0 mask 255.255.255.0 10.8.8.9 (gateway on this road warrior) if tap

    That's the background, I guess.

    From the machines at site 2 using pfSense as a gateway I can only get to subnet 10.5.1.0/24, not the other subnet.
    I am using PKI, obviously.
    Here is what is in the custom options on the server at site 1:
    route 10.5.4.0 255.255.0.0;push "route 10.5.1.0 255.255.255.0";push "route 10.5.11.0 255.255.255.0"

    If I switch push "route 10.5.1.0 255.255.255.0";push "route 10.5.11.0 255.255.255.0"
    to  push "route 10.5.11.0 255.255.255.0";"route 10.5.1.0 255.255.255.0"
    I then get access to 10.5.11.0, not 10.5.1.0, as noted above.

    However, from the pfSense machine at the remote site I have access to both, and the road warriors do as well.
    Does anyone know where I might be going wrong?

    PS. I have not entered anything in the custom options on the client pfSense; however,
    under client-specific settings I'm using the common name correctly with the custom options as
    iroute 10.5.4.0 255.255.255.0

    Any help much appreciated



  • So you actually have the road warriors on the same OpenVPN server instance as the site-to-site connection?

    I wouldn't do that.
    Keep them separate.

    One instance in PSK setup for the site-to-site.
    One instance in PKI setup for the roadwarriors.

    Like this you can use routes for the site-to-site and pushes for the roadwarriors.

    If you keep them together it gets nasty with client specific pushes and you'll never have satisfactory client separation.

    This was a very recent similar problem:
    http://forum.pfsense.org/index.php/topic,16028.0.html

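Added example, not code from either poster or from pfSense: a small checker for the route / push / iroute directives discussed in the first post and the single-instance concern raised in the reply. It parses a pfSense-style semicolon-separated custom options string plus the client-specific overrides, then reports an iroute whose netmask has no server route with the same mask, a pushed route that overlaps a site-to-site peer's own subnet, and an instance that mixes iroute peers with global pushes (which every client, the site-to-site peer included, receives). The common name "site2-pfsense" and the sample strings are constructed placeholders shaped after the first post, not values taken from the thread.

```python
import ipaddress
import shlex

# Constructed sample input, shaped after the first post: the server instance's
# "custom options" line (pfSense stores directives separated by ';') and the
# client-specific override keyed by certificate common name.  "site2-pfsense"
# is an assumed placeholder, not a value from the thread.
SERVER_CUSTOM_OPTIONS = (
    'route 10.5.4.0 255.255.0.0;'
    'push "route 10.5.1.0 255.255.255.0";'
    'push "route 10.5.11.0 255.255.255.0"'
)
CLIENT_SPECIFIC_OPTIONS = {
    "site2-pfsense": "iroute 10.5.4.0 255.255.255.0",
}


def parse_custom_options(text):
    """Split a pfSense custom-options string into (directive, args) pairs.

    A push directive carries a quoted inner directive; shlex keeps it as one
    argument, so push "route A B" becomes ("push", ["route A B"]).
    """
    directives = []
    for chunk in text.split(";"):
        chunk = chunk.strip()
        if chunk:
            parts = shlex.split(chunk)
            directives.append((parts[0], parts[1:]))
    return directives


def network(addr, mask):
    """Build a network object from OpenVPN's 'address netmask' argument pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def server_routes(directives):
    """Networks the server routes into the tunnel with 'route'."""
    return [network(*args[:2]) for name, args in directives if name == "route"]


def pushed_routes(directives):
    """Networks pushed to every connecting client with push "route ...". """
    routes = []
    for name, args in directives:
        if name == "push":
            inner, inner_args = parse_custom_options(args[0])[0]
            if inner == "route":
                routes.append(network(*inner_args[:2]))
    return routes


def client_iroutes(ccd):
    """Map common name -> networks the client announces via 'iroute'."""
    return {
        cn: [network(*args[:2])
             for name, args in parse_custom_options(text) if name == "iroute"]
        for cn, text in ccd.items()
    }


def lint(server_text, ccd):
    """Return human-readable findings about route / push / iroute consistency."""
    findings = []
    directives = parse_custom_options(server_text)
    routes = server_routes(directives)
    pushes = pushed_routes(directives)
    iroutes = client_iroutes(ccd)

    for cn, nets in iroutes.items():
        for net in nets:
            # OpenVPN needs a kernel route into the tunnel for every iroute;
            # a server route with a different mask usually means a typo.
            if net not in routes:
                covering = [r for r in routes if net.subnet_of(r)]
                findings.append(
                    f"iroute {net} for {cn} has no server route with the same mask"
                    + (f" (only {covering[0]} covers it)" if covering else "")
                )
            # Pushing a peer's own subnet to it would send its LAN back through the tunnel.
            for pushed in pushes:
                if pushed.overlaps(net):
                    findings.append(f"pushed route {pushed} overlaps {cn}'s own iroute {net}")

    # Global pushes reach every client of the instance, site-to-site peers included.
    if iroutes and pushes:
        peers = ", ".join(sorted(iroutes))
        findings.append(
            f"instance mixes site-to-site peers ({peers}) with {len(pushes)} global push route(s); "
            "consider a separate instance for road warriors"
        )
    return findings


if __name__ == "__main__":
    for line in lint(SERVER_CUSTOM_OPTIONS, CLIENT_SPECIFIC_OPTIONS):
        print(line)
```

Run against the sample, the checker reports the /16 server route that only covers the /24 iroute, and the mixed instance; with a matching /24 route and no global pushes it reports nothing, which is the shape the reply recommends (routes on the site-to-site instance, pushes on the road-warrior instance).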
