OpenVPN between PFSense boxes, little help please
-
Hi guys
Well this website has provided me with a wealth of information and this is my first post and just wanted to say thanks!!!

I have the following setup:

Site 1                                    Site 2
PFSense ------------- WAN ------------- PFSense
10.8.8.0/24 ------ OVPN TUNNEL ------ 10.8.8.0/24
    |                                     |
10.5.1.0/24 ---+                          +--- 10.5.4.0/24
               |
10.5.11.0/24 --+
    |
Road Warriors

Basically I am trying to push two subnets to Site 2.
From the PFSENSE machine at site two I can ping and trace both subnets.
From a Road warrior with OVPN for windows running I can trace both subnets at site one. I cannot reach site 2's subnet without going into cmd.exe and adding
route add 10.5.4.0 mask 255.255.255.0 10.8.8.9 (gateway on this roadwarrior if tap)
That's the background I guess.
From the machines at site 2 using PFsense as a gateway I can only get to subnet 10.5.1.0/24, not the other subnet.
I am using PKI obviously.
Here is what is in the custom options on the Server at site 1:

route 10.5.4.0 255.255.0.0;push "route 10.5.1.0 255.255.255.0";push "route 10.5.11.0 255.255.255.0"

If I switch push "route 10.5.1.0 255.255.255.0";push "route 10.5.11.0 255.255.255.0"
to push "route 10.5.11.0 255.255.255.0";"route 10.5.1.0 255.255.255.0"
I then get access to 10.5.11.0, not 10.5.1.0, as noted above. However from the PFsense machine at the remote site I have access to both, and the road warriors do as well.
Does anyone know where I might be going wrong?

PS. I have not entered anything in custom options on the client pfsense; however, under client specific settings I'm using the common name correctly with the custom options as

iroute 10.5.4.0 255.255.255.0

Any help much appreciated
-
So you actually have the roadwarriors on the same OpenVPN server instance as the site-to-site connection?
I wouldn't do that.
Keep them separate. One instance in PSK setup for the site-to-site.
One instance in PKI setup for the roadwarriors. Like this you can use routes for the site-to-site and pushes for the roadwarriors.
If you keep them together it gets nasty with client specific pushes, and you'll never have satisfactory client separation.
This was a very recent similar problem:
http://forum.pfsense.org/index.php/topic,16028.0.html
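An added consistency check, not posted by either participant, for the custom options quoted in the first post: it parses pfSense's semicolon-separated options and reports an `iroute` whose netmask does not match the server-side `route` that covers it, plus any server `route` that overlaps the server's own LANs. The sample option strings and LAN list are constructed from the values in the thread.

```python
# Added check: verify that an OpenVPN server's `route` entries match the `iroute`
# entries in its client-specific config, and do not swallow the server's own LANs.
import ipaddress

def parse_options(text):
    """Split pfSense-style custom options (';'-separated) into (directive, args)."""
    opts = []
    for raw in text.split(";"):
        parts = raw.replace('"', "").split()
        if parts:
            opts.append((parts[0], parts[1:]))
    return opts

def as_network(addr, mask):
    """Build a network from OpenVPN's 'address netmask' form (e.g. 10.5.4.0 255.255.255.0)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_routes(server_opts, csc_opts, local_subnets):
    """Return (kind, detail) findings; an empty list means the entries are consistent."""
    findings = []
    routes = [as_network(*a) for d, a in parse_options(server_opts) if d == "route"]
    iroutes = [as_network(*a) for d, a in parse_options(csc_opts) if d == "iroute"]
    local = [ipaddress.ip_network(s) for s in local_subnets]

    # Every iroute needs a server-side `route` so the kernel sends traffic into the tunnel;
    # a broader route still "covers" it, but a differing mask is almost always a typo.
    for ir in iroutes:
        covering = [r for r in routes if ir.subnet_of(r)]
        if not covering:
            findings.append(("missing_route", f"no server route covers iroute {ir}"))
        elif ir not in covering:
            findings.append(("mask_mismatch", f"iroute {ir} is covered by route {covering[0]}, masks differ"))

    # A server `route` that overlaps one of the server's own LANs points local traffic
    # at the tunnel (or is shadowed by the interface route), which is never intended.
    for r in routes:
        for ln in local:
            if ln.subnet_of(r) or r.subnet_of(ln):
                findings.append(("local_overlap", f"route {r} overlaps local subnet {ln}"))
    return findings

# Constructed from the values quoted in the first post above
SITE1_SERVER = ('route 10.5.4.0 255.255.0.0;'
                'push "route 10.5.1.0 255.255.255.0";push "route 10.5.11.0 255.255.255.0"')
SITE2_CSC = "iroute 10.5.4.0 255.255.255.0"
SITE1_LANS = ["10.5.1.0/24", "10.5.11.0/24"]

if __name__ == "__main__":
    for kind, detail in check_routes(SITE1_SERVER, SITE2_CSC, SITE1_LANS):
        print(f"{kind}: {detail}")
```

Run against the thread's options it reports the 255.255.0.0 vs 255.255.255.0 mismatch and that the resulting /16 route also covers both site-1 LANs; with `route 10.5.4.0 255.255.255.0` it reports nothing.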