VPN Gateway for LAN based Open VPN server



  • I have a LAN server running Open VPN. I have an asymmetrical routing issue, I can ping the private IP scopes from the VPN client, but cannot ping back. I have attempted to ping from a LAN workstation to the VPN client, but there is no next hop past the LAN subnet gateway.

    The solution I have considered is to set a gateway for the VPN client subnet on the LAN pointed to the IP of the LAN Open VPN server. But that sounds a little on the Elmer Fudd spectrum. Is there anything I can do on my router (XG-7100) to create the route, or should this be propagated from the VPN server?

    Thanks!



  • Why are you running the OpenVPN server on a LAN device and not on the edge router?

    If you want to keep the server there, the best you can do is set up a transit network between the router and the OpenVPN server. This may be a VLAN on the same wire as your LAN, but the VPN server must not have an IP within the LAN network. So you're able to route.
    Then you can add a static route on the router for the remote networks pointing to the OpenVPN server.

    Another way to solve that is adding a static route for the remote networks to each LAN device, pointing to the OpenVPN server. This could also be done by DHCP if the LAN devices' network settings are configured by DHCP.
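The DHCP variant of the second option above means handing every LAN host a classless static route (DHCP option 121, RFC 3442) for the VPN client subnet with the OpenVPN host as next hop, so LAN-to-VPN traffic goes straight to the OpenVPN server and never transits the router at all. The encoding is easy to get wrong, so here is a worked example. This is added code, not from this thread or from pfSense/OpenVPN; the address plan (LAN 192.168.1.0/24 with the router at .1, the OpenVPN server at .5, VPN clients in 10.8.0.0/24) is constructed for illustration.

```python
import ipaddress

# Constructed example address plan (assumptions, not taken from the thread):
# LAN 192.168.1.0/24, router (pfSense) at .1, LAN-side OpenVPN server at .5,
# OpenVPN client subnet 10.8.0.0/24.
LAN = ipaddress.ip_network("192.168.1.0/24")
LAN_GATEWAY = ipaddress.ip_address("192.168.1.1")
OPENVPN_SERVER = ipaddress.ip_address("192.168.1.5")
VPN_CLIENTS = ipaddress.ip_network("10.8.0.0/24")


def encode_classless_static_routes(routes, lan):
    """Build the DHCP option 121 payload (RFC 3442) from (destination, gateway) pairs.

    Each route is encoded as one byte of prefix length, then only the significant
    octets of the destination (ceil(prefixlen / 8) of them), then the 4-octet gateway.
    Every gateway must be on-link in `lan`: a host cannot install a route via a next
    hop it cannot reach directly.
    """
    payload = bytearray()
    for destination, gateway in routes:
        net = ipaddress.ip_network(destination, strict=True)
        gw = ipaddress.ip_address(gateway)
        if net.version != 4 or gw.version != 4:
            raise ValueError("option 121 carries IPv4 routes only")
        if gw not in lan:
            raise ValueError(f"gateway {gw} is not on-link in {lan}")
        significant = (net.prefixlen + 7) // 8
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:significant]
        payload += gw.packed
    return bytes(payload)


def decode_classless_static_routes(payload):
    """Inverse of the encoder: parse an option 121 payload back into (network, gateway)."""
    routes = []
    i = 0
    while i < len(payload):
        prefixlen = payload[i]
        if prefixlen > 32:
            raise ValueError(f"bad prefix length {prefixlen} at offset {i}")
        significant = (prefixlen + 7) // 8
        i += 1
        # Pad the truncated destination back out to four octets.
        dest = payload[i:i + significant] + b"\x00" * (4 - significant)
        i += significant
        gw = payload[i:i + 4]
        i += 4
        if len(gw) != 4:
            raise ValueError("truncated route entry")
        routes.append((ipaddress.ip_network((dest, prefixlen)), ipaddress.ip_address(gw)))
    return routes


def as_dhcpd_integer_list(payload):
    """Render the payload as the decimal list ISC dhcpd expects when the option is
    declared as `option rfc3442-classless-static-routes code 121 = array of integer 8;`."""
    return ", ".join(str(b) for b in payload)


def lan_routes_for_vpn(vpn_clients, openvpn_server, lan_gateway):
    """Routes to push to LAN hosts: the VPN client subnet via the OpenVPN host, plus the
    default route. RFC 3442 requires the default route to be repeated here, because a
    client that honours option 121 ignores option 3 (Router) entirely."""
    return [(str(vpn_clients), str(openvpn_server)), ("0.0.0.0/0", str(lan_gateway))]


if __name__ == "__main__":
    routes = lan_routes_for_vpn(VPN_CLIENTS, OPENVPN_SERVER, LAN_GATEWAY)
    payload = encode_classless_static_routes(routes, LAN)
    print(payload.hex())
    print(as_dhcpd_integer_list(payload))
    for net, gw in decode_classless_static_routes(payload):
        print(f"{net} via {gw}")
```

Two practical caveats: forgetting the trailing default route silently drops the hosts' default gateway on clients that honour option 121, and not every operating system honours option 121 at all, so verify with a real lease before relying on it fleet-wide. The on-link check in the encoder catches the other common mistake, pointing the route at a gateway outside the LAN the lease is for.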



  • @viragomann said in VPN Gateway for LAN based Open VPN server:

    Why are you running the OpenVPN server on a LAN device and not on the edge router?

    I inherited the network.

    the best you can do is setting up a transit network between the router and the OpenVPN server.

    Currently, the site relies on one XG-7100 for routing. If I parse your suggestion into my infrastructure, I would just create a new VLAN, set the parent interface as the Lagg0, and assign the VLAN to a new interface. But this won't create the gateway required to create the static route. So, I'd need to create a gateway for the VPN subnet on the VLAN interface just created.

    Does that track with what your suggestion intended?

    adding a static route for the remote networks to each LAN device pointing to the OpenVPN server.

    The clients are in remote locations connected to a Wi-Fi router from the ISP. I don't think this is feasible due to the effort involved to edit all of the remote devices, which may be as many as 50 different locations.



  • @shapelytraffic said in VPN Gateway for LAN based Open VPN server:

    I would just create a new VLAN, set the parent interface as the Lagg0

    I assumed the parent interface is your LAN, which you will still need.

    So just add a VLAN to the LAN interface and assign a new interface to it.

    Then add a gateway in System > Routing > Gateways and enter your VPN server's new VLAN IP. After that you can add a static route pointing to this gateway.



  • @viragomann sounds like we are on the same page.

    The parent interface is Lagg0, the LAN is actually a sub interface of the Lagg0.



  • I see. So you have a LAGG between pfSense and a switch, which the OpenVPN server is connected to. So it should be the LAGG, but I've never used one on pfSense.



  • Actually, that's the default behavior of the XG-7100. Lagg0 is an aggregate of ix2 and ix3, interfaces internal to the chassis that provide trunking for the 8 ports on the front face.

    [attached image: lagg.png]

