Routing between dial-in and site-to-site openvpn servers on a pfsense 2.4.4 (solved)



  • I have an openvpn problem with my pfsense and several openvpn servers. The situation is the following:

    • We have two sites, one main site and one branch office, on both sides a pfsense 2.4.4 is running
    • There is an openvpn site to site tunnel which connects main office and branch
    • We have several services running regularly between main and branch office and we need them to be undisturbed
    • We have several road warriors dialling into the pfsense at the main office on their own openvpn server
    • The way the remote offices is connected to the internet doesn't allow for setting up a server there, so the server is always the main office.

    The main reason for the two openvpn servers is, that I want to be able to cut out the network to the road warriors when they do something outside the company policies (as happens from time to time) without any interference between the offices. And there are also rare cases where we have to take down the link between the offices as well, but want the road warriors to be able to still be connected.

    Up until a while ago this setup was working pretty well, but in recent times (before and now with the corona virus running rampant), there was no reason for the road warriors to directly connect to machines in the branch office.

    Now there is need and I can't get the pfsense to route between the two openvpn servers. The road warriors are pulling out their pitchforks and lighting torches.

    The setup, configuration-wise, on the pfsense is the following

    Main Office:

    • Network: 192.168.3.0/24

    • Gateway: 192.168.3.1

    • OpenVPN Server: 192.168.3.1

    • Site-2-Site to Branch OpenVPN:

      • Server Mode: Peer to Peer (Shared Key)
      • UDP on IPV4 / tun
      • Tunnel Network: 10.20.21.0/24
      • Tunnel Network IP: 10.20.21.1
      • Remote Network: 172.20.21.0/24
      • Advanced: push "route 10.0.42.0 255.255.255.0"
    • Road Warrior Dial-In to Main:

      • Server Mode: Remote Access (SSL/TLS + User Auth)
      • UDP on IPV4 / tun
      • Tunnel Network: 10.0.42.0/24
      • Tunnel Network IP: 10.0.42.1
      • Local Network: 192.168.3.0/24,10.20.21.0/24,172.20.21.0/24

    Branch Office:

    • Network: 172.20.21.0/24

    • Gateway: 172.20.21.1

    • OpenVPN Server: 172.20.21.1

    • Site-2-Site to Branch OpenVPN:

      • Server Mode: Peer to Peer (Shared Key)
      • UDP on IPV4 / tun
      • Tunnel Network: 10.20.21.0/24
      • Tunnel Network IP: 10.20.21.2
      • Remote Network: 192.168.3.0/24

    My problem is, that this configuration doesn't work. The road warriors can connect to the branch office.

    Debugging brought the following insights:

    • The routes on the pfsense in the main office show all routes
    • In the main office I can ping computers on the remote network, the road warriors (e.g. 10.0.42.2) and down the tunnels
    • From the road warrior dial-in I can ping the openvpn tunnel endpoints on the main office side (10.20.21.1; 10.0.42.1), but not the end-point on the branch office side
    • The pfsense on the branch ignores the "push route ...", nothing in the logs, route just doesn't show up
    • If I add the road warrior net (10.0.42.0/24) to the Remote Networks on the branch pfsense, I can ping down the tunnel and reach the end-point on the branch office (10.20.21.2) but not into the network. Already 172.20.21.1 doesn't answer.

    Right now I am looking at the whole setup and wonder what I am doing wrong...



  • @quams said in Routing between dial-in and site-to-site openvpn servers on a pfsense 2.4.4:

    Site-2-Site to Branch OpenVPN:
    Server Mode: Peer to Peer (Shared Key)
    UDP on IPV4 / tun
    Tunnel Network: 10.20.21.0/24
    Tunnel Network IP: 10.20.21.1
    Remote Network: 172.20.21.0/24
    Advanced: push "route 10.0.42.0 255.255.255.0"

    I'd recommend using a /30 tunnel network for a site2site.

    Delete the "push route.." from the Advanced options. Instead of that add 10.0.42.0/24 to the "IPv4 Remote Networks" on the branch office box.

    @quams said in Routing between dial-in and site-to-site openvpn servers on a pfsense 2.4.4:

    Road Warrior Dial-In to Main:
    Server Mode: Remote Access (SSL/TLS + User Auth)
    UDP on IPV4 / tun
    Tunnel Network: 10.0.42.0/24
    Tunnel Network IP: 10.0.42.1
    Local Network: 192.168.3.0/24,10.20.21.0/24,172.20.21.0/24

    Delete 10.20.21.0/24 from "Local Networks". There is no sense in pushing the site2site tunnel network to the road warriors.
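
A small routing model of this thread's setup, added here as an example (not code from the thread or from pfSense): it builds the route tables of the main box, the branch box and a road-warrior client from the "IPv4 Remote Networks" and "Local Networks" settings, then checks that a packet from a road warrior to a branch host and its reply both stay inside the tunnels. Interface names and the host addresses 10.0.42.2 / 172.20.21.50 are constructed for the model; the shared-key tunnel is modelled as ignoring the pushed route, which is why the return path to the road-warrior net has to come from the branch's remote-network setting.

```python
from ipaddress import ip_network, ip_address

# Constructed model of the three nodes in the thread. Interface names ("lan",
# "s2s", "rw", "wan", "vpn", "internet") and host addresses are assumptions.

def routing_table(connected, default):
    """connected: list of (network, interface). Returns a longest-prefix-first
    table with the default route appended last."""
    table = [(ip_network(n), i) for n, i in connected]
    table.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return table + [(ip_network("0.0.0.0/0"), default)]

def next_hop(table, dst):
    """Longest-prefix match: the interface a packet to dst leaves on."""
    dst = ip_address(dst)
    return next(iface for net, iface in table if dst in net)

def build(branch_remote_nets, rw_local_nets):
    """Route tables for main, branch and client given the two tunable settings."""
    main = routing_table(
        [("192.168.3.0/24", "lan"), ("10.20.21.0/24", "s2s"),
         ("172.20.21.0/24", "s2s"),          # "IPv4 Remote Networks" on main
         ("10.0.42.0/24", "rw")], default="wan")
    branch = routing_table(
        [("172.20.21.0/24", "lan"), ("10.20.21.0/24", "s2s")]
        + [(n, "s2s") for n in branch_remote_nets], default="wan")
    # The road-warrior client only learns the tunnel net plus the pushed
    # "Local Networks"; everything else leaves via its own internet uplink.
    client = routing_table(
        [("10.0.42.0/24", "vpn")] + [(n, "vpn") for n in rw_local_nets],
        default="internet")
    return main, branch, client

def round_trip_ok(branch_remote_nets, rw_local_nets,
                  src="10.0.42.2", dst="172.20.21.50"):
    """True if client -> branch host and the reply both follow the tunnels."""
    main, branch, client = build(branch_remote_nets, rw_local_nets)
    forward = (next_hop(client, dst), next_hop(main, dst), next_hop(branch, dst))
    reply = (next_hop(branch, src), next_hop(main, src))
    return forward == ("vpn", "s2s", "lan") and reply == ("s2s", "rw")

# Original post: branch only knows 192.168.3.0/24, the pushed route never
# arrives over the shared-key tunnel, so the reply to 10.0.42.2 hits "wan".
BEFORE = round_trip_ok(["192.168.3.0/24"],
                       ["192.168.3.0/24", "10.20.21.0/24", "172.20.21.0/24"])
# Suggested fix: add 10.0.42.0/24 to the branch "IPv4 Remote Networks" and
# drop the site2site tunnel net from the road warriors' "Local Networks".
AFTER = round_trip_ok(["192.168.3.0/24", "10.0.42.0/24"],
                      ["192.168.3.0/24", "172.20.21.0/24"])

if __name__ == "__main__":
    print("before:", BEFORE, "after:", AFTER)   # before: False after: True
```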



  • @viragomann thanks for the tip! It worked!

    I am just a little bit confused, since I am nearly 100% sure that I tried this exact set-up before. But who knows what I had hanging around with me trying to solve this via "push route (...)".

