<![CDATA[OpenVPN routing question]]>Hi everyone,
I have a problem with routing traffic trough openVPN. After days of reading and testing, i am posting this and hope someone could help. I think i am almost done, there is missing just a small piece.

We have an pfsense with openvpn server (Azure Cloud) This is located in the cloud and should only connect all VPN clients
One pfsense as openvpn client (Site A)
One pfsense as openvpn client (Site B)
more sites with openvpn clients will be added in future
not all sites should be able to communicate with each other

LAN 172.16.0.0/23 <----> pfsense site A ----> pfsense Site C (VPN Server) <---- pfsense site B <----> LAN 172.16.254.0/24

Clients in Site A need to connect to clients in Site B
Clients in Site B need to connect to clients in Site A

On the Server in Cloud is no LAN which need to be accessible. This Server should just connect the VPN tunnels from all clients.

I start a ping from LAN of site A to a client of site B and opposite.

What I see is that in the VPN server the ICMP packets are seen in the tunnelinterface coming from booth ends. But going out the default gateway to the LAN.

This is the ovpns1 interface

13:29:56.406750 IP 172.16.254.20 > 172.16.0.55: ICMP echo request, id 29701, seq 24576, length 40
13:30:00.070629 IP 172.16.0.55 > 172.16.254.254: ICMP echo request, id 1, seq 35209, length 40

and this is the traffic leaving the local LAN interface (hn0)

14:19:20.597774 IP 172.16.0.55 > 172.16.254.254: ICMP echo request, id 1, seq 35855, length 40
14:19:20.721167 IP 172.16.254.20 > 172.16.0.55: ICMP echo request, id 29701, seq 43522, length 40

How can i set routing and tell the VPN Server to route the packets from one VPN client to the other?

What i have tried is changing the servertype from Peer to Peer to Remote Access and enable Interclient communication. Then it is working.
But what i read is, that then i have no way to restrict traffic only between certain clients and all sites see each other which should not be the case.

What is the prefered setup for this szenario?

Thanks and best regards
Thomas

]]>https://forum.netgate.com/topic/152806/openvpn-routing-questionRSS for NodeWed, 20 May 2026 03:40:36 GMTWed, 22 Apr 2020 15:05:53 GMT60<![CDATA[Reply to OpenVPN routing question on Thu, 23 Apr 2020 14:21:33 GMT]]>I use CSO already.

Site A has a route entry for the remote site, rest is set by CSO

route 172.16.254.0 255.255.255.0;

Site B does not have any routes they are set by CSO

Server has this:

route 172.16.254.0 255.255.255.0 192.168.98.2;
route 172.16.0.0 255.255.254.0 192.168.98.3;

I need this, to get the packets back to the OpenVPN interface

CSO for Site A on server is this:

iroute 172.16.0.0 255.255.254.0;
ifconfig-push 192.168.98.2 255.255.254.0;

i need to set static IP's for the route entry in the previous step

CSO for Site B on server is this:

iroute 172.16.254.0 255.255.255.0;
push "route 172.16.0.0 255.255.254.0";
ifconfig-push 192.168.98.3 255.255.254.0;

reason for the difference of site A and B is that Site A have the Option "don't pull routes enabled". So instead of a push route in CSO, i have the route option on the client directly.

It is working like this.

However, I have the feeling that it should be possible without setting static tunel IP's.

If i use the remote network box, the routes that are added are then pointing all to the same tunnel.

Btw. is there any way to show the learned OpenVPN iroutes. The only way i found was via the logs which is a pain if you miss the correct moment.

]]>https://forum.netgate.com/post/907457https://forum.netgate.com/post/907457Thu, 23 Apr 2020 14:21:33 GMT<![CDATA[Reply to OpenVPN routing question on Thu, 23 Apr 2020 11:42:12 GMT]]>@ThomasWW said in OpenVPN routing question:

We expecting to have hundert or more clients in future.

So you have to go with an access server and set up CSO.

@ThomasWW said in OpenVPN routing question:

Downside is, that i have to define the gateway (tunnel IP of the client) in the route entries on the server.

With CSO that should not be needed. You can enter the clients network in the "Remote Networks" box to set the route.

@ThomasWW said in OpenVPN routing question:

Is there a possibility to tell the server, that packets not leaving tun interface on server and route directly to the correct vpn tunnel?
Should not openVPN getting this information from the iroute statement?

That's done by the Remote Networks in the CSO. But I don't know by now if packet filtering between clients is possible with that. You will have to try.

]]>https://forum.netgate.com/post/907402https://forum.netgate.com/post/907402Thu, 23 Apr 2020 11:42:12 GMT<![CDATA[Reply to OpenVPN routing question on Thu, 23 Apr 2020 08:14:13 GMT]]>Unfortunately we cannot setup 1 server per client. We expecting to have hundert or more clients in future.
Yes, remote networks are setup correctly.

I'm one step ahead and disable "client-client mode". Routing is working properly with additional steps.
Downside is, that i have to define the gateway (tunnel IP of the client) in the route entries on the server.
192.168.98.1 = tunnel IP server
192.168.98.2 = tunnel IP site A
192.168.98.3 = tunnel IP site B

route 172.16.254.0 255.255.255.0 192.168.98.2;
route 172.16.0.0 255.255.254.0 192.168.98.3;

AS tunnel IP's can change, now i need to assign static IP's to clients in client specific overrides with ifconfig-push.

Now traffic flows from client Site A through tunnel. On server it is send through tun interface to kernel and from kernel back to tun interface and through the other tunnel to Site B.

This looks not so efficient and have addition administrative overhead.
Is there a possibility to tell the server, that packets not leaving tun interface on server and route directly to the correct vpn tunnel?
Should not openVPN getting this information from the iroute statement?

]]>https://forum.netgate.com/post/907379https://forum.netgate.com/post/907379Thu, 23 Apr 2020 08:14:13 GMT<![CDATA[Reply to OpenVPN routing question on Wed, 22 Apr 2020 19:51:02 GMT]]>Are running only one server instance on Azure?
You should have one for each site to site connection.

Have you set the "Remote Networks" option?

]]>https://forum.netgate.com/post/907279https://forum.netgate.com/post/907279Wed, 22 Apr 2020 19:51:02 GMT