OpenVPN routing question



  • Hi everyone,
    I have a problem with routing traffic through OpenVPN. After days of reading and testing, I am posting this and hope someone can help. I think I am almost done; there is just a small piece missing.

    We have a pfSense with an OpenVPN server (Azure Cloud). It is located in the cloud and should only connect all VPN clients.
    One pfSense as OpenVPN client (Site A)
    One pfSense as OpenVPN client (Site B)
    More sites with OpenVPN clients will be added in the future.
    Not all sites should be able to communicate with each other.

    LAN 172.16.0.0/23 <----> pfsense site A ----> pfsense Site C (VPN Server) <---- pfsense site B <----> LAN 172.16.254.0/24

    Clients in Site A need to connect to clients in Site B
    Clients in Site B need to connect to clients in Site A

    On the server in the cloud there is no LAN which needs to be accessible. This server should just connect the VPN tunnels from all clients.

    I start a ping from the LAN of site A to a client in site B and vice versa.

    What I see is that on the VPN server the ICMP packets are seen on the tunnel interface coming from both ends, but going out the default gateway to the LAN.

    This is the ovpns1 interface:

    13:29:56.406750 IP 172.16.254.20 > 172.16.0.55: ICMP echo request, id 29701, seq 24576, length 40
    13:30:00.070629 IP 172.16.0.55 > 172.16.254.254: ICMP echo request, id 1, seq 35209, length 40
    
    

    and this is the traffic leaving the local LAN interface (hn0):

    14:19:20.597774 IP 172.16.0.55 > 172.16.254.254: ICMP echo request, id 1, seq 35855, length 40
    14:19:20.721167 IP 172.16.254.20 > 172.16.0.55: ICMP echo request, id 29701, seq 43522, length 40
    
    

    How can I set up routing and tell the VPN server to route the packets from one VPN client to the other?

    What I have tried is changing the server type from Peer to Peer to Remote Access and enabling inter-client communication. Then it is working.
    But what I read is that then I have no way to restrict traffic to only certain clients, and all sites see each other, which should not be the case.

    What is the preferred setup for this scenario?

    Thanks and best regards
    Thomas



  • Are you running only one server instance on Azure?
    You should have one for each site-to-site connection.

    Have you set the "Remote Networks" option?



  • Unfortunately we cannot set up one server per client. We are expecting to have a hundred or more clients in the future.
    Yes, remote networks are set up correctly.

    I'm one step ahead and disabled "client-client mode". Routing is working properly with additional steps.
    The downside is that I have to define the gateway (tunnel IP of the client) in the route entries on the server.
    192.168.98.1 = tunnel IP server
    192.168.98.2 = tunnel IP site A
    192.168.98.3 = tunnel IP site B

    route 172.16.254.0 255.255.255.0 192.168.98.2;
    route 172.16.0.0 255.255.254.0 192.168.98.3;
    

    As tunnel IPs can change, I now need to assign static IPs to clients in client-specific overrides with ifconfig-push.

    Now traffic flows from client Site A through the tunnel. On the server it is sent through the tun interface to the kernel and from the kernel back to the tun interface and through the other tunnel to Site B.

    This does not look very efficient and has additional administrative overhead.
    Is there a possibility to tell the server that packets should not leave the tun interface on the server and route directly to the correct VPN tunnel?
    Shouldn't OpenVPN get this information from the iroute statement?



  • @ThomasWW said in OpenVPN routing question:

    We are expecting to have a hundred or more clients in the future.

    So you have to go with an access server and set up CSO.

    @ThomasWW said in OpenVPN routing question:

    The downside is that I have to define the gateway (tunnel IP of the client) in the route entries on the server.

    With CSO that should not be needed. You can enter the clients network in the "Remote Networks" box to set the route.

    @ThomasWW said in OpenVPN routing question:

    Is there a possibility to tell the server that packets should not leave the tun interface on the server and route directly to the correct VPN tunnel?
    Shouldn't OpenVPN get this information from the iroute statement?

    That's done by the Remote Networks in the CSO. But I don't know offhand whether packet filtering between clients is possible with that. You will have to try.



  • I use CSO already.

    Site A has a route entry for the remote site; the rest is set by CSO:

    route 172.16.254.0 255.255.255.0;
    

    Site B does not have any routes; they are set by CSO.

    Server has this:

    route 172.16.254.0 255.255.255.0 192.168.98.2;
    route 172.16.0.0 255.255.254.0 192.168.98.3;
    

    I need this to get the packets back to the OpenVPN interface.

    CSO for Site A on server is this:

    iroute 172.16.0.0 255.255.254.0;
    ifconfig-push 192.168.98.2 255.255.254.0;
    

    I need to set static IPs for the route entry in the previous step.

    CSO for Site B on server is this:

    iroute 172.16.254.0 255.255.255.0;
    push "route 172.16.0.0 255.255.254.0";
    ifconfig-push 192.168.98.3 255.255.254.0;
    

    The reason for the difference between site A and B is that Site A has the option "don't pull routes" enabled. So instead of a push route in the CSO, I have the route option on the client directly.

    It is working like this.

    However, I have the feeling that it should be possible without setting static tunnel IPs.

    If I use the remote network box, the routes that are added all point to the same tunnel.

    Btw., is there any way to show the learned OpenVPN iroutes? The only way I found was via the logs, which is a pain if you miss the correct moment.
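    On the last question: an OpenVPN server writes its internal routing table, the tunnel addresses from ifconfig-push plus the networks from iroute, to the file named by its status directive (and prints the same for the status command on the management interface), in a ROUTING TABLE section. The Python script below is an added example, not code from the thread or from pfSense: it parses that table from a constructed status dump in the version 1 format (and the one-record-per-line ROUTING_TABLE entries of status versions 2 and 3), reports which declared iroutes are absent, and answers which client the hub would hand a given destination to, using the same longest-prefix lookup the daemon does. The sample hosts, common names and timestamps are constructed; siteB's iroute is deliberately missing from the sample, which is what you would see if the override's CN did not match the client certificate or the client was not connected.

```python
"""Show the routes an OpenVPN server has learned from ifconfig-push/iroute
by reading its --status file, and cross-check them against the iroutes
declared in the client-specific overrides.

Assumptions (not from the thread): the common names, real addresses and
timestamps below are constructed; siteB's iroute is intentionally absent.
"""
import ipaddress

# Constructed --status-version 1 dump (field layout as written by OpenVPN).
SAMPLE_STATUS_V1 = """\
OpenVPN CLIENT LIST
Updated,Mon Jan  1 13:30:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
siteA,203.0.113.10:34567,1234,5678,Mon Jan  1 13:00:00 2024
siteB,198.51.100.20:45678,2345,6789,Mon Jan  1 13:05:00 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.98.2,siteA,203.0.113.10:34567,Mon Jan  1 13:29:50 2024
172.16.0.0/23,siteA,203.0.113.10:34567,Mon Jan  1 13:29:50 2024
192.168.98.3,siteB,198.51.100.20:45678,Mon Jan  1 13:29:58 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

# What the overrides on the hub declare (constructed, mirrors the thread's CSOs).
DECLARED_IROUTES = {"siteA": ["172.16.0.0/23"], "siteB": ["172.16.254.0/24"]}


def learned_routes(status_text):
    """Return {common_name: [virtual address or network, ...]} from a status dump."""
    routes = {}
    in_table = False
    for raw in status_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Status versions 2/3: one self-describing record per line
        # (version 3 separates fields with tabs instead of commas).
        if line.startswith("ROUTING_TABLE"):
            fields = line.replace("\t", ",").split(",")
            routes.setdefault(fields[2], []).append(fields[1])
            continue
        # Status version 1: a section introduced by 'ROUTING TABLE'.
        if line == "ROUTING TABLE":
            in_table = True
            continue
        if in_table:
            if line in ("GLOBAL STATS", "END"):
                in_table = False
                continue
            fields = line.split(",")
            if fields[0] == "Virtual Address":   # column header
                continue
            routes.setdefault(fields[1], []).append(fields[0])
    return routes


def missing_iroutes(status_text, declared):
    """{cn: [declared networks absent from the server's table]}; an absent
    iroute means the client is not connected or its override did not apply."""
    learned = learned_routes(status_text)
    missing = {}
    for cn, nets in declared.items():
        have = {ipaddress.ip_network(v, strict=False) for v in learned.get(cn, [])}
        gone = [n for n in nets if ipaddress.ip_network(n) not in have]
        if gone:
            missing[cn] = gone
    return missing


def owner_of(status_text, dst):
    """Which connected client the hub would hand a packet for `dst` to:
    longest-prefix match over the learned table, None if no entry matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for cn, vaddrs in learned_routes(status_text).items():
        for v in vaddrs:
            net = ipaddress.ip_network(v, strict=False)
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (cn, net)
    return best[0] if best else None


if __name__ == "__main__":
    for cn, vaddrs in learned_routes(SAMPLE_STATUS_V1).items():
        print(f"{cn}: {', '.join(vaddrs)}")
    print("missing iroutes:", missing_iroutes(SAMPLE_STATUS_V1, DECLARED_IROUTES))
    for dst in ("172.16.0.55", "172.16.254.254"):
        print(f"{dst} -> {owner_of(SAMPLE_STATUS_V1, dst)}")
```

    Run against a real status file, the missing-iroute report is the quickest way to tell "the route is in the override but the daemon never learned it" from a firewall or kernel-route problem, and owner_of shows whether a destination like 172.16.254.254 would be handed to a client at all or, as in the sample, has no owner and is simply dropped or sent back to the kernel.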

