remote access openvpn cannot access the remote site of the site-to-site openvpn setup
-
Hi, All:
I have site-to-site openvpn connection working between site-A and site-B. Any server in site-A can access any server in site-B and vice-versa.
Since working from home, I also setup remote access openvpn to access site-A, which also works fine. That is, I can access any servers in site-A. However, I cannot access any servers in site-B while using remote access openvpn with site-A.
To be more specific, if I use remote access openvpn to connect site-A and log into any server in site-A, I certainly can access site-B from the servers in site-A. However, I was not able to access site-B servers directly from my laptop at home even with remote access openvpn connected with site-A.
I don't have clue how to debug this issue and please help to instruct me or let me know what information is needed for you to narrow down the issue. Thanks!
-
Your Client VPN Server (site A) probably doesn't announce site B's nets as remote.
You could force all traffic from the Client (PC) through site A
Done on the Site A , Client OpenVPN Server
That would force all traffic (including internet traffic) through the remote VPN Server , and since site A can access Site B , you should be able to do the same.
Note: That might limit access to local nets (home nets)
/Bingo
-
@bingo600 Thanks a lot for your reply. By Client VPN Sever, I assume you meant my remote access VPN server, and yes, I have already checked that box.
Here is the diagram and some additional info.
If I tracert a site-B server from a server in site-A, say 172.18.30.222, below is the routing:
172.18.2.254 (which is the pfsense server)
10.2.105.2
172.18.30.222
If I tracert the same site-B server from home, below I got
10.0.5.1
request time out (that's it)
please let me know your thoughts, thanks a lot in advance!!!
-
Could be that the Site B doesn't know the route to your "Dial In VPN" on A.
In the LAN A VPN server , you have to announce your 10.0.5.0/24 as a
Remote network , so Site B knows it is "behind A".I see you are using a /24 topology in the Site2Site VPN , so i think that involves some "push" commands.
I'm always using a /30 topology for S2S , so i don't have any experience with those push's
To verify my theory ... (Missing route) on B
Do a Diagnostic --> Routes on Site B
And check if you have a route to 10.0.5.0/24 , i think it's missing.You could do the same on Site A , where i expect it to be present , and route out via the "Dial IN VPN" interface
/Bingo
-
@bingo600 Thank you very much!!! I made it work following your suggestions with a little changes. I added 10.0.5.0/24 as a local network (as opposed to the remote network) to site2site openvpn server at site A and then I can access site B from home directly now.
However, I have a follow up problem as shown in the updated diagram below.
I actually also setup a remote access openvpn server at site-B too. Although it works for accessing servers in site-B, I can not access site-A servers directly from home as shown in the diagram below. I have already added 192.168.30.0/24 as remote network for site2site openvpn server. And in Diagnostic->Route of the site2site openvpn server, I can see destination 192.168.30.0/24 with 10.2.105.2 as gateway too. Any clues? Thanks.
-
@be7taname
Sorry about the local/remote route confusion ... Glad you got it to work.Re Home-D Clients , that can't access Lan-A servers.
Client D
If you have done the "Force all ipv4" traffic , on the LanB (Client VPN) , the Client routing should be fine.Server B (S2S VPN server)
You prob. have to set up 192.168.30.0/24 as OpenVPN local network on LAN-B Server , in order to get the LAN-A server to see it as "remote via B".You have to check on Lan-A pfsense if it has a route to 192.168.30.0/24 via Openvpn interface (Lan-B)
I'm not sure when the OpenVPN routes gets annpounced , but i think on "start" , meaning you prob. have to "restart" your openvpn server(s) , where you have made any changes.
-
@bingo600
To be accurate, at site-B, it is not a S2S VPN server, it is a S2S VPN client. The S2S VPN server is at site-A. And the S2S VPN client setting doesn't have IPv4 Local networks. It has only IPv4 Remote networks. Below is a summary of my settings regarding to Local / Remote Networks.For S2S VPN server at site-A:
Local networks(s): 10.0.5.0/24 in addition to LAN-A
Remote network(s): 192.168.30.0/24 in addition to LAN-BFor S2S VPN client at site-B:
Remote network(s): LAN-A
Local network(s): No such options in the settingsPlease advice if I miss anything. Thanks.
-
That should work , but i'm not sure if those announcements work , now that you have made a /24 vpn topology.
What does diagnostics --> Routes say on SiteA , and on Site B ?
192.168.30.0/24
shouldmust be present in both routetables.On A .... Via B (S2S VPN tunnel)
On B ... Via D (B's home client net)
But i think stephenw10 mentioned something about those "Remote networks" not working as expected in the VPN definitions , if not using a /30 topology.
There might be some hint here
https://docs.netgate.com/pfsense/en/latest/troubleshooting/openvpn-iroute.htmlEdit:
I do assume you already have made sure there are no "blocked" entries in any of the firewalls ... AKA you have permitted the ip nets to communicate with each other. -
@bingo600
diagnostics --> Routes looks good.on A ... Via B (S2S VPN tunnel)
Destination of 192.168.30.0/24 has 10.2.105.2 as Gateway, which is also LAN-B's Gatewayon B ... Via D (B's home client net)
Destination of 192.168.30.0/24 has 192.168.30.2 as GatewayDoes it look reasonable for you? And no, I don't have blocked entries in the firewalls.
I do have trouble in understanding the linked article. It seems to be related to S2S OpenVPN connection and since my S2S OpenVPN connection is good, it doesn't seem to apply to my situation. Do I understand it correctly?
-
So it seems like your routes are in place.
You say you can ping from D to a Server on B , but not a server on A.
Can you ping from D:
10.2.105.1
and
10.2.105.2
-
@bingo600
This is very interesting.on Site-B, diagnostic->routes shows that the Gateway for LAN-A subnet is 10.2.105.1.
I tried to ping 10.2.105.1 from Home-D so many times, it never worked.
I never ping 10.2.105.2 from D before. It actually works.I thought from D the traffics have to go through 10.2.105.1 before reaching 10.2.105.2, I was seriously wrong then. Please advice. Thanks.
-
If you can't ping 10.2.105.1 (Site A OpenVPN interface) , from D.
Then something is "fishy" (like A doesn't know the correct route to D ... via B)Can you ping (from A)
192.168.30.1
and
192.168.30.2 (if that is what your D client gets)IP traffic always goes via "next hop" (what the route table points at)
A packet from D (192.168.30.2) to A goes (passes) ... Should pass
D -> B -> B -> A 192.168.30.2 -> 192.168.30.1 -> 10.2.105.2 -> 10.2.105.1 -
@bingo600
from site-A, I cannot ping either 192.168.30.1 or 192.168.30.2 (and yes, that is what the D client gets).To summarize the experiments,
- when send traffic from D to A, it seems to lost at 10.2.105.1 as shown below (xxx means not working).
192.168.30.2 ----> 192.168.30.1 ----> 10.2.105.2 --xxx--> 10.2.105.1 - when send traffic from A to D (to be specific: tracert 192.168.30.1 from a server at A),
the packet seems not to go anywhere, just stopped at pfsense server.
But I do have site-A diagnostics->routes showing that for destination 192.168.30.0/24, the gateway is 10.2.105.2.
What do you think could be the issue? Thanks!
- when send traffic from D to A, it seems to lost at 10.2.105.1 as shown below (xxx means not working).
-
I think site A can not forward packets to 192.168.30.0/24
Or they are being blocked somewhereYou have previously written that the route looks good on A
on A ... Via B (S2S VPN tunnel) Destination of 192.168.30.0/24 has 10.2.105.2 as Gateway, which is also LAN-B's GatewayAnd that you see no blocks in the firewalls.
So you have permitted all nets on the A-B OpenVPN interfaces.Based on that "it should" work
I'm out of ideas here
