Override local OpenVPN while connecting to remote site
-
Hi,
I have two independent - yet similar configured - pfSense sites.
Let's say:
- Site-A
and
- Site-B
Hint: I do NOT intend to connect those sites with a Site-to-Site-VPN.
Furthermore, I would like to connect to each site from "outside" with OpenVPN on-demand.
Each site is configured fine for this, except one use case:
If I'm connected locally within one of both sites and try to establish an OpenVPN-Connection to the other site, I get "stuck" in the local net.
Connecting from mobile data (smartphone) or a third-party, non-pfSense local net does not bring up this issue.
I guess this might have to do with the mentioned each similar configured local nets of both sites.
Is there a "quick fix" for this?
Thanks in advance
Marco
-
@g3ck0
Ensure that your client config files includes:lport 0 -
@viragomann thanks for your immediate answer.
I'll check this out and let you know if this already did the trick ;)
-
Hmm I double checked this (see attachment) 
)...and lport 0 was definitely already set.
The issue still remains.
Any further suggestions? :)
-
@g3ck0 said in Override local OpenVPN while connecting to remote site:
If I'm connected locally within one of both sites and try to establish an OpenVPN-Connection to the other site, I get "stuck" in the local net.
To get it correctly, you're talking about establishing two connections from a single device (mobile) within your network or from pfSense?
-
@viragomann Hi,
Well, if I use mobile data from my smartphone it works without any issues, and therefore, this is not local but a third party net.
The issue only occurs if I'm connected with wifi with my smartphone / Macbook / whatever locally within one of those two sites (as a client of the pfSense)
-
@g3ck0
Some special outbound NAT settings on pfSense like "static port"? -
@viragomann I might not have touched the outbound NAT settings since the installation so these settings seem to be factory-default
-
@g3ck0 may I mention, as I said the two sites are similarly configured that on BOTH sites the LAN and the OPT1 have EACH the same local IP address range? Could this be an issue?
-
@g3ck0
Yes, this will prevent the second to add the route on the client, when establishing the second vpn and the connection might fail. But that should be the case as well, when connecting over a third party network. So it's not clear to me, why this only happens in you local network.Possibly sniffing the traffic on pfSense can shed some light.
-
I finally solved it.
The LAN subnet on both sites must not be identical.
After changing the LAN subnet on one of the two sites (so they differ) it works like a charme.
Further reading:
https://blog.matrixpost.net/pfsense-site-to-site-ipsec-vpn-same-subnet-on-each-site/