Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Routing between openvpn client and subnets accessible from openvpn server via wireguard site-to-site tunnel

    Scheduled Pinned Locked Moved WireGuard
    3 Posts 2 Posters 703 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jkv
      last edited by jkv

      Hi all

      I have 2 sites each with a pfsense edge. I've recently changed the site-to-site vpn between them form an IPSEC tunnel to a wireguard tunnel. @CMCDONALD - many thanks for your recent video guide on this (https://www.youtube.com/watch?v=2oe7rTMFmqc) - my site-to-site setup essentially follows this example.

      I sometimes connect to site 1 via an OpenVPN connection and before changing to wireguard I could reach the LAN on sites 1 and 2 from the OpenVPN connection to the site 1 pfsense box. Since the change, my OpenVPN connection to site 1 can only access the site 1 LAN (but not the site 2 LAN that is on the otherside of the WireGuard tunnel). The site 1 LAN can access the site 2 LAN just fine (and vice versa), but I can't figure out how to do the routing to access the site 2 LAN via the OpenVPN connection to site 1?

      I've checked the firewall connections and these make sense and the traffic from OpenVPN enters the WireGuard tunnel on site 1 but is never seen at site 2. I think this is a routing issue, so wondered it someone could give me a pointer on the routing config required? Previously IPSEC SPD handled this.

      My network layout and routes are per the following diagram:
      Untitled Diagram.drawio.png

      Thanks

      1 Reply Last reply Reply Quote 0
      • N
        netblues
        last edited by

        Pushing routes is not enough.
        You also need to tell the openvpn tunnel what are the "local" lans.
        As far as openvpn is concerned
        192.168.111.0 is "local"
        This is configured at the openvpn server
        You can look openvpn iroute command for more info.
        add 192.168.111.0 (and 98 too) and test

        081324aa-9bd5-4dd2-b619-4d95d0bf5ebc-image.png

        J 1 Reply Last reply Reply Quote 1
        • J
          jkv @netblues
          last edited by

          @netblues Thanks for the suggestion. As it happens I already had that bit right, but I stupidly overlooked including the 98 subnet as an allowed IP for the WireGuard tunnel - so problem solved! Thanks again.

          1 Reply Last reply Reply Quote 1
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.