    Site-2-Site - Missing routes?

    peterLinux

      Followed these instructions
      https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html

      pfSense 2.6.0 - all up-to-date

      Working fine:
      Site A = OpenVPN site-2-site server A
      Site B = OpenVPN site-2-site client for A
      Installed ~ 1 yr ago

      Added last week:
      Site B = OpenVPN site-2-site server B
      Site C = OpenVPN site-2-site client for B

      Everything between A & B is still working as expected - no issues.

      For the new B-C connection:
      On the server side the OpenVPN Dashboard widget shows that the client is connected.
      On the client side the OpenVPN Dashboard widget shows that the server is connected (green arrow up),
      as expected.

      Ping results:

      • from the client (C) pfSense to the server pfSense works.

      • from the server (B) pfSense to the client pfSense FAILS.

      • from the client (C) pfSense to a printer on the server's side LAN works.

      • from the server (B) pfSense to a printer on the client's side LAN FAILS.

      • from a PC inside the client's network to the server's side LAN address FAILS.

      • from a PC inside the client's network to a printer on the server's side LAN FAILS.

      • from a PC inside the client's network to the virtual address (tunnel network) works.

      Looking in Status / OpenVPN and showing the routing table:
      There is a difference. On the working A-B connection I see a route for the client's (B) LAN net.
      This route seems to be missing on B for the connection to C.

      Is this a bug in pfSense?
      Can I re-generate this route / these routes?
      How to add this route manually when the server is up?
      (Can't recall adding any routes manually for the A-B connection)
      Where in pfSense can we see all the generated routes that are active?

      Jarhead @peterLinux

        @peterlinux In the OpenVPN config, make sure you enter all local networks on the server side.
        On the client side, enter all remote networks.
        If you want to get from C to A you'll have to add the tunnel (A to B) in the C remote networks also.

        peterLinux @Jarhead

          @jarhead

          From the instructions:

          Note: With remote access PKI configurations such as this example, routes and other configuration options are typically pushed from the server and thus not present in the client configuration.

          It works fine in the A - B setup.
          In the B - C setup we can do certain pings from C to B; the config is on B, so (part of?) it is applied and pushed, as far as I understand it.

          viragomann @peterLinux

            @peterlinux
            So did you configure a client specific override on the server?

            peterLinux @viragomann

              @viragomann Yes... for A-B, not for B-C (yet). Oh my... I looked over this the whole f*ing time.
              Hopefully this fixes it, thank you!

              viragomann @peterLinux

                @peterlinux
                If there is only a single client connected to the server, the CSO is in fact not necessary. But in this case you have to use a /30 tunnel network and set the "remote networks" on both sides, server and client.

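A small model of the server-side routing decision the thread ends on, added here as an illustration and not code from pfSense or from any poster: the server's "Remote networks" field produces OpenVPN `route` directives (a kernel route into the tunnel), while the client specific override's "Remote networks" field produces `iroute` (telling the OpenVPN daemon which connected client owns that subnet). The configs, subnets and the assumption that a /30 tunnel is emitted as a point-to-point `ifconfig` rather than a `server` directive are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample configs (assumed pfSense mapping, see lead-in):
# server "Remote networks"  -> `route` lines; CSO "Remote networks" -> `iroute` lines.
SERVER_B_MULTI = "server 10.0.8.0 255.255.255.0\nroute 192.168.30.0 255.255.255.0\n"
CSO_FOR_C = "iroute 192.168.30.0 255.255.255.0\n"
SERVER_B_P2P = "ifconfig 10.0.8.1 10.0.8.2\nroute 192.168.30.0 255.255.255.0\n"


def parse_nets(config_text, keyword):
    """Collect '<keyword> <network> <netmask>' lines as ip_network objects."""
    nets = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == keyword:
            nets.append(ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def is_multi_client(config_text):
    """A `server` directive means multi-client mode (one tunnel net, many peers).
    A /30 tunnel is assumed to be emitted as a point-to-point `ifconfig` instead."""
    return any(line.split()[:1] == ["server"] for line in config_text.splitlines())


def diagnose(server_config, cso_config, dest):
    """Trace a packet leaving server B's LAN towards `dest` on the client side.

    Returns one of:
      'no-kernel-route'    no `route` covers dest, the kernel never hands it to tun
      'dropped-by-openvpn' kernel handed it to the tunnel, but in multi-client mode
                           no client has an `iroute` for that subnet, so it is dropped
      'delivered'          the subnet is claimed via iroute, or the link is point-to-point
    """
    dest = ip_address(dest)
    if not any(dest in net for net in parse_nets(server_config, "route")):
        return "no-kernel-route"
    if not is_multi_client(server_config):
        return "delivered"          # single peer: everything in the tunnel goes to it
    if any(dest in net for net in parse_nets(cso_config, "iroute")):
        return "delivered"
    return "dropped-by-openvpn"     # the symptom in this thread: server -> client LAN fails
```

This reproduces the ping pattern in the first post: client-to-server traffic needs no `iroute`, so C can reach B, while B cannot reach C's LAN until the CSO is present or the tunnel is a /30.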