Extra routing options for OpenVPN clients
-
So I have this affiliate business remote office with a pfsense router (172.16.69.0/24) that's connected to my HQ (10.3.0.0/24) via an OpenVPN site2site link. This provides the remote office with connectivity to the Avaya telephony control unit among other things.
Now I have a remote worker associated with that remote office currently working from home and using an .ovpn key generated by their pfsense box. It connects fine but his PC cannot see the VoIP network in our HQ. What do I need to do to enable this? I tried manually adding a static route to his PC but it did not do anything.
Am I right in thinking I need to tell the remote office pfsense to make its own VPN clients aware of the HQ's VoIP network? And if yes, how do I go about it?
I have added the HQ VoIP network (10.3.0.0/24) to the "local networks" option on the OpenVPN server of the remote office pfsense box.
Also added an option to: push "route 10.3.0.0 255.255.255.0";
-
Don't add static routes for OpenVPN connections!
I have added the HQ VoIP network (10.3.0.0/24) to the "local networks" option on the OpenVPN server of the remote office pfsense box.
This is fine.
But remove this, since it does the same:
Also added an option to: push "route 10.3.0.0 255.255.255.0";
Additionally you need to add the access server tunnel network (remote office) in the HQ OpenVPN settings to the "Remote Networks" to add a route to the road warrior client pointing to the remote site.
-
Sooo, remove the route from the local networks bit and keep the push route option?
@viragomann said in Extra routing options for OpenVPN clients:
Additionally you need to add the access server tunnel network (remote office) in the HQ OpenVPN settings to the "Remote Networks" to add a route to the road warrior client pointing to the remote site.
On the HQ OVPN site2site server side config, add the address of the tunnel network between the remote office and the road warrior's PC?
-
@morgenstern said in Extra routing options for OpenVPN clients:
Sooo, remove the route from the local networks bit and keep the push route option?
In a site-to-site OpenVPN there is no need to push routes. You can simply state the remote networks in the "Remote Networks" box on both endpoints.
Even pushing routes to the client would be possible.
On the HQ OVPN site2site server side config, add the address of the tunnel network between the remote office and the road warrior's PC?
Exactly. When the road warrior client accesses the HQ, it uses its interface IP, on which the traffic is passed out. So this is the OpenVPN VIP.
So the HQ sees this VIP. To set the route for this to direct responses back to the branch you need to add the tunnel in the OpenVPN settings.
-
Ha, that worked!
I also had to adjust the OpenVPN fw rule to allow the VoIP traffic from the road warrior tunnel network to pass through the HQ to Remote office tunnel.
Wonderful! Thank you muchly sir!
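-
An added illustration of the fix the thread arrives at (not code from any poster or from pfSense): a small routing model showing that the road warrior's request reaches HQ either way, but the reply only comes back once HQ has a route for the road-warrior tunnel network via the remote office. The tunnel network 192.0.2.0/24, the host addresses, the node names and HQ's default route to "wan" are constructed assumptions; only 10.3.0.0/24 and 172.16.69.0/24 come from the thread.

```python
import ipaddress

# From the thread: HQ VoIP network and remote office LAN.
HQ_LAN = ipaddress.ip_network("10.3.0.0/24")
OFFICE_LAN = ipaddress.ip_network("172.16.69.0/24")
# Constructed placeholders (not on the page): road-warrior tunnel network,
# the client's tunnel address, and a phone-system address at HQ.
RW_TUNNEL = ipaddress.ip_network("192.0.2.0/24")
CLIENT_IP = "192.0.2.6"
PBX_IP = "10.3.0.10"
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def next_hop(routes, dst):
    """Longest-prefix match over (network, next_hop) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, hop) for net, hop in routes if addr in net]
    return max(hits)[1] if hits else None

def trace(tables, start, dst, max_hops=8):
    """Follow next hops until a node delivers locally or has no route."""
    path = [start]
    while len(path) <= max_hops:
        hop = next_hop(tables.get(path[-1], []), dst)
        if hop is None or hop == path[-1]:
            break
        path.append(hop)
    return path

def build_tables(hq_has_rw_tunnel_route):
    """Routing tables of the three endpoints; 'wan' is HQ's assumed default gateway."""
    hq = [(HQ_LAN, "hq"), (OFFICE_LAN, "office"), (DEFAULT, "wan")]
    if hq_has_rw_tunnel_route:  # tunnel network listed in HQ's "Remote Networks"
        hq.append((RW_TUNNEL, "office"))
    return {
        # The client learns the HQ route from "Local Networks" on the office server.
        "client": [(ipaddress.ip_network(CLIENT_IP + "/32"), "client"),
                   (HQ_LAN, "office")],
        "office": [(OFFICE_LAN, "office"), (HQ_LAN, "hq"), (RW_TUNNEL, "client")],
        "hq": hq,
    }

def round_trip(hq_has_rw_tunnel_route):
    """Return (request path client -> PBX, reply path HQ -> client)."""
    tables = build_tables(hq_has_rw_tunnel_route)
    return trace(tables, "client", PBX_IP), trace(tables, "hq", CLIENT_IP)

if __name__ == "__main__":
    for fixed in (False, True):
        out, back = round_trip(fixed)
        print(f"HQ route to tunnel net: {fixed}  request: {out}  reply: {back}")
```

The model covers routing only; the firewall rule on the OpenVPN interface mentioned in the last post still has to permit the traffic.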