Can't access client LANs from servers on DigitalOcean private cloud network behind OpenVPN on pfSense
-
Hi all,
I'm hosting a few servers on DigitalOcean, and I have a droplet running pfSense that I'm using to control access to these servers through their virtual private cloud network. I've set up OpenVPN site-to-site SSL/TLS servers to connect each of our locations. These locations can access the servers on the VPC network, but I need to be able to reach the locations' LANs through them as well and it's not working. I suspect it's a routing issue somewhere between the servers and the pfSense droplet. I've been poking at this for a couple days trying things and I could really use some extra help.
Some details:
I followed the instructions in the pfSense docs for setting up a site-to-site SSL/TLS server; it connects just fine and I can access the servers through the locations' LANs
pfSense droplet is running community edition 2.7.0, sites are running either Netgate 4100s or 7100s, some running 23.05, others running 22.05. The droplet's LAN IP is 192.168.222.3, which is a dynamic assignment from DO. All the servers have 192.168.222.0/24 addresses
Example config, skipping the SSL/TLS part because that clearly works:
IPv4 tunnel network: 10.203.0.0/24
IPv4 local network(s): 192.168.222.0/24
IPv4 remote network(s): 192.168.102.0/24
Client Specific Override is configured, using the client cert's common name, the specific server for this site is selected under the server list, and 192.168.102.0/24 under the IPv4 Remote Networks. Do I need anything else here? I've tried setting the tunnel network, local networks, and adding routing through 192.168.222.3 here but nothing has worked so far.
Under Outbound NAT I've added a mapping for the LAN interface to the 192.168.102.0/24 network, with the NAT address set to the LAN address.
I've tried manually setting the route on the server to the LAN network and alternately to the tunnel network through the 222.3 address, that didn't work either. Any help would be greatly appreciated.
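Added example, not from the thread: a small Python model of the routing tables the post describes (DO server, pfSense droplet, OpenVPN tunnel, site router) using the thread's prefixes, a constructed server address and constructed node names, walked with longest-prefix matching to show where the server-to-site path breaks without a route for the site LAN via 192.168.222.3.

```python
"""Walk a packet hop by hop through the routing tables described in the thread
(DigitalOcean server -> pfSense droplet -> OpenVPN tunnel -> site router) with
longest-prefix matching, to show where the server-to-site path breaks when the
server lacks a route for the site LAN via the pfSense LAN address 192.168.222.3.
Tables are constructed for illustration, not taken from any real device."""
from ipaddress import ip_address, ip_network

# node -> list of (prefix, next_hop). next_hop is another node name or
# "connected" (deliver on a directly attached segment). Longest prefix wins.
SERVER_IP = "192.168.222.10"       # constructed DO server address
SITE_HOST = "192.168.102.10"       # constructed host on the site LAN
TABLES = {
    "server":  [("192.168.222.0/24", "connected"),
                ("0.0.0.0/0", "do_gateway")],       # DO default route
    "do_gateway": [],                                # no RFC1918 routes: packets are lost
    "pfsense": [("192.168.222.0/24", "connected"),
                ("10.203.0.0/24", "site"),           # tunnel network
                ("192.168.102.0/24", "site")],       # CSO remote network (iroute)
    "site":    [("192.168.102.0/24", "connected"),
                ("10.203.0.0/24", "pfsense"),
                ("192.168.222.0/24", "pfsense")],    # OpenVPN server's local network
}

def lookup(table, dst):
    """Longest-prefix match; returns next hop or None when nothing matches."""
    addr = ip_address(dst)
    hits = [(ip_network(p).prefixlen, nh) for p, nh in table if addr in ip_network(p)]
    return max(hits)[1] if hits else None

def trace(tables, start, dst, max_hops=8):
    """Return (delivered, path) following next hops from `start` toward `dst`."""
    node, path = start, [start]
    for _ in range(max_hops):
        nh = lookup(tables.get(node, []), dst)
        if nh is None:
            return False, path            # no route: dropped at this node
        if nh == "connected":
            return True, path             # dst is on this node's attached segment
        node = nh
        path.append(node)
    return False, path                    # loop or too many hops

def with_static_route(tables):
    """Copy of `tables` with the route the OP added on the server:
    192.168.102.0/24 via 192.168.222.3 (the pfSense droplet's LAN address)."""
    fixed = {k: list(v) for k, v in tables.items()}
    fixed["server"].insert(0, ("192.168.102.0/24", "pfsense"))
    return fixed

if __name__ == "__main__":
    for label, t in (("without route", TABLES), ("with route", with_static_route(TABLES))):
        print(label, "forward:", trace(t, "server", SITE_HOST),
              "return:", trace(t, "site", SERVER_IP))
```

This models routing decisions only; a platform-level drop of incoming traffic of the kind the last reply suspects would not show up here.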
-
@rootchick You have the same case as me; I am also experiencing this and so far I have not found a solution. When I enable my VPN (wireguard), I can reach the web app on the digital ocean server. But without enabling the VPN, I again cannot access my website.
-
@ontzuevanhussen said in Can't access client LANs from servers on DigitalOcean private cloud network behind OpenVPN on pfSense:
You have the same case as me; I am also experiencing this and so far I have not found a solution. When I enable my VPN (wireguard), I can reach the web app on the digital ocean server. But without enabling the VPN, I again cannot access my website.
Hi @ontzuevanhussen, I ended up working around it by setting up an OpenVPN server on each location's router, and initiating the connection for each from the server I needed to be able to have access to those networks. For whatever reason it works as an outgoing connection from DigitalOcean but not an incoming one. I think DigitalOcean must just be dropping the traffic. Anyway, it works this way and I am able to run my Ansible playbooks from my server on systems on these locations' LANs. Somewhat annoying but it works.