Netgate Discussion Forum

    Routing between roadwarrior VPN and WireGuard tunnel

    Routing and Multi WAN
    1 Posts 1 Posters 366 Views

      Bart van Hest

      Hi guys,

      New pfSense user here.
      We, as a company, are preparing for a move to another location and we are re-doing our IT infrastructure to get rid of several old physical servers and a lot of legacy. For the new location we bought a Netgate 6100 router currently running the 23.05-RELEASE pfSense+ software and moved services to servers hosted in a datacenter.
      I asked for a TAC Pro subscription, but I do not have it yet, so I hope you guys can help me with this routing issue.

      Our basic setup is not (yet) that complicated:

      • Local on-premise LAN, 172.16.100.0/24 network.
      • Servers hosted in a datacenter, each of them connected as a WireGuard peer in a 172.16.130.0/24 network.
      • Road-warrior VPN to support remote workers. I have currently set up OpenVPN on a 192.168.150.0/24 network, IPv4 only to keep things simple. I temporarily chose the 192.168.x.x IP range to make sure that everybody knows that it is unstable test stuff. Later on this will be moved into the 172.16.x.x range.
        The remote clients should be able to access the 172.16.100.0 and 172.16.130.0 networks; other generic Internet traffic should not pass over the VPN.

      Now, LAN clients can access both local 172.16.100.x resources and 172.16.130.x resources without issues.
      However, remote OpenVPN clients can access 172.16.100.x resources without issues, but they are unable to connect to machines in the 172.16.130.0/24 network. As a test I also set up IPsec, with the same results (172.16.100.x reachable, 172.16.130.x unreachable).

      In the OpenVPN config I set up 192.168.150.0/24 as the tunnel network, unchecked 'force all client-generated traffic through the tunnel', and tried both 172.16.0.0/16 and 172.16.100.0/24,172.16.130.0/24 as the 'IPv4 local networks'.

      Under Firewall/Rules/OpenVPN I have a single 'pass all' rule with source 192.168.150.0/24 and destination Any. The gateway in that rule is set to 'Default', which should mean 'use system routing table'.

      Remote PC connected over OpenVPN routing table:

      PS C:\Users\Bart van Hest> route  print
      ===========================================================================
      Interface List
       75...00 ff a4 24 f9 ff ......TAP-Windows Adapter V9 for OpenVPN Connect
       31...0a 00 27 00 00 1f ......VirtualBox Host-Only Ethernet Adapter
       30...04 d9 f5 d1 e1 f2 ......Realtek Gaming GbE Family Controller #3
       81...........................OpenVPN Data Channel Offload
       22...40 74 e0 65 58 c5 ......Microsoft Wi-Fi Direct Virtual Adapter
       28...42 74 e0 65 58 c4 ......Microsoft Wi-Fi Direct Virtual Adapter #2
       46...40 74 e0 65 58 c4 ......Intel(R) Wireless-AC 9260 160MHz #2
       37...40 74 e0 65 58 c8 ......Bluetooth Device (Personal Area Network) #2
        1...........................Software Loopback Interface 1
       63...00 15 5d 75 2c 10 ......Hyper-V Virtual Ethernet Adapter
      ===========================================================================
      
      IPv4 Route Table
      ===========================================================================
      Active Routes:
      Network Destination        Netmask          Gateway       Interface  Metric
                0.0.0.0          0.0.0.0      192.168.0.3     192.168.0.50     25
            89.33.65.46  255.255.255.255      192.168.0.3     192.168.0.50    281
              127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
              127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
        127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
           172.16.100.0    255.255.255.0    192.168.150.1    192.168.150.2    257
           172.16.130.0    255.255.255.0    192.168.150.1    192.168.150.2    257
           172.31.208.0    255.255.240.0         On-link      172.31.208.1   5256
           172.31.208.1  255.255.255.255         On-link      172.31.208.1   5256
         172.31.223.255  255.255.255.255         On-link      172.31.208.1   5256
            192.168.0.0    255.255.255.0         On-link      192.168.0.50    281
           192.168.0.50  255.255.255.255         On-link      192.168.0.50    281
          192.168.0.255  255.255.255.255         On-link      192.168.0.50    281
           192.168.56.0    255.255.255.0         On-link      192.168.56.1    281
           192.168.56.1  255.255.255.255         On-link      192.168.56.1    281
         192.168.56.255  255.255.255.255         On-link      192.168.56.1    281
          192.168.150.0    255.255.255.0         On-link     192.168.150.2    257
          192.168.150.2  255.255.255.255         On-link     192.168.150.2    257
        192.168.150.255  255.255.255.255         On-link     192.168.150.2    257
              224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
              224.0.0.0        240.0.0.0         On-link      192.168.56.1    281
              224.0.0.0        240.0.0.0         On-link      192.168.0.50    281
              224.0.0.0        240.0.0.0         On-link      172.31.208.1   5256
              224.0.0.0        240.0.0.0         On-link     192.168.150.2    257
        255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        255.255.255.255  255.255.255.255         On-link      192.168.56.1    281
        255.255.255.255  255.255.255.255         On-link      192.168.0.50    281
        255.255.255.255  255.255.255.255         On-link      172.31.208.1   5256
        255.255.255.255  255.255.255.255         On-link     192.168.150.2    257
      ===========================================================================
      

      Routes on the pfSense:

      default	89.33.65.33	UGS	16	1500	ix3	
      89.33.65.32/28	link#8	U	3	1500	ix3	
      89.33.65.34	link#10	UH	10	16384	lo0	
      89.33.65.35	link#10	UH	11	16384	lo0	
      89.33.65.39	link#10	UH	13	16384	lo0	
      89.33.65.40	link#10	UH	14	16384	lo0	
      89.33.65.44	link#10	UH	15	16384	lo0	
      89.33.65.46	link#10	UHS	5	16384	lo0	
      127.0.0.1	link#10	UH	4	16384	lo0	
      172.16.100.0/24	link#1	U	8	1500	igc0	
      172.16.100.254	link#10	UHS	9	16384	lo0	
      172.16.130.0/24	link#13	U	1	1500	tun_wg0	
      172.16.130.254	link#10	UHS	2	16384	lo0	
      192.168.1.0/24	link#4	U	6	1500	igc3	
      192.168.1.1	link#10	UHS	7	16384	lo0	
      192.168.150.0/24	link#14	U	17	1500	ovpns1	
      192.168.150.1	link#10	UHS	18	16384	lo0
      

      (We do have multiple external IP addresses for now, where the .46 is used for LAN/internet stuff. The others are mapped using 1:1 NAT to existing servers that will disappear when we move. I do not think this is relevant to the current problem.)

      When I start a tcpdump -i wg0 icmp on 172.16.130.5 and run a ping 172.16.130.5 from the OpenVPN-connected PC I see nothing, so I suspect that the packets are simply not routed from the ovpns1 interface to the tun_wg0 interface. I do see the requests and replies when I start the ping from a LAN-attached machine.

      I have also tried an IPsec/IKEv2 mobile VPN according to the tutorial to have a bit of comparison, with the same results. 172.16.100.x is perfectly reachable, 172.16.130.x is not.

      I have a gut feeling that I have to assign OPTx interfaces to the ovpns1/tun_wg0 network ports and then do something with routing/NAT, but this is where I get stuck.
      Can somebody point me in the right direction?

      Best regards,
      Bart van Hest

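
      A check worth running in the situation the post describes, added here as an example and not code from the post, from Netgate or from the WireGuard project: the pfSense routing table and the routes pushed to the OpenVPN client both look right, yet tcpdump on the server's wg0 sees nothing. WireGuard's cryptokey routing behaves exactly like that when a source address is not covered: each peer's AllowedIPs is both the outbound routing table (longest prefix match on the destination picks the peer) and an inbound filter (a decrypted packet is dropped unless its source address maps back to the peer it came from), and a packet dropped by that filter is never handed to wg0. Unless outbound NAT rewrites them, packets from road-warrior clients enter the tunnel with a 192.168.150.x source, so the pfSense peer entry on every datacenter server has to list 192.168.150.0/24 alongside 172.16.100.0/24. The script below models that lookup. Its configs are constructed from the post's address plan with placeholder keys; the pfSense side is written in the same wg-quick text form for simplicity even though the package is configured in the GUI; and the `# name` comment used to label a peer is a convention of this example only, which WireGuard itself ignores.

```python
"""Model WireGuard cryptokey routing for an OpenVPN-client -> WireGuard-peer flow.

Added example, not code from the forum post, Netgate or WireGuard.  AllowedIPs is
both the outbound routing table (longest prefix match on the destination picks
the peer) and an inbound source filter (a decrypted packet is dropped unless its
source IP maps back to the peer it arrived from); such a packet never reaches wg0.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    allowed_ips: list = field(default_factory=list)


def parse_wg_conf(text):
    """Collect AllowedIPs per [Peer] from a wg-quick style config.
    Assumed here only: a '# name' comment inside a [Peer] section names the peer."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            current = None
            if line.strip("[]").lower() == "peer":
                current = Peer("peer%d" % (len(peers) + 1))
                peers.append(current)
        elif current is not None and line.startswith("#"):
            current.name = line.lstrip("#").strip()
        elif current is not None:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "allowedips":
                for cidr in value.split(","):
                    current.allowed_ips.append(ipaddress.ip_network(cidr.strip(), strict=False))
    return peers


def lookup_peer(peers, address):
    """Longest-prefix match of one address across every peer's AllowedIPs."""
    addr = ipaddress.ip_address(address)
    best, best_len = None, -1
    for peer in peers:
        for net in peer.allowed_ips:
            if addr in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def outbound_peer(peers, dst):
    """Name of the peer that gets a packet for dst, or None (no route: dropped)."""
    peer = lookup_peer(peers, dst)
    return peer.name if peer else None


def inbound_accepted(peers, from_peer, src):
    """Is a decrypted packet from from_peer with source src handed to wg0?"""
    return outbound_peer(peers, src) == from_peer


def check_roundtrip(pf, srv, client_ip, server_ip, pf_name="pfsense", srv_name="server-a"):
    """Walk an echo request and its reply through both AllowedIPs tables.
    Returns ordered (step, ok) pairs; the first False is where the flow dies."""
    return [
        ("pfSense out: dst %s -> %s" % (server_ip, srv_name),
         outbound_peer(pf, server_ip) == srv_name),
        ("server in: src %s from %s" % (client_ip, pf_name),
         inbound_accepted(srv, pf_name, client_ip)),
        ("server out: dst %s -> %s" % (client_ip, pf_name),
         outbound_peer(srv, client_ip) == pf_name),
        ("pfSense in: src %s from %s" % (server_ip, srv_name),
         inbound_accepted(pf, srv_name, server_ip)),
    ]


def first_failure(steps):
    """Name of the first failing step, or None when the whole round trip passes."""
    return next((step for step, ok in steps if not ok), None)


# Constructed configs using the post's address plan; keys are placeholders.
PFSENSE_CONF = """
[Peer]
# server-a
PublicKey = PLACEHOLDER
AllowedIPs = 172.16.130.5/32
"""
SERVER_CONF_BEFORE = """
[Peer]
# pfsense
PublicKey = PLACEHOLDER
AllowedIPs = 172.16.130.254/32, 172.16.100.0/24
"""
# Same peer entry with the OpenVPN tunnel network added to its AllowedIPs.
SERVER_CONF_AFTER = SERVER_CONF_BEFORE.replace(
    "172.16.100.0/24", "172.16.100.0/24, 192.168.150.0/24")

if __name__ == "__main__":
    pf = parse_wg_conf(PFSENSE_CONF)
    for label, conf in (("before", SERVER_CONF_BEFORE), ("after", SERVER_CONF_AFTER)):
        steps = check_roundtrip(pf, parse_wg_conf(conf), "192.168.150.2", "172.16.130.5")
        print(label + ":", first_failure(steps) or "all four checks pass")
```

      With the "before" config the walk stops at the server's inbound check for source 192.168.150.2; with the tunnel network added it passes all four hops. On a Linux server `wg show wg0 allowed-ips` prints the live table the script models, and with wg-quick the added AllowedIPs prefix also installs the kernel route for 192.168.150.0/24 via wg0 that the reply path needs. The pfSense side already has the outbound hop covered by the static route for 172.16.130.0/24 via tun_wg0 shown in the post, and the per-server Allowed IPs entries must keep covering each server address for the replies to be accepted.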
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.