Openvpn site to site problem
I connect my pfsense ovpn client to my ovpn pfsense server without problems. The problem I have is I can't get computers connected on the local subnet (192.168.1.0) to communicate with resources over the VPN (on the 192.168.2.0 subnet). BUT I can ping those resources right from the OVPN client interface of pfsense.
Local subnet 192.168.1.0 Local subnet 192.168.2.0
OVPN CLIENT OVPN SERVER
192.168.99.6 G/W: 192.168.99.5 192.168.99.1
I've tried specifiing static routes that look like this
G/W: 192.168.99.6 (or 192.168.99.5) tried both
Still no luck… any ideas?
To clarify my problem
how do I get my local subnet to be able to ping the remote subnet over the tunnel knowing that I can ping the remote subnet from the tunnel interface itself.
Assuming that this is a PSK setup:
You need to add route commands to both sides for the subnet on the other side.
(in the form of: "route 192.168.1.0 255.255.255.255" / "route 192.168.2.0 255.255.255.0")
And read a few of the threads in this forum.
(This is like the 10th time this exact issue has come up in the last month alone).
so this is where I get confused.
Where do I put these routes? In the server config? or the client config or both?
so on the client config under custom options I would add
route 192.168.2.0 255.255.255.0
and on the server config
route 192.168.1.0 255.255.255.0
New error now when specifing route command
Nov 11 16:08:54 openvpn: Use –help for more information.
Nov 11 16:08:54 openvpn: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_server1.conf:30: route 192.168.1.0 255.255.255.0 (2.0.6)
Nov 11 16:08:53 openvpn: SIGTERM[hard,] received, process exiting
Nov 11 16:08:52 openvpn: /etc/rc.filter_configure tun1 1500 1544 192.168.99.1 192.168.99.2 init
Nov 11 16:08:52 openvpn: event_wait : Interrupted system call (code=4)
Yes you put that into the "custom options" field.
Alternatively you can just specify the remote subnet in the "Remote network" field (in normal CIDR notation).
In which field did you put the route command?
You wrote that you tried to add static routes.
Do you have that still there?
Thank you for your help so far. To answer :
I deleted the static routes from my attempts before.
I add in the custom options field on client
"route 192.168.2.0 255.255.255.0" and systems logs > openvpn pops the above mentioned error
I add in the custom options field on server
"route 192.168.1.0 255.255.255.0" and systems logs > openvpn pops the above mentioned error
Can't seem to find were I am going wrong here.
Something i just noticed:
You have as IPs for the OpenVPN connection these:
192.168.99.6 G/W: 192.168.99.5
That suggests that you don't actually have a PSK but a PKI.
Can you clarify?
ah yes… it is "shared key" and not PKI.
Can you please show a copy of your config on the server and the client side?
Your description is inconsistent and i think the complete config is the fastest way to see what you actually have :)
Sorry I was wrong it is PKI
Server config :
keepalive 10 60
server 192.168.99.0 255.255.255.0
push "dhcp-option DOMAIN rgo.ab.ca"
push "dhcp-option DNS 192.168.2.1"
push "dhcp-option DNS 192.168.5.1"
push "dhcp-option WINS 192.168.2.1"
push "dhcp-option WINS 192.168.5.1"
push "dhcp-option NBT 1"
push "redirect-gateway def1"
route 192.168.1.0 255.255.255.0
Now that this is clear: IMO you should drop the PKI altogether and set up a shared key setup.
Site-to-site is just easier to manage.
Please read the stickies !
Also reading the example setups for OpenVPN from their homepage doesnt hurt either.
If you insist on setting site-to-site with a PKI up, you should read the sticky http://forum.pfsense.org/index.php/topic,12888.0.html
If you'll go with a PSK: enter the same key on both sides, add the route command, done.
It's up and running. I scrapped what I had correlated my subnets to the ones in the sticky you mentioned and followed it step by step.
Thank you so much for your help!