set up pfSense as additional gateway into VPNs
-
I installed mtr on the ovpn-server.
A ping to the LAN-IP of the ovpn-client should go through the tunnel, I also see according rules in the ovpn-routing-table. But not in the general routing table ... I assume that's correct this way, it looks similar for the ~20 other ovpn-clients.
The mtr run shows that the ICMP-packet is routed to the default gateway instead.
That's wrong.
-
@sgw
On the OpenVPN server you have to specify the remote networks correctly to get the routes set.
And also you need to create a client specific override for the client and as well specify the remote networks there. Are you missing these settings?
-
@viragomann thanks
no, I have these ... see the CSC:
in IPv4 Tunnel Network I set a specific Tunnel IP for that client: 172.31.0.121/23
in IPv4 Local Networks I add the server side LAN to be reached: 192.168.1.0/24
in IPv4 Remote Networks I have the client side LAN subnet: 192.168.8.0/24
That's all. I do it like this all the time for ~20 clients ...
This client is only different in using only LAN.
On the client I see a route to the server LAN in Diagnostics/Routes.
On the server the routes to the ovpn-client-LANs are not there, but visible in Status / OpenVPN / Routing Table. And they look similar for a working and that non-working client:
Common Name   Real Address     Target Network     Last Used
sg1100_19     88.xxx:30322     172.31.0.78        2025-04-11 12:36:43
sg1100_19     88.xxx:30322     192.168.118.0/24   2025-04-10 13:03:28
sg1100_21     185.yyy:23417    192.168.8.0/24     2025-04-11 12:30:27
sg1100_21     185.yyy:23417    172.31.0.121       2025-04-11 12:36:43
That's the strange thing: it looks correct.
-
@viragomann said in set up pfSense as additional gateway into VPNs:
On the OpenVPN server you have to specify the remote networks correctly to get the routes set.
I define that in the CSCs for the clients. The OpenVPN-server itself doesn't have to be adjusted when adding clients, at least as far as I know. I only edit that in the CSCs. Right?
-
What I see and what looks suspicious:
the Default Gateway IPv4 on the ovpn-server-side points to a specific gateway and is not set to "Automatic".
For all the other clients it works but the routing for this one client is wrong:
when I mtr from the server to the client side the packets are sent to def gw and not into the ovpn-tunnel
-
@sgw
As mentioned, client site networks have to be specified once in the server settings at "remote networks" and again in the CSO. If they are missed in the server settings, pfSense doesn't add routes.
-
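The symptom described in this thread (a network listed in Status / OpenVPN / Routing Table but absent from the kernel routing table, so packets leave via the default gateway) can be checked mechanically. The script below is an added example, not code from the thread or from pfSense: it cross-checks the OpenVPN routing table against `netstat -rn` output (pfSense is FreeBSD, so that command is available from the shell or Diagnostics / Command Prompt) and reports every client LAN whose longest-prefix match in the kernel table is not a tunnel interface. The two sample outputs are constructed for the example; the interface names, gateway addresses and the `ovpn` prefix convention are assumptions.

```python
# Added example (not from the forum thread): find CSO "remote networks" that
# OpenVPN knows about but that the kernel will not route into the tunnel.
import ipaddress

# Constructed sample of Status / OpenVPN / Routing Table, in the four-column
# layout the thread shows: common name, real address, target network, last used.
OPENVPN_ROUTING_TABLE = """\
sg1100_19 88.xxx:30322 172.31.0.78 2025-04-11 12:36:43
sg1100_19 88.xxx:30322 192.168.118.0/24 2025-04-10 13:03:28
sg1100_21 185.yyy:23417 192.168.8.0/24 2025-04-11 12:30:27
sg1100_21 185.yyy:23417 172.31.0.121 2025-04-11 12:36:43
"""

# Constructed sample of `netstat -rn` on the server-side pfSense (interface
# names and gateways are assumed). 192.168.118.0/24 has a kernel route via the
# tunnel interface; 192.168.8.0/24 deliberately has none.
KERNEL_ROUTES = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
172.31.0.0/23      link#7             U        ovpns1
192.168.1.0/24     link#1             U           em0
192.168.118.0/24   172.31.0.2         UGS      ovpns1
"""


def parse_openvpn_routes(text):
    """Return {network: common_name} for the subnet entries of the OpenVPN
    routing table. Host (/32) entries are the clients' own tunnel addresses,
    not remote LANs, so they are skipped."""
    routes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        common_name, target = parts[0], parts[2]
        net = ipaddress.ip_network(target, strict=False)
        if net.prefixlen == 32:
            continue
        routes[net] = common_name
    return routes


def parse_kernel_routes(text):
    """Return {destination_network: (gateway, netif)} from netstat -rn output."""
    routes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # skip IPv6 or link-local oddities we do not model here
        routes[net] = (parts[1], parts[3])
    return routes


def longest_prefix_match(address, kernel_routes):
    """Pick the kernel route the stack would use for `address`: the most
    specific (longest prefix) network that contains it, or None."""
    best = None
    for net, info in kernel_routes.items():
        if address in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best


def find_missing_routes(ovpn_text, kernel_text, tunnel_prefix="ovpn"):
    """Return [(common_name, network, effective_netif)] for every OpenVPN
    client network whose kernel route does not point at a tunnel interface.
    An entry here means traffic for that LAN goes to the default gateway."""
    ovpn = parse_openvpn_routes(ovpn_text)
    kernel = parse_kernel_routes(kernel_text)
    missing = []
    for net, common_name in ovpn.items():
        match = longest_prefix_match(net.network_address, kernel)
        netif = match[1][1] if match else None
        if netif is None or not netif.startswith(tunnel_prefix):
            missing.append((common_name, str(net), netif))
    return missing


if __name__ == "__main__":
    for common_name, net, netif in find_missing_routes(OPENVPN_ROUTING_TABLE, KERNEL_ROUTES):
        print(f"{common_name}: {net} is in the OpenVPN table but routes via {netif}, not the tunnel")
```

In the constructed data the report names only `sg1100_21` / `192.168.8.0/24` (routed via `em0`), which is the thread's situation: the CSO told OpenVPN about the network, but no kernel route was pushed, so the fix belongs in the server's "Remote networks" setting rather than in a NAT rule.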
I don't see where to add that, and I didn't do that for the other clients.
VPN/ Server/ OpenVPN/ Servers/ Edit ?
used Search in Browser, not found ;-)
-
currently it seems to work after adding a NAT outbound rule on the client
OpenVPN 192.168.8.0/24 * 192.168.1.0/24
we test now
-
That outbound rule editing changed something, as if there was something changed under the hood.
Right now the admin there is able to access systems on the other side of the tunnel, as intended.
Nothing changed on the OpenVPN server, btw.
That NATing still isn't fully correct.
What I'd like to have:
- server side IP should be able to ping a PC on the client side
- server side VM should be able to access a system on the client side, with a mapped IP in the client LAN
currently I have this, and rebooted for a check, the admin is able to access a server VM via RDP: GREAT, but not 100% yet ;-)
THANKS so far, I think I need some time afk now soon
-
@sgw
Yeah, outbound NAT rules (masquerading) can be used to circumvent missing routes.
I'd rather set the routes properly, but it depends on the use-case.
-
@viragomann I agree but I repeat: where to set these routes? See question above. Thanks.
-
@sgw
The "Remote networks" field is only available in peer to peer server mode. But this is what you should set up for your use case.
-
@viragomann Ah, that explains why it feels like barking up the wrong tree ;-)
I hope I can run that in parallel to the other openvpn-server? (separate port, sure).
Thanks so far, have a nice weekend!
-
@sgw
Yes, of course you can run multiple OpenVPN servers for different purposes.
-
I set that up on the server site pfSense.
For the peer to peer VPN there is no Client Export, so I assume I have to set up a Server on the other site as well, also in Peer2Peer-Mode? For sure I'll browse the docs in a minute.
looking forward to solving this ;-)
EDIT: I see, seems I can follow this for example. So not a 2nd server but a specific client config. Will try monday or so.