Netgate Discussion Forum

    Open VPN Remote Access Routing to specific TLS Client needs special CSO treatment. (2.7.2)

    2 Posts 1 Posters 108 Views
      Bambos
      last edited by Bambos

      Hello everyone,

      I'm facing a strange issue and I don't know if this is a bug or a misconfiguration.

      I have many OpenVPN SSL/TLS clients connecting to an OpenVPN server.
      Tunnel is 172.18.1.59/24 for LAN 59, 172.18.1.60/24 for LAN 60, etc... straight and square. Topology like below:

      2f60664c-6240-43bf-bb77-2c2567811641-image.png

      All clients have specific overrides only for the tunnel peer IP and for the remote network behind it, like below.

      a293467e-12e4-464a-95e2-f2d7e6ca90c0-image.png

      In parallel, I have another instance of an OpenVPN remote access server, and the users have the tunnel IP range 172.16.13.0/24. So if a user is connected to the VPN server, they can also access the remote networks of the TLS clients.

      The issue is that one specific client (LAN60) can't recognize the traffic coming from the remote access tunnel with the range 172.16.13.0/24 (no ping / no access from the remote connection), but from the central pfSense it pings, meaning from 172.18.1.1.

      So in order to troubleshoot that, I have updated the client specific override for this specific client like below. With the setting below it works!

      1d6d4f19-6578-4c16-8abb-4e0ce83d1d34-image.png

      All pfSense systems are version 2.7.2.

      My question is: why, of all those clients, does only this specific device need that setting? Obviously it is getting that as routing inside OpenVPN, as an existing routed network over this tunnel, and then it works, but why don't the other clients need that?
      I have checked on the LAN60 pfSense and there is no conflict with this range. Also note that it was working like all the other clients for many months without problems and without the extra setting in the CSO.

      Any comments appreciated.

        Bambos

        Update:

        I had the same issue today, configuring another client with the same topology.
        This time I had another pfSense 2.7.2 that needed the extra routing in the CSO when I created a remote access OpenVPN server on the same pfSense.

        I lost access suddenly during configuration, and then I had to use a Client Specific Override for the VPN tunnel again in order to communicate again. Based on the above, it seems that OpenVPN inter-routing is acting strangely.

        Is this a misconfiguration on my side, and should I always have that extra routing for the remote access tunnel? Or is it a bug in the OpenVPN implementation on pfSense? I'm still wondering why some instances work and some don't.

        I'm awaiting any comments, and would like to know if someone has faced this in the past.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.