OpenVPN from East coast to West coast



  • OK - For anyone who read this thread of mine: http://forum.pfsense.org/index.php/topic,21772.msg111927.html#msg111927
    Now I have the VPN actually setup in their physical locations. I have the site-to-site VPN from west to east working. West side is the OpenVPN server. East side is the client. This part works fine. I can ping any system on both sides over the VPN.
    East side IP: 192.168.100.1 (192.168.100.0/24)
    West side IP: 192.168.200.1 (192.168.200.0/24)

    The problem I have now:
    I have a Roadwarrior VPN setup in OpenVPN on the east side. I have a VPN client in another location that is NOT on the same network as either the East or West sides. The client connects to the East side just fine. I can ping 192.168.100.1 from the roadwarrior VPN client. However, I CANNOT ping 192.168.200.1 from the roadwarrior VPN client when connected to the East side. Please note that I have not yet setup a roadwarrior VPN on the West side YET. That is coming soon. I would like to figure out this issue before I do so.

    I have tried disabling blocking of private networks on both sides on the WAN interface.
    I have tried creating a firewall rule on both East and West sides that allows any traffic from source 192.168.200.0/24 to be allowed.
    I have tried creating a firewall rule on both East and West sides that allows any traffic to destination 192.168.200.0/24 to be allowed.
    I have tried adding this on the East side roadwarrior VPN server: push "route 192.168.200.0 255.255.255.0"

    No luck.
    Any ideas or thoughts?



  • How is the site-to-site VPN done?
    With a shared key or a PKI?

    Basically: you need to add the route for the roadwarrior subnet to the other side of the tunnel.
    Additionally you have to push the routes for the other side to the connecting roadwarriors (you seem to have done this).

    –>
    Roadwarrior-server on east-side.
    Push to the connecting clients the subnet of the westside: (push "route 192.168.200.0 255.255.255.0")
    Site-to-site client on the westside.
    Add a route for the subnet of the roadwarriors (route subnet_of_your_roadwarriors mask_of_your_roadwarriors)



  • The site-to-site VPN is done via shared key.

    Site-to-site client on the westside.
    Add a route for the subnet of the roadwarriors (route subnet_of_your_roadwarriors mask_of_your_roadwarriors)

    Where do I add this part? At the cli of westside? Or is it a static route?
    The subnet of the roadwarrior VPN (for clients) is 192.168.60.0/24



  • Please keep in mind that the pfSense webgui is nothing more than an easier way to create a standard-config file for the openVPN process.
    There is no magic involved ;)
    If you look at the man-pages of OpenVPN you will see all options which are available.

    To add your own options to the resulting config file you can add whatever you want to the "custom options" field.
    In your case you have to add
    route 192.168.30.0 255.255.255.0
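    Added example (not from the thread or from pfSense itself): the directives GruensFroeschli is describing, written out for each of the four OpenVPN instances the thread ends up with, so the symmetry is visible. Assumptions not stated in the thread: the site-to-site tunnel network is 192.168.50.0/24 (the routing table quoted later shows 192.168.50.2 as the tun0 gateway on the west side), the east roadwarrior subnet is 192.168.60.0/24 as the original poster states, and 192.168.70.0/24 is a placeholder for the west roadwarrior subnet that had not been set up yet. Each fragment goes into that instance's "custom options" field (one directive per line; older pfSense releases separate custom options with semicolons).

    ```openvpn
    # --- East side: roadwarrior server (clients land in 192.168.60.0/24) ---
    # Each connecting client needs a route for BOTH LANs through this tunnel.
    push "route 192.168.100.0 255.255.255.0"   # east LAN
    push "route 192.168.200.0 255.255.255.0"   # west LAN, reachable via the site-to-site tunnel

    # --- East side: site-to-site client (shared key, tunnel net 192.168.50.0/24 assumed) ---
    # 192.168.60.0/24 is already local here (it is east's own roadwarrior tun),
    # but west-LAN traffic must be sent into the site-to-site tunnel:
    route 192.168.200.0 255.255.255.0
    # Mirror image once a west roadwarrior server exists (192.168.70.0/24 is a placeholder):
    route 192.168.70.0 255.255.255.0

    # --- West side: site-to-site server (shared key) ---
    route 192.168.100.0 255.255.255.0   # east LAN
    # The line the thread was missing: without it, replies to 192.168.60.x
    # leave via west's WAN default gateway instead of going back into tun0.
    route 192.168.60.0 255.255.255.0    # east roadwarrior clients

    # --- West side: roadwarrior server (placeholder subnet 192.168.70.0/24) ---
    push "route 192.168.200.0 255.255.255.0"   # west LAN
    push "route 192.168.100.0 255.255.255.0"   # east LAN, via the site-to-site tunnel
    ```

    The `route` directive is preferable to a manual static route because OpenVPN installs it when the tunnel comes up and removes it when the tunnel drops, whereas a static route pinned to 192.168.50.2 stays in the table whether or not the tunnel exists. With a shared-key tunnel there is exactly one peer, so `route` is sufficient; a TLS server in `server` mode with several clients would additionally need `client-config-dir` with an `iroute` for the subnet behind the specific client. Firewall rules on the OpenVPN interface of each pfSense box still have to permit the roadwarrior source subnet, as the original poster had already done.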



  • I looked at my routing table:
    192.168.100.0/24 192.168.50.2 UGS 0 1931933 1500 tun0

    So I added a static route and now it looks like this:
    192.168.60.0/24 192.168.50.2 UGS 0 4 1500 tun0

    And now it works! I can ping 192.168.200.1 and any other IP from the eastside client! Thank you so very, very, very much, Gruens!!!



    The only other issue I am having now is attempting to ping 192.168.100.2 from a roadwarrior VPN client connected to the westside roadwarrior VPN I just setup.
    192.168.100.2 is a Linksys wireless router setup as just an access point (no routing). Nothing is connected to the WAN interface on it.

    Then, I have trouble pinging 192.168.200.241 or 192.168.200.242 (both Win 7 systems) from the roadwarrior client when it is connected to the eastside. However, that seems to be a firewall issue. I enabled file and printer sharing on both systems and that allows any client on the 192.168.200.0/24 subnet to ping 192.168.200.241 and 192.168.200.242, but I have to disable the Windows firewall completely in order for the Eastside roadwarrior client to ping 192.168.200.241 or 192.168.200.242.

    Any thoughts?



  • I looked at my routing table:
    192.168.100.0/24 192.168.50.2 UGS 0 1931933 1500 tun0

    So I added a static route and now it looks like this:
    192.168.60.0/24 192.168.50.2 UGS 0 4 1500 tun0

    And now it works! I can ping 192.168.200.1 and any other IP from the eastside client! Thank you so very, very, very much, Gruens!!!

    This is not how you should do it…
    While it might work (most of the time) it's not how it is intended.
    Use the route command !

    The only other issue I am having now is attempting to ping 192.168.100.2 from a roadwarrior VPN client connected to the westside roadwarrior VPN I just setup.
    192.168.100.2 is a Linksys wireless router setup as just an access point (no routing). Nothing is connected to the WAN interface on it.

    Then, I have trouble pinging 192.168.200.241 or 192.168.200.242 (both Win 7 systems) from the roadwarrior client when it is connected to the eastside. However, that seems to be a firewall issue. I enabled file and printer sharing on both systems and that allows any client on the 192.168.200.0/24 subnet to ping 192.168.200.241 and 192.168.200.242, but I have to disable the Windows firewall completely in order for the Eastside roadwarrior client to ping 192.168.200.241 or 192.168.200.242.

    Any thoughts?

    For the westside the same applies as for the eastside.
    You need to add the route command to the config on the other side.

    For problems with the Windows firewall I cannot really help (I usually just disable it completely).



  • @GruensFroeschli:

    This is not how you should do it…
    While it might work (most of the time) it's not how it is intended.
    Use the route command !

    For the westside the same applies as for the eastside.
    You need to add the route command to the config on the other side.

    Ok, I can do this. But do you mean at the command line? If so, would this not be erased if the router is rebooted? Or is there another place to add the route command?



  • …. Read my last 3 replies in this thread again ...



  • Ah I see now. Sorry, I overlooked that.

