Routing issue for OpenVPN Clients

  • Hi Folks,

    I have a little routing issue and hope someone can help me here, as I have no more ideas how to solve it.
    So first, here are some ASCII diagrams so you know how it looks.


    DSL-Line1                                                  DSL-Line2
    PPPOE                                                      PPPOE
     |                                                          |
     |                                                          |
    pfSense-Box (OpenVPN Server with PKI for Roadwarrior)      DSL/VPN Router 2 (makes astral IPSEC Net to NET Connection to Office 2-4)
    Lan static route via                                       Lan (Has static route via
     |                                                          |
     |                                                          |
                    Client x

    Office 2:

     DSL/VPN Router (makes IPSEC net to net connection to Office1)
     Lan (Has static route via
        Client x

    The pfSense box at Office 1 acts as default gateway for the clients in that LAN and also has OpenVPN activated to let people from "the road" access the Office 1 net.
    The second router at Office 1 with its own DSL line is only there to make a VPN net to net connection to
    Office 2.
    On the pfSense box I have set up a static route, net and gateway so the clients at
    Office 1 can reach Office 2 and vice versa. This is working so far.

    However, when I am connected from home via OpenVPN to Office 1, I also want to be able to reach Office 2 over
    Router 2 from Office 1.
    In the OpenVPN server config I have set for OpenVPN IP client pool and reachable net
    The OpenVPN server is pushing the Office 2 net to its clients via extra options.

    push "route"
    push "route"
    push "route"

    Router2 at Office 1 has a static route gateway
    And the Router at Office 2 gateway

    My routing table from home connected via OpenVPN:

    UGH   0      0        0 tun0
    UH    0      0        0 tun0
    UG    0      0        0 tun0
    U     0      0        0 eth0
    UG    0      0        0 tun0
    UG    0      0        0 tun0
    UG    0      0        0 tun0
    UG    0      0        0 eth0

    And on the pfSense Box:

    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            x.x.x.x            UGS         0  1570647    ng0
    x.x.x.x            lo0                UHS         0        0    lo0
                                          UH          0        0    lo0
    link#2                                UC          0        0    vr1
    x:x:12:ff:d7                          UHLW        4        0    vr1
    764                                   UGS         0   225534   tun0
                                          UH          1        0   tun0
                                          UGS         0  3639777    vr1
                                          UGS         0   298924    vr1
                                          UGS         0   298910    vr1
                                          UGS         0   296292    vr1
    x.x.x.x      x.x.x.x       UH          1    72895    ng0

    Traceroute to Office 2 while being connected via OpenVPN ends at Router2.

    traceroute to (, 30 hops max, 40 byte packets
    1 (  68.893 ms  70.798 ms  90.898 ms
    2 (  90.905 ms  92.740 ms  94.700 ms

    Traceroute from Office2 to my local OpenVPN IP:

    traceroute.lbl to (, 30 hops max, 40 byte packets
    1 (  0.801 ms  0.401 ms  0.341 ms
    2  *

    Traceroute from Office2 to pfSense Box

    traceroute.lbl to (, 30 hops max, 40 byte packets
    1 (  1.523 ms  0.481 ms  0.420 ms
    2 (  68.998 ms  72.004 ms  73.246 ms
    3  * *

    Traceroute from Office2 to Server at Office1

    traceroute.lbl to (, 30 hops max, 40 byte packets
    1 (  0.841 ms  0.401 ms  0.341 ms
    2 (  67.915 ms  73.246 ms  77.355 ms
    3 (  69.820 ms  65.992 ms  67.735 ms

    Any hints how to solve this?

    P.S. There are also Office 3 and 4 (.30.x and .40.x) which should also be reachable like Office 2, but I have kept them out to keep it simpler.


    No one with an idea what the problem could be? Any information missing?
    As far as I know the pfSense box should automatically route the traffic from the OpenVPN net to the other office nets, or?
    I searched this forum and other sources but didn't find out what the problem could be.

  • So no one with an idea or hint??

    I can ping pfSense on its LAN IP while being connected from extern via OpenVPN, but traceroute doesn't work. I think this is one of the problems. The second office router has a static route for the OpenVPN net with the pfSense box LAN IP as gateway.

    traceroute to (, 30 hops max, 40 byte packets
    1  * * *

    PING ( 56(84) bytes of data.
    64 bytes from icmp_seq=1 ttl=64 time=68.5 ms

  • How do you connect from home?
    To the same server that you use for the site-to-site connection?

    I wouldn't suggest such a setup.
    While it's doable, it introduces a lot of complexity.

    Is the current site-to-site set up using a PKI? (just because you're using pushes).

    I have an OpenVPN server with PKI activated on the pfSense box and connect that way into the main office net.
    And I can reach all hosts in that net via ping and traceroute, also the second router which makes the net to net connections to the other offices. But routing to the other office nets doesn't work when connected via OpenVPN from extern. Traceroute always ends at the second VPN router.
    And I have to get it running this way. :( I never thought it would be that hard. What I don't understand is why the pfSense box is not routing the traffic correctly!?

    The OpenVPN server config on the pfSense box:

    writepid /var/run/
    #user nobody
    #group nobody
    keepalive 10 60
    dev tun
    proto udp
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    client-config-dir /var/etc/openvpn_csc
    push "route"
    lport 1194
    push "dhcp-option WINS"
    push "dhcp-option NBT 2"
    ca /var/etc/
    cert /var/etc/openvpn_server0.cert
    key /var/etc/openvpn_server0.key
    dh /var/etc/openvpn_server0.dh
    crl-verify /var/etc/openvpn_server0.crl
    push "route"
    push "route"
    push "route"
    management 1194

    I don't think it's a problem of the VPN, but of your router config at office2.
    What I'm missing in the picture is what subnet is in the tunnel between office1 and office2.

    Your static route at office2 points for the openVPN subnet to
    But that's the local IP on site1.
    What is the gateway IP of the router in office2 to reach office1?

    I edited the ASCII diagrams to make it clearer.

    There is no tunnel between Office 1 and 2 like in OpenVPN routing mode. Router 2 at Office 1 and the router at Office 2 are making an IPSEC net to net connection.

    So the static routes should be OK like in the ASCII diagram, I think. But still a Roadwarrior traceroute to Office 2 always ends at ???
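The reply above questions whether the Office 2 router can actually reach the gateway it holds for the OpenVPN subnet, and every traceroute in the thread stops at Router 2. This added example (not from the thread, and not pfSense or router code) walks a packet hop by hop through the topology the poster describes, using constructed placeholder addresses and assuming the site-to-site link is policy-based IPsec whose Phase 2 selectors cover only the two office LANs; it reports the first hop that would drop the packet in each direction, and what changes once the OpenVPN pool is included in the selectors on both IPsec routers.

```python
from ipaddress import ip_address, ip_network
# Constructed placeholder addresses: the thread's real addresses were not preserved.
VPN_POOL, LAN1, LAN2 = map(ip_network, ["10.8.0.0/24", "192.168.10.0/24", "192.168.20.0/24"])
PFSENSE_LAN, ROUTER2_LAN = map(ip_address, ["192.168.10.1", "192.168.10.2"])  # Office 1 LAN IPs

class Hop:
    """One router: connected prefixes, (prefix, gateway) static routes, (local, remote) IPsec selectors."""
    def __init__(self, name, connected, routes=(), ipsec=()):
        self.name, self.connected, self.routes, self.ipsec = name, list(connected), list(routes), list(ipsec)

    def decide(self, src, dst):
        if any(dst in c for c in self.connected):
            return "connected"
        # Policy-based IPsec only encapsulates packets that match a Phase 2 selector pair.
        if any(src in local and dst in remote for local, remote in self.ipsec):
            return "ipsec"
        if any(dst in remote for _, remote in self.ipsec):
            return "drop: no Phase 2 selector covers source %s" % src
        matches = [(p, g) for p, g in self.routes if dst in p]
        if not matches:
            return "drop: no route to %s" % dst
        _, gw = max(matches, key=lambda r: r[0].prefixlen)  # longest prefix wins
        if not any(gw in c for c in self.connected):         # gateway must be on-link
            return "drop: gateway %s is not on a connected network" % gw
        return "forward via %s" % gw

def walk(path, src, dst):
    """Return (hop name, reason) for the first hop that drops the packet, else None."""
    src, dst = ip_address(src), ip_address(dst)
    for hop in path:
        verdict = hop.decide(src, dst)
        if verdict.startswith("drop"):
            return hop.name, verdict
    return None

# Topology as the thread describes it; LAN1 <-> LAN2 as the only Phase 2 selector is an assumption.
pfsense = Hop("pfSense", [LAN1, VPN_POOL], routes=[(LAN2, ROUTER2_LAN)])
router2 = Hop("Router2", [LAN1], routes=[(VPN_POOL, PFSENSE_LAN)], ipsec=[(LAN1, LAN2)])
office2 = Hop("Office2-Router", [LAN2], routes=[(VPN_POOL, PFSENSE_LAN)], ipsec=[(LAN2, LAN1)])

def roadwarrior_to_office2():
    return walk([pfsense, router2, office2], "10.8.0.6", "192.168.20.50")
def office2_to_roadwarrior():
    return walk([office2, router2, pfsense], "192.168.20.50", "10.8.0.6")
def with_pool_in_selectors():
    """Both directions after adding the OpenVPN pool to the Phase 2 selectors on both IPsec routers."""
    r2 = Hop("Router2", [LAN1], routes=[(VPN_POOL, PFSENSE_LAN)], ipsec=[(LAN1, LAN2), (VPN_POOL, LAN2)])
    o2 = Hop("Office2-Router", [LAN2], ipsec=[(LAN2, LAN1), (LAN2, VPN_POOL)])
    return (walk([pfsense, r2, o2], "10.8.0.6", "192.168.20.50"),
            walk([o2, r2, pfsense], "192.168.20.50", "10.8.0.6"))
```

In the as-described topology the forward packet dies at Router2 and the return packet at the Office 2 router, matching where the thread's traceroutes stop; with the pool in both selectors neither direction drops.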

