Routing issue for OpenVPN Clients



  • Hi Folks,

    I have a little routing issue and hope someone can help me here, as I have no more ideas how to solve it.
    So here are first some ASCII diagrams so you know how it looks.

    Office1:

    DSL-Line1                                   DSL-Line2
    PPPOE                                       PPPOE
     |                                           |
     |                                           |
    pfSense-Box (OpenVPN Server with PKI        DSL/VPN Router 2 (makes astral IPSEC Net
    for Roadwarrior)                            to NET Connection to Office 2-4)
    Lan 192.168.10.1 (Has static route          Lan 192.168.10.4 (Has static route
    192.168.20.0/24 via 192.168.10.4)           192.168.12.0/24 via 192.168.10.1)
     |                                           |
     | 192.168.10.0/24                           |
     --------------------switch--------------------
                    |
                 Client x

    Office 2:

    DSL-Line
    PPPOE
     |
     |
    DSL/VPN Router (makes IPSEC net to net connection to Office1)
    Lan 192.168.20.1 (Has static route 192.168.12.0/24 via 192.168.10.4)
     |
     | 192.168.20.0/24
     --------------
            |
         Client x

    The pfSense box at Office 1 acts as default gateway for the clients in that LAN and also has OpenVPN activated to let people from "the road" access the Office 1 net.
    The second router at Office 1, with its own DSL line, is only there to make a VPN net-to-net connection to Office 2.
    On the pfSense box I have set up a static route, net 192.168.20.0 and gateway 192.168.10.4, so the clients at
    Office 1 can reach Office 2 and vice versa. This is working so far.

    However, when I am connected from home via OpenVPN to Office 1, I also want to be able to reach Office 2 over
    Router 2 from Office 1.
    In the OpenVPN server config I have set 192.168.12.0 as the OpenVPN IP client pool and 192.168.10.0 as the reachable net.
    The OpenVPN server is pushing the Office 2 net to its clients via extra options.

    push "route 192.168.20.0 255.255.255.0"
    push "route 192.168.30.0 255.255.255.0"
    push "route 192.168.40.0 255.255.255.0"

    Router 2 at Office 1 has a static route 192.168.12.0/24 with gateway 192.168.10.1,
    and the router at Office 2 has 192.168.12.0/24 with gateway 192.168.10.4.

    My routing table from home connected via OpenVPN:

    192.168.12.1    192.168.12.5    255.255.255.255 UGH   0      0        0 tun0
    192.168.12.5    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    192.168.20.0    192.168.12.5    255.255.255.0   UG    0      0        0 tun0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    192.168.30.0    192.168.12.5    255.255.255.0   UG    0      0        0 tun0
    192.168.10.0    192.168.12.5    255.255.255.0   UG    0      0        0 tun0
    192.168.40.0    192.168.12.5    255.255.255.0   UG    0      0        0 tun0
    0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

    And on the pfSense Box:

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            x.x.x.x            UGS         0  1570647    ng0
    x.x.x.x           lo0                UHS         0        0    lo0
    127.0.0.1          127.0.0.1          UH          0        0    lo0
    192.168.10.0/24    link#2             UC          0        0    vr1
    192.168.10.4       x:x:x:12:ff:d7     UHLW        4        0    vr1    764
    192.168.12.0/24    192.168.12.2       UGS         0   225534   tun0
    192.168.12.2       192.168.12.1       UH          1        0   tun0
    192.168.20.0/24    192.168.10.4       UGS         0  3639777    vr1
    192.168.30.0/24    192.168.10.4       UGS         0   298924    vr1
    192.168.40.0/24    192.168.10.4       UGS         0   298910    vr1
    192.168.200.0/24   192.168.10.4       UGS         0   296292    vr1
    x.x.x.x      x.x.x.x       UH          1    72895    ng0

    Traceroute to Office 2 while being connected via OpenVPN ends at Router2.

    traceroute to 192.168.20.1 (192.168.20.1), 30 hops max, 40 byte packets
    1  192.168.12.1 (192.168.12.1)  68.893 ms  70.798 ms  90.898 ms
    2  192.168.10.4 (192.168.10.4)  90.905 ms  92.740 ms  94.700 ms

    Traceroute from Office2 to my local OpenVPN IP:

    traceroute.lbl to 192.168.12.6 (192.168.12.6), 30 hops max, 40 byte packets
    1  192.168.20.1 (192.168.20.1)  0.801 ms  0.401 ms  0.341 ms
    2  *

    Traceroute from Office2 to pfSense Box

    traceroute.lbl to 192.168.10.1 (192.168.10.1), 30 hops max, 40 byte packets
    1  192.168.20.1 (192.168.20.1)  1.523 ms  0.481 ms  0.420 ms
    2  192.168.10.4 (192.168.10.4)  68.998 ms  72.004 ms  73.246 ms
    3  * *

    Traceroute from Office2 to Server at Office1

    traceroute.lbl to 192.168.10.2 (192.168.10.2), 30 hops max, 40 byte packets
    1  192.168.20.1 (192.168.20.1)  0.841 ms  0.401 ms  0.341 ms
    2  192.168.10.4 (192.168.10.4)  67.915 ms  73.246 ms  77.355 ms
    3  192.168.10.2 (192.168.10.2)  69.820 ms  65.992 ms  67.735 ms

    Any hints how to solve this?

    P.S. There are also Office 3 and 4 (.30.x and .40.x), which should also be reachable like Office 2, but I have kept them out to keep it simpler.

    Rohloff



  • bump

    No one with an idea what the problem could be? Is any information missing?
    As far as I know, the pfSense box should automatically route the traffic from the OpenVPN net to the other office nets, or?
    I searched this forum and other sources but didn't find out what the problem could be.

    Oh, and I don't get any money for this. ;)

    Rohloff



  • So no one with an idea or hint??

    I can ping pfSense on its LAN IP while being connected from external via OpenVPN, but traceroute doesn't work. I think this is one of the problems. The second office router has the static route with the pfSense box LAN IP as gateway for the OpenVPN net.

    traceroute 192.168.10.1
    traceroute to 192.168.10.1 (192.168.10.1), 30 hops max, 40 byte packets
    1  * * *

     ping 192.168.10.1
    PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
    64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=68.5 ms
    


  • How do you connect from home?
    To the same server as you use for the site-to-site connection?

    I wouldn't suggest such a setup.
    While it's doable, it introduces a lot of complexity.

    Is the current site-to-site set up using a PKI? (just because you're using pushes).



    I have an OpenVPN server with PKI activated on the pfSense box and connect that way into the main office net.
    I can reach all hosts in that net via ping and traceroute, also the second router which makes the net-to-net connections to the other offices. But routing to the other office nets doesn't work when connected via OpenVPN from external. Traceroute always ends at the second VPN router.
    And I have to get it running this way. :( I never thought it would be that hard. What I don't understand is why the pfSense box is not routing the traffic correctly!?

    The OpenVPN server config on the pfSense box:

    writepid /var/run/openvpn_server0.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto udp
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    server 192.168.12.0 255.255.255.0
    client-config-dir /var/etc/openvpn_csc
    push "route 192.168.10.0 255.255.255.0"
    lport 1194
    push "dhcp-option WINS 192.168.10.2"
    push "dhcp-option NBT 2"
    ca /var/etc/openvpn_server0.ca
    cert /var/etc/openvpn_server0.cert
    key /var/etc/openvpn_server0.key
    dh /var/etc/openvpn_server0.dh
    crl-verify /var/etc/openvpn_server0.crl
    comp-lzo
    persist-remote-ip
    float
    push "route 192.168.20.0 255.255.255.0"
    push "route 192.168.30.0 255.255.255.0"
    push "route 192.168.40.0 255.255.255.0"
    management 127.0.0.1 1194
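    Added example (not from this thread, and not pfSense or OpenVPN code): a small Python script that parses the two routing tables posted earlier (`route -n` on the road-warrior client, `netstat -rn` on the pfSense box) and the `push "route ..."` lines of the server config above, does longest-prefix-match lookups the way a kernel would, and walks a packet for 192.168.20.1 from table to table. Assumptions, all labelled in the code: the WAN gateway the poster masked as x.x.x.x is replaced by the documentation address 203.0.113.1, the Office 3/4 rows are left out for brevity, and 192.168.12.5 (the client's tun0 gateway) and 192.168.12.1 are both treated as the pfSense tun0 endpoint. The walk reproduces what the posted traceroute shows: pfSense forwards to 192.168.10.4, and because no table was posted for Router 2 or the Office 2 router, the data in the thread says nothing about what happens after that hop. The pushed-route check shows that pfSense has a non-default, non-tunnel route for every net it pushes, so the client-to-pfSense leg is consistent; the same check reports the failure case when a pushed net is missing from the server's table.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None = directly connected
    iface: str

# Road-warrior client, Linux `route -n` output as posted (Office 3/4 rows left out).
CLIENT_ROUTE_N = """\
192.168.12.1    192.168.12.5    255.255.255.255 UGH   0      0        0 tun0
192.168.12.5    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.20.0    192.168.12.5    255.255.255.0   UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.10.0    192.168.12.5    255.255.255.0   UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
"""

# pfSense, FreeBSD `netstat -rn` output as posted; the WAN gateway the poster
# masked as x.x.x.x is a constructed 203.0.113.1 placeholder.
PFSENSE_NETSTAT = """\
default            203.0.113.1        UGS         0  1570647    ng0
192.168.10.0/24    link#2             UC          0        0    vr1
192.168.10.4       x:x:x:12:ff:d7     UHLW        4        0    vr1    764
192.168.12.0/24    192.168.12.2       UGS         0   225534   tun0
192.168.12.2       192.168.12.1       UH          1        0   tun0
192.168.20.0/24    192.168.10.4       UGS         0  3639777    vr1
"""

# Push lines from the posted OpenVPN server config (same two nets).
SERVER_CONF = """\
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
"""

def _gateway(gw, flags):
    # A next hop only counts with the G flag and an IP in the gateway column;
    # link#N, MAC addresses and 0.0.0.0 all mean "directly connected".
    try:
        return ipaddress.IPv4Address(gw) if "G" in flags else None
    except ValueError:
        return None

def parse_linux_route_n(text):
    routes = []
    for p in (line.split() for line in text.splitlines()):
        if len(p) >= 8:  # Destination Gateway Genmask Flags Metric Ref Use Iface
            net = ipaddress.IPv4Network(f"{p[0]}/{p[2]}", strict=False)
            routes.append(Route(net, _gateway(p[1], p[3]), p[7]))
    return routes

def parse_bsd_netstat(text):
    routes = []
    for p in (line.split() for line in text.splitlines()):
        if len(p) >= 6:  # Destination Gateway Flags Refs Use Netif [Expire]
            dest = "0.0.0.0/0" if p[0] == "default" else p[0]
            if "/" not in dest:
                dest += "/32"  # host route
            net = ipaddress.IPv4Network(dest, strict=False)
            routes.append(Route(net, _gateway(p[1], p[2]), p[5]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match over a parsed table; None if nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if addr in r.network]
    return max(hits, key=lambda r: r.network.prefixlen, default=None)

def check_pushed_routes(conf, server_routes, tunnel_iface="tun0"):
    """Where would the server itself forward each pushed net?  One it can only
    reach via its default route or back into the tunnel would blackhole or loop
    client traffic.  Returns {net: (ok, server's next hop or None)}."""
    report = {}
    for m in re.finditer(r'^push\s+"route\s+(\S+)\s+(\S+)"', conf, re.M):
        net = ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False)
        r = lookup(server_routes, str(net.network_address))
        ok = r is not None and r.network.prefixlen > 0 and r.iface != tunnel_iface
        report[str(net)] = (ok, str(r.gateway) if r and r.gateway else None)
    return report

TABLES = {"client": parse_linux_route_n(CLIENT_ROUTE_N),
          "pfsense": parse_bsd_netstat(PFSENSE_NETSTAT)}
# Constructed assumption: 192.168.12.5 (the client's tun0 gateway) and 192.168.12.1
# both belong to the pfSense tun0 endpoint.  No table was posted for Router 2
# (192.168.10.4) or the Office 2 router, so the walk has to stop there.
OWNER = {"192.168.12.5": "pfsense", "192.168.12.1": "pfsense"}

def walk(dst, start="client", tables=TABLES, owner=OWNER):
    """Hop from table to table until dst, a missing route, or an unknown device."""
    path, table = [], start
    for _ in range(16):  # loop guard
        r = lookup(tables[table], dst)
        if r is None:
            path.append(f"{table}: no route")
            break
        hop = str(r.gateway) if r.gateway else dst  # connected: deliver to dst
        path.append(f"{table}:{r.iface}->{hop}")
        if hop == dst or hop not in owner:
            break
        table = owner[hop]
    return path
```

    `walk("192.168.20.1")` yields `client:tun0->192.168.12.5` then `pfsense:vr1->192.168.10.4` and stops, which is exactly the two hops the traceroute in the first post shows. To extend the walk, one would paste Router 2's and the Office 2 router's tables into `TABLES` and add their addresses to `OWNER`; for an IPsec net-to-net link the forwarding decision on those boxes also depends on which source networks the IPsec policy matches, which a plain routing table does not show.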



    I don't think it's a problem of the VPN, but of your router config at Office 2.
    What I'm missing in the picture is what subnet is in the tunnel between Office 1 and Office 2.

    Your static route at office2 points for the openVPN subnet to 192.168.10.4.
    But that's the local IP on site1.
    What is the gateway IP of the router in office2 to reach office1?



  • I edited the ascii diagrams to make it more clear.

    There is no tunnel between Office 1 and 2 like in OpenVPN routing mode. Router 2 at Office 1 and the router at Office 2 are making an IPSEC net-to-net connection.

    So the static routes should be OK like in the ASCII diagram, I think. But still a Roadwarrior traceroute to Office 2 always ends at 192.168.10.4. ???

