Route trouble with OpenVPN
-
We have two pfSense machines.
On one pfSense machine we installed the OpenVPN server software and on the other pfSense machine the OpenVPN client software. The OpenVPN connection between the two pfSense machines is working fine (ping goes both ways).
Now comes the problem: we want our home user to connect to Loc1 (that's working) and through Loc1 to Loc2, to that subnet (192.168.10.0/24). From Loc3 I can ping the OpenVPN IP addresses of Loc1 and Loc2, but not the IPs of the subnet behind Loc2. If I do a traceroute from Loc3 to 192.168.10.254, the route goes through 192.168.12.1 and stops (time-outs).
So the question is: how (and is it possible) can I resolve this?
Loc1: OpenVPN server (192.168.12.1, local subnet 192.168.254.0/24)
  Protocol: TCP
  Local port: 1194
  Address pool: 192.168.12.0/24
  Local network: 192.168.254.0/24
  Remote network: none
  Client-to-client: set/yes
  Custom options:
    duplicate-cn;
    user root;
    group wheel;
    management 127.0.0.1 21194;
    push "route 192.168.10.0 255.255.255.0";

Loc2: OpenVPN client (192.168.12.6, other subnet 192.168.10.0/24)
  Server address: our public IP
  Server port: 1194
  Interface IP: 192.168.12.6/24
  Custom options: none

Loc3: OpenVPN client (home user, 192.168.12.10)
  remote our public IP
  port 1194
  proto tcp
  keepalive 10 60
  ping-timer-rem
  persist-tun
  persist-key
  dev tun
  proto tcp-client
-
Are you using shared key or PKI?
-
I use PKI.
-
Then you don't need a push route but a "route" line (just remove the word "push"), and then you need to add an entry on the Client-Specific Configuration tab that matches the name of the Loc2 certificate, and put "iroute 192.168.10.0 255.255.255.0;" in the custom options box there.
That will tell OpenVPN to (1) know that it needs to route traffic for 192.168.10.x, and (2) add an internal route for that subnet to the client connecting with Loc2's certificate.
-
That doesn't work. But if I set "Redirect Gateway" on in the Client-Specific Configuration, it works. But that is not what I want... Besides that, I can't open any websites if I turn Redirect Gateway on. I can only access the internal subnets.
-
You can try adding a push entry again for that subnet, or adding a route statement for the subnet to the Loc3 client config.
-
Yes, it works!!!!! Thanks, I've added a route to the Loc3 client config.
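The three pieces the thread ends up with (the server-side "route" plus the per-client "iroute" from the PKI answer above, and the client-side "route" that finally made Loc3 reach 192.168.10.0/24) shown together as plain OpenVPN config. This is an added example written for this page, not config copied from the poster's pfSense boxes; the CCD directory name, the certificate CN "loc2" and the placeholder public IP are assumptions, and pfSense generates the equivalent lines for you from the GUI fields mentioned in the thread.

```conf
# ---- Loc1: OpenVPN server (what pfSense writes from the GUI plus the custom options) ----
# Assumed file layout; on pfSense you only fill in the GUI fields / custom options box.
server 192.168.12.0 255.255.255.0          # "Address pool" 192.168.12.0/24 from the post
client-to-client                           # required: Loc3 -> Loc2 traffic stays inside the server process
client-config-dir ccd                      # directory of per-client files, one per certificate CN (name assumed)

# (1) kernel route on Loc1: 192.168.10.0/24 is reachable through the tun interface at all
route 192.168.10.0 255.255.255.0

# (2) what the other clients (home user Loc3) should send into the tunnel;
#     a "push" here and a "route" in the client config produce the same client-side kernel route
push "route 192.168.10.0 255.255.255.0"    # Loc2's LAN
push "route 192.168.254.0 255.255.255.0"   # Loc1's own LAN ("Local network" in the GUI)

# ---- Loc1: ccd/loc2  (file name must equal the CN of Loc2's certificate; "loc2" is assumed) ----
# OpenVPN-internal routing: tells the server that 192.168.10.0/24 lives behind THIS client session.
# Without it the server has a kernel route (1) but does not know which client to hand the packets to.
iroute 192.168.10.0 255.255.255.0

# ---- Loc3: home user client (the line that fixed it in the thread) ----
client
dev tun
proto tcp-client
remote 203.0.113.10 1194                   # placeholder for "our public IP" (documentation address)
persist-tun
persist-key
keepalive 10 60
# client-side equivalent of the server push; either one is enough once (1) and the iroute exist
route 192.168.10.0 255.255.255.0
```

Two checks worth doing when this still does not work: first, "iroute" is matched by certificate CN, so with "duplicate-cn" in the server options make sure only one session is using the Loc2 certificate, otherwise the server may attach the subnet to the wrong session; second, return traffic from 192.168.10.0/24 has to come back through Loc2's tunnel, which it will only if Loc2's pfSense is the default gateway for that LAN (or has a route for 192.168.12.0/24 via the tunnel) and its OpenVPN interface firewall rules allow traffic from 192.168.12.0/24.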