Route trouble openvpn

tunge2

We have two pfsense machines
On one pfsense machine we installed the openvpn server software and on the other PFsense machine the openvpn client software. The openvpn connection between the two pfsense machines are working (ping goes both ways) fine

Now comes the problem: We want our home user to make connection to Loc1 (that’s working) and through Loc1 to Loc2 to that subnet (192.168.10.0/24). I can ping with loc3 the openvpn ipadres of loc1 and loc2. But not the ip of the subnet behind loc2. If i do a traceroute from Loc3 to 192.168.10.254 the route goes through 192.168.12.1 and stops (time outs)

So the question is how (and is it possible) can i resolve this?

Loc1: openvpn server (192.168.12.1  192.168.254.0/24)
protocol                       tcp
locale port                     1194
adresspool                     192.168.12.0/24
local network                 192.168.254.0/24
remote network              nothing
Client-to-client               set/yes
Custom options               duplicate-cn;user root;group wheel;management 127.0.0.1 21194;push "route 192.168.10.0 255.255.255.0";

Loc2: Openvpn client (192.168.12.6  other subnet  192.168.10.0/24)
Server address our public ip
Server port 1194
Interface IP 192.168.12.6/24
Custom options none

Loc3: Openvpn (home user 192.168.12.10) client
Remote our public ip
Port 1194
proto tcp
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-client

jimp

Are you using shared key or PKI?

tunge2

I use PKI

jimp

Then you don't need to do a push route, but a "route" line (just remove the word "push") and then you need to add an entry on the client-specific-config tab that matches the the name of the loc2 certificate, and put "iroute 192.168.10.0 255.255.255.0;" in the custom options box there.

That will tell openvpn to (1) know that it needs to route traffic for 192.168.10.x, and (2) add an internal route for that subnet to the client connecting with loc2's certificate.

tunge2

That doesn't work. But if i set "Redirect Gateway" on by  Client-specific configuration. it works.  But that is not what i want…Beside that i can't open any websites if i turn Redirect Gateway on. I can only access the internal subnets

jimp

You can try adding a push entry again for that subnet, or adding a route statement for the subnet to the loc3 client config.

tunge2

@jimp:

You can try adding a push entry again for that subnet, or adding a route statement for the subnet to the loc3 client config.

Yes it works!!!!! thanks Ive add a route to the loc3 client config