Netgate Discussion Forum

    Route trouble openvpn

tunge2

We have two pfSense machines. On one pfSense machine we installed the OpenVPN server and on the other pfSense machine the OpenVPN client. The OpenVPN connection between the two pfSense machines is working fine (ping goes both ways).

Now comes the problem: we want our home user to connect to Loc1 (that's working) and, through Loc1, to the subnet behind Loc2 (192.168.10.0/24). From Loc3 I can ping the OpenVPN IP addresses of Loc1 and Loc2, but not the IPs of the subnet behind Loc2. If I do a traceroute from Loc3 to 192.168.10.254, the route goes through 192.168.12.1 and then stops (time-outs).

So the question is: how can I resolve this (and is it possible)?

Loc1: OpenVPN server (192.168.12.1, LAN 192.168.254.0/24)
  Protocol           tcp
  Local port         1194
  Address pool       192.168.12.0/24
  Local network      192.168.254.0/24
  Remote network     nothing
  Client-to-client   yes
  Custom options     duplicate-cn;user root;group wheel;management 127.0.0.1 21194;push "route 192.168.10.0 255.255.255.0";

Loc2: OpenVPN client (192.168.12.6, other subnet 192.168.10.0/24)
  Server address     our public IP
  Server port        1194
  Interface IP       192.168.12.6/24
  Custom options     none

Loc3: OpenVPN client (home user, 192.168.12.10)
  remote our public ip
  port 1194
  proto tcp
  keepalive 10 60
  ping-timer-rem
  persist-tun
  persist-key
  dev tun
  proto tcp-client

jimp (Rebel Alliance Developer, Netgate)

Are you using shared key or PKI?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

tunge2

I use PKI.

jimp (Rebel Alliance Developer, Netgate)

Then you don't need a push route but a "route" line (just remove the word "push"), and then you need to add an entry on the Client Specific Configuration tab that matches the name of the Loc2 certificate, and put "iroute 192.168.10.0 255.255.255.0;" in the custom options box there.

That will tell OpenVPN to (1) know that it needs to route traffic for 192.168.10.x, and (2) add an internal route for that subnet to the client connecting with Loc2's certificate.

tunge2

That doesn't work. But if I set "Redirect Gateway" on in the client-specific configuration, it works. But that is not what I want... Besides that, I can't open any websites if I turn Redirect Gateway on; I can only access the internal subnets.

jimp (Rebel Alliance Developer, Netgate)

You can try adding a push entry again for that subnet, or adding a route statement for the subnet to the Loc3 client config.

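The two answers above describe one rule: a subnet behind a connected client needs a server-side "route" (so the kernel hands packets to the tun interface), an "iroute" in that client's client-specific-config entry (so OpenVPN knows which connected client owns the subnet), and a "route" on every other client that should reach it, either in that client's own config or pushed by the server. The following checker, an added example written for this page and not code from the thread or from pfSense, parses the posted custom-options lines and client config and reports which of those pieces is missing. The CCD entry name "loc2" and the "<our-public-ip>" placeholder are assumptions; everything else is taken from the configurations posted in the thread.

```python
"""Route / iroute / push consistency check for an OpenVPN server (added example)."""
import ipaddress
import shlex


def parse_directives(text):
    """Return [(directive, [args...])] from OpenVPN config text.

    Accepts one directive per line (.ovpn style) and pfSense custom-options
    style, where several directives are joined with ';'. A line whose first
    character is '#' or ';' is a comment. A ';' inside a quoted value is not
    handled by this simple splitter.
    """
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        for chunk in line.split(";"):
            toks = shlex.split(chunk)
            if toks:
                out.append((toks[0], toks[1:]))
    return out


def net(args):
    """Network from OpenVPN's 'address netmask' pair; extra args (gateway, metric) are ignored."""
    if len(args) == 1:
        return ipaddress.ip_network(args[0], strict=False)
    return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)


def check_routing(server_cfg, ccd, clients):
    """server_cfg: server config text; ccd: {common_name: CCD text};
    clients: {name: client config text} for clients that should reach the subnets.
    Returns a sorted list of 'ERROR: ...' / 'WARN: ...' findings ([] when consistent)."""
    server = parse_directives(server_cfg)
    routes = {net(a) for d, a in server if d == "route"}
    pushed = set()
    for d, a in server:
        if d == "push":
            inner = shlex.split(a[0])          # push "route X Y" -> ['route', X, Y]
            if inner and inner[0] == "route":
                pushed.add(net(inner[1:]))
    iroutes = {}                               # subnet -> [common names claiming it]
    for cn, text in ccd.items():
        for d, a in parse_directives(text):
            if d == "iroute":
                iroutes.setdefault(net(a), []).append(cn)

    findings = []
    for n in pushed - routes:
        findings.append(f"ERROR: {n} is pushed to clients but the server has no 'route' "
                        f"for it, so the server forwards replies via its default gateway")
    for n in routes - set(iroutes):
        findings.append(f"ERROR: server 'route {n}' has no matching 'iroute' in any CCD "
                        f"entry, so OpenVPN cannot tell which client owns the subnet")
    for n, cns in iroutes.items():
        if n not in routes:
            findings.append(f"ERROR: 'iroute {n}' in CCD for {cns} but no server 'route', "
                            f"so the kernel never hands those packets to OpenVPN")
        if len(cns) > 1:
            findings.append(f"ERROR: {n} is claimed by several CCD entries: {cns}")
    if iroutes and any(d == "duplicate-cn" for d, _ in server):
        findings.append("WARN: duplicate-cn lets several connections share the CN an "
                        "'iroute' is bound to, so the subnet cannot be pinned to one instance")
    for name, text in clients.items():
        have = {net(a) for d, a in parse_directives(text) if d == "route"}
        owned = {n for n, cns in iroutes.items() if name in cns}
        for n in set(iroutes) - owned - pushed - have:
            findings.append(f"ERROR: {name} has no 'route' for {n} (not in its config, not pushed)")
    return sorted(findings)


# Constructed from the thread: Loc1's custom options as first posted ...
SERVER_BEFORE = ('duplicate-cn;user root;group wheel;management 127.0.0.1 21194;'
                 'push "route 192.168.10.0 255.255.255.0";')
# ... and with the push replaced by a plain route, as jimp suggested
SERVER_AFTER = ('duplicate-cn;user root;group wheel;management 127.0.0.1 21194;'
                'route 192.168.10.0 255.255.255.0;')
# CCD entry keyed by Loc2's certificate common name ("loc2" is an assumption)
CCD_AFTER = {"loc2": "iroute 192.168.10.0 255.255.255.0;"}
# Loc3's client config as posted; <our-public-ip> stands in for the real address
LOC3_BEFORE = "remote <our-public-ip> 1194\nproto tcp-client\nkeepalive 10 60\nping-timer-rem\npersist-tun\npersist-key\ndev tun\n"
# ... plus the route line tunge2 finally added
LOC3_AFTER = LOC3_BEFORE + "route 192.168.10.0 255.255.255.0\n"

if __name__ == "__main__":
    for label, srv, ccd, cli in (("as posted", SERVER_BEFORE, {}, LOC3_BEFORE),
                                 ("route+iroute only", SERVER_AFTER, CCD_AFTER, LOC3_BEFORE),
                                 ("final", SERVER_AFTER, CCD_AFTER, LOC3_AFTER)):
        print(f"[{label}]")
        for f in check_routing(srv, ccd, {"loc3": cli}) or ["ok"]:
            print("  ", f)
```

Run against the configurations in the thread, the first variant reports only that the subnet is pushed without a server route, which matches the traceroute that dies at 192.168.12.1: Loc3 sends the packet into the tunnel, but Loc1's kernel has no route back into the tun interface. The second variant reproduces the "that doesn't work" state, where the server can now reach Loc2's LAN but Loc3 has no route for it, and the final variant is clean apart from a warning that "duplicate-cn" in the posted server options lets more than one connection present the certificate the "iroute" is bound to.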
tunge2

@jimp:

You can try adding a push entry again for that subnet, or adding a route statement for the subnet to the Loc3 client config.

Yes, it works!!!!! Thanks, I've added a route to the Loc3 client config.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.