Route trouble openvpn



  • We have two pfSense machines.
    On one pfSense machine we installed the OpenVPN server software and on the other pfSense machine the OpenVPN client software. The OpenVPN connection between the two pfSense machines is working fine (ping goes both ways).

    Now comes the problem: We want our home user to make a connection to Loc1 (that's working) and through Loc1 to Loc2, to that subnet (192.168.10.0/24). From Loc3 I can ping the OpenVPN IP address of Loc1 and Loc2, but not the IP of the subnet behind Loc2. If I do a traceroute from Loc3 to 192.168.10.254, the route goes through 192.168.12.1 and stops (times out).

    So the question is: how (and is it possible) can I resolve this?

    Loc1: OpenVPN server (192.168.12.1, 192.168.254.0/24)
    protocol: tcp
    local port: 1194
    address pool: 192.168.12.0/24
    local network: 192.168.254.0/24
    remote network: nothing
    Client-to-client: set/yes
    Custom options: duplicate-cn;user root;group wheel;management 127.0.0.1 21194;push "route 192.168.10.0 255.255.255.0";

    Loc2: OpenVPN client (192.168.12.6, other subnet 192.168.10.0/24)
    Server address: our public IP
    Server port: 1194
    Interface IP: 192.168.12.6/24
    Custom options: none

    Loc3: OpenVPN client (home user 192.168.12.10)
    Remote: our public IP
    Port: 1194
    proto tcp
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto tcp-client


  • Rebel Alliance Developer Netgate

    Are you using shared key or PKI?



  • I use PKI


  • Rebel Alliance Developer Netgate

    Then you don't need to do a push route, but a "route" line (just remove the word "push"), and then you need to add an entry on the client-specific-config tab that matches the name of the loc2 certificate, and put "iroute 192.168.10.0 255.255.255.0;" in the custom options box there.

    That will tell openvpn to (1) know that it needs to route traffic for 192.168.10.x, and (2) add an internal route for that subnet to the client connecting with loc2's certificate.



  • That doesn't work. But if I set "Redirect Gateway" on in the Client-specific configuration, it works. But that is not what I want… Besides that, I can't open any websites if I turn Redirect Gateway on. I can only access the internal subnets.


  • Rebel Alliance Developer Netgate

    You can try adding a push entry again for that subnet, or adding a route statement for the subnet to the loc3 client config.



  • @jimp:

    You can try adding a push entry again for that subnet, or adding a route statement for the subnet to the loc3 client config.

    Yes, it works! Thanks, I've added a route to the loc3 client config.
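Putting jimp's three pieces together (a plain "route" on the server, a per-client "iroute" in the client-specific config, and a "route" in the home user's client config) in plain OpenVPN directive form, as an added example that is not from this thread. The certificate common name "loc2-pfsense" and the client-config-dir path are assumptions; on pfSense the Client Specific Overrides tab writes the ccd file for you, and the other directives from the page (duplicate-cn, user, group, management) are left out here because they do not affect the routing.

```conf
# --- Loc1: OpenVPN server (pfSense "Custom options" / server.conf) ---
# Kernel route on the server: send 192.168.10.0/24 into the tun interface.
# This is the "route" line jimp asked for, not "push route".
route 192.168.10.0 255.255.255.0

# Clients may talk to each other through the OpenVPN process (already
# enabled as Client-to-client on the page); needed so Loc3 -> Loc2 traffic
# is relayed inside the server.
client-to-client

# Per-client config directory. pfSense fills this from the Client Specific
# Overrides tab; the path below is an assumption, not a pfSense default.
client-config-dir /var/etc/openvpn/server1/ccd

# --- Loc1: ccd file for Loc2, named after the CN of Loc2's certificate ---
# File: /var/etc/openvpn/server1/ccd/loc2-pfsense   (CN is assumed)
# iroute tells OpenVPN's internal routing table which client session owns
# 192.168.10.0/24. Without it the kernel route above leads into the tun but
# OpenVPN has no session to hand the packets to, so they die at 192.168.12.1
# exactly as the traceroute on the page shows.
# Note: the original server options include duplicate-cn, which lets several
# sessions share one certificate; with a per-CN iroute that makes it
# ambiguous which session receives the subnet, so give each site its own cert.
iroute 192.168.10.0 255.255.255.0

# --- Loc3: home user's client config (the line that fixed it) ---
# The server's "route" only changes the server's own kernel table. A
# road-warrior client still needs its own route to the remote subnet, either
# pushed by the server or written locally as here.
route 192.168.10.0 255.255.255.0
```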

