    OpenVPN Road warriors sending traffic to remote side of site to site VPN

    OpenVPN
      ZackSmith last edited by

      Is this possible to do?

      We have two sites joined by an IPsec VPN.
      We have some road warriors connecting with the OpenVPN client into one of the pfSense boxes.

      Is it possible for the road warriors to see both sides of the tunnel?

      Thanks

      Zack

        jimp Rebel Alliance Developer Netgate last edited by

        Sure, as long as you push the right routes to the clients for both sites, and also ensure the site that they don't connect to directly has a route back to the main site for the remote access client subnet.

          ZackSmith last edited by

          OK, we have pushed the correct routes and added a static route back from the remote side; however, it doesn't respond.

          Site A internal 10.1.0.x --- IPsec VPN --- Site B internal 10.0.22.x

          The road warrior connects to Site A, with an OpenVPN config IP pool of 10.10.0.0/24.

          This allows connection to 10.1.0.x network but not the 10.0.22.x side.

          We have added the static route to Site B as 10.10.0.0/24 10.1.0.254

          Looking at the pfSense book chapter 15.10.1, we have added the routes as: push "route 10.0.22.0 255.255.0";

          Thanks

          Zack

            jimp Rebel Alliance Developer Netgate last edited by

            Sorry I missed the IPsec bit first. You'd have to add the OpenVPN client subnet as an additional subnet in the IPsec config (or expand the subnet definition to include it) on both sides.

            If it's pfSense at both sites you'd be better off making a shared key site-to-site tunnel instead of IPsec. Routing is much easier that way.

              ZackSmith last edited by

              Thanks for the quick reply!

              We've tried parallel VPNs as we are running 1.2.3, but this hasn't worked. The next step is either upgrading to 2.0 or, as you say, making a shared key site-to-site; however, both are a risk in the production network.

              thanks

              Zack

                GruensFroeschli last edited by

                Do it over the weekend.
                You can move from IPSEC very easily to OpenVPN.
                Leave the IPSEC active and configure the OpenVPN link.
                IPSEC will take precedence over OpenVPN, so even if you have both links active the IPSEC one will be used.
                When you think you have everything with OpenVPN right, you can just disable the IPSEC link and everything should switch over.
                If there are problems with the OpenVPN link you can just reenable the IPSEC link and go back to your working setup.

                  HillBoy last edited by

                  @jimp:

                  Sorry I missed the IPsec bit first. You'd have to add the OpenVPN client subnet as an additional subnet in the IPsec config (or expand the subnet definition to include it) on both sides.

                  If it's pfSense at both sites you'd be better off making a shared key site-to-site tunnel instead of IPsec. Routing is much easier that way.

                  I never could get this to work so my setup is exactly like this one. The site-to-site tunnel never connected with OpenVPN, never opened a route to the remote site and no traffic moved site-to-site. My current setup uses an IPSec tunnel for site-to-site while my users use OpenVPN clients to connect to the internal network. As a workaround, I have OpenVPN servers in both locations and a user picks which site they wish to connect. I posted my problem here quite a while ago and never got an answer so I gave up and decided to wait for version 2. I will try adding the OpenVPN subnet to my IPSec config as you have suggested.
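
Added example, not part of any post in this thread: a small model of jimp's IPsec advice using the subnets quoted above. It assumes a policy-based tunnel in which only flows covered by a (local, remote) subnet pair on the sending side enter the tunnel; the host addresses and selector lists are constructed for illustration.

```python
import ipaddress

# Subnets from the thread; the selector lists below are a constructed model.
SITE_A_LAN = ipaddress.ip_network("10.1.0.0/24")
SITE_B_LAN = ipaddress.ip_network("10.0.22.0/24")
OVPN_POOL = ipaddress.ip_network("10.10.0.0/24")


def covered(selectors, src, dst):
    """True if some (local, remote) selector pair covers the flow src -> dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in local and dst in remote for local, remote in selectors)


def round_trip(site_a, site_b, client, server):
    """Check the request at Site A and the reply at Site B separately."""
    return {
        "request": covered(site_a, client, server),
        "reply": covered(site_b, server, client),
    }


def smallest_supernet(a, b):
    """Smallest single network containing both a and b."""
    net = a
    while not b.subnet_of(net):
        net = net.supernet()
    return net


# Tunnel as described in the thread: LAN-to-LAN only.
ORIGINAL_A = [(SITE_A_LAN, SITE_B_LAN)]
ORIGINAL_B = [(SITE_B_LAN, SITE_A_LAN)]
# The client pool added as an additional subnet, mirrored on both sides.
FIXED_A = ORIGINAL_A + [(OVPN_POOL, SITE_B_LAN)]
FIXED_B = ORIGINAL_B + [(SITE_B_LAN, OVPN_POOL)]

if __name__ == "__main__":
    client, server = "10.10.0.6", "10.0.22.10"  # constructed host addresses
    print("original :", round_trip(ORIGINAL_A, ORIGINAL_B, client, server))
    print("A only   :", round_trip(FIXED_A, ORIGINAL_B, client, server))
    print("both     :", round_trip(FIXED_A, FIXED_B, client, server))
    wide = smallest_supernet(SITE_A_LAN, OVPN_POOL)
    print("expanded :", wide, "overlaps Site B:", wide.overlaps(SITE_B_LAN))
```

With these particular addresses, the smallest single network that holds both the Site A LAN and the client pool is 10.0.0.0/12, which also contains the Site B LAN, so the "additional subnet" option is the one that keeps the tunnel's scope limited to the three /24s.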
