From roadwarriors to VPN site to site

  • Hi guys,

    must implement that rule in the firewall to reach the VPN SITE TO SITE Roadwarriors connecting from?



  • Can you try re-wording your question to make it clearer what you're asking please. It would help to know what version of pfSense you're talking about.

  • OK :) I use pfSense 1.2.3.
    I have to connect the roadwarriors to the VPN site to site. Is it possible?

  • I don't believe so, but it is simple to create another VPN just for those roadwarriors.

  • I agree with Cry Havok.
    I have not figured out how to do so with PSK, I am working on moving to PKI and if I figure out a way I will let you know.

  • Hi all,

    I have two OpenVPN servers:

    one is a site-to-site VPN,
    two is a roadwarriors VPN connection.

    I would like to connect to the site-to-site VPN from the roadwarriors VPN.

    Could you help me?

  • That's just a routing issue - you have to ensure that all devices (or at least their default gateways, the routers) know how to reach all the IP ranges you're using.

    That's easier if your OpenVPN servers are also the default gateways for their networks. If they aren't then ensure that all the default gateways, on both the local and remote networks, know how to route to your Roadwarrior IP range. You'll also want to ensure that the Roadwarriors have the OpenVPN server pushed as their default gateway or have appropriate static routes pushed.

    For anything more precise you'll need to provide a diagram of your networks, how they are connected and what IP ranges you're using.

  • I have attached the screenshot.

    My VPN roadwarriors do not ping the VPN site to site.

  • @Cry:

    For anything more precise you'll need to provide a diagram of your networks, how they are connected and what IP ranges you're using.

  • You will also want to remove your actual public IPs/FQDNs from your examples above.

  • On one pfSense box I have the following OpenVPN configurations:

    As a server for Road Warriors
    Dynamic IP: yes
    Address pool:
    Local network:
    Client-to-client VPN: yes
    Cryptography: BF-CBC (128-bit)
    Authentication method: PKI
    CA cert
    Server cert
    Server key
    DH parameters
    LZO compression: yes

    As a server for site-to-site OpenVPN
    Address pool:
    Remote network:
    Cryptography: BF-CBC (128-bit)
    Authentication method: Shared key
    Shared key cert
    LZO compression: yes

    My routing issue is:
    From Site 1 I can reach hosts on Site 2 and vice versa.
    From Road Warrior I can reach hosts on Site 1.
    I want to be able to reach hosts in Site 2 from Road Warrior.

    Could you help me?

  • It would be much, much, easier to help you if you'd provide the information we ask for.

    I'm guessing that Site 2 doesn't know how to route to the Road Warrior LAN.

  • Yes :) Roadwarriors don't ping Site 2.

  • I'll say it slightly differently - have you configured the routers at Site 2 so that they know how to route to the Road Warrior subnet? They'll need a static route for with a route through the Site 2 OpenVPN server's LAN IP.

  • I was told this arrangement isn't possible, to have OpenVPN clients to one LAN have their traffic pass through another OpenVPN to another LAN... so I just set up more OpenVPN clients and servers... it would be nice if each site only needed one OpenVPN... but I never got that working!

  • That's not actually true.
    I have this exact setup working.

    It's really a matter of setting up static routes on every router involved, so every device knows where to send traffic to.

  • It is perfectly possible - I've done it and I know some folks who have an intra-site VPN that they use daily without problems.

    As GruensFroeschli said, it's just a matter of getting the routes right.

  • I don't follow. The site-to-site OpenVPN comes up and the routes are set up. I have a client-to-site VPN on the same pfSense and I add the correct push route statement to the OpenVPN configuration.

    Client VPN traffic goes from OpenVPN to pfSense as the first hop, but then no further.

    How could I add a route for this?

  • The other side of the site-to-site knows nothing about the roadwarrior subnet.
    -> You need a static route to make the roadwarriors known.
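As an added illustration of the routing fix the replies above describe (constructed for this page, not posted by anyone in the thread), here are the OpenVPN 2.x directives for the three endpoints, using assumed RFC 1918 placeholder ranges: 10.8.0.0/24 for the road warrior pool, 10.9.0.0/30 for the site-to-site tunnel, 192.168.1.0/24 for Site 1's LAN and 192.168.2.0/24 for Site 2's LAN, with the Site 2 pfSense LAN IP assumed to be 192.168.2.1.

```conf
# --- Site 1 pfSense: road warrior server (PKI, tun) ---
# Assumed addresses. Push BOTH LANs so each road warrior sends
# Site 2 traffic into the tunnel instead of out its own default gateway.
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
client-to-client

# --- Site 1 pfSense: site-to-site server (shared key, point-to-point tun) ---
# Site 1 only needs a kernel route for Site 2's LAN via the tunnel;
# the road warrior pool already terminates on this box.
ifconfig 10.9.0.1 10.9.0.2
route 192.168.2.0 255.255.255.0

# --- Site 2 pfSense: site-to-site client (shared key) ---
# This is the piece the thread says is missing: Site 2 must have a
# kernel route for the ROAD WARRIOR pool through the tunnel, not only
# for Site 1's LAN, or replies to 10.8.0.x leave via the WAN and die.
ifconfig 10.9.0.2 10.9.0.1
route 192.168.1.0 255.255.255.0
route 10.8.0.0 255.255.255.0

# --- Site 2 LAN router, only if pfSense is NOT the default gateway ---
# Static route on that router (syntax depends on the device):
#   destination 10.8.0.0/24  next hop 192.168.2.1
# Firewall rules on both sites' OpenVPN interfaces must also permit
# traffic to and from 10.8.0.0/24, or the routes alone will not help.
```

In the pfSense GUI these correspond to the Local network / Remote network fields shown in the configuration above; the extra `route` and `push "route ..."` lines go wherever your version accepts additional OpenVPN directives.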