OpenVPN Routing to other sites - Solved

  • Hello,

    I have inherited a network that looks like the picture below.

    Historically, all computers on all sites can access each other; however, users connecting to the VPN can only access the computers on Site 1.

    I'd like to be able to give the VPN users access to all computers on all sites.

    On Site 1, I've added the following to the VPN Connection for the VPN Clients:

    push "route"; push "route";

    On Sites 2 and 3, I've added the following to their VPN connection for Site 1.


    When connected to the VPN I can now connect to the routers on each site, however I still cannot connect to the computers on Sites 2 and 3.

    When connected to the VPN, I get the following results:


    Tracing route to over a maximum of 30 hops

      1    36 ms    34 ms    33 ms     <= pfSense router at Site 1
      2   109 ms   112 ms    95 ms     <= pfSense router at Site 3

    Trace complete.


    Tracing route to [] over a maximum of 30 hops:

      1    34 ms    33 ms    34 ms     <= pfSense router at Site 1
      2    84 ms    78 ms    74 ms     <= pfSense router at Site 3
     3     *        *        *     Request timed out.
     4     *        *        *     Request timed out.

    Have you any suggestions as to where I have gone wrong?

  • It looks pretty good, everything should know routes to everywhere else. As long as the clients themselves are using these pfSense boxes as their default gateway - hopefully the box at has its default gateway, so it can reply successfully. Otherwise it would need specific routes in its routing table to tell it how to get to and (maybe the first 2 of these are already in the client at And that they are willing to respond to an ICMP echo request from (maybe they have some firewall themselves that is only responding to the various 172 addresses?)
    By the traceroutes shown, you must have already had firewall rules on OpenVPN that allow the traffic from to the other parts of the network.

  • Thanks for the reply.

    The Windows firewall was disabled on the server.

    I've tried it in reverse, and that worked.

    Tracing route to W7WS []
    over a maximum of 30 hops:
      1    <1 ms    <1 ms    <1 ms
      2    41 ms    41 ms    40 ms
      3    77 ms    76 ms    76 ms  W7WS []
    Trace complete.

    I then tried accessing a non-Windows server, and that worked too.

    After a bit more hunting around (as I said, it's a network that I've inherited very recently), there was a firewall enabled on the Windows servers at the remote sites by the Endpoint Security, with trusted networks that didn't include the VPN network.
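The two things this thread turns on, the routes pushed to VPN clients and the host firewall's trusted-network list on the remote servers, can be checked mechanically. This is an added example, not code from the thread or from pfSense; the subnets and the config snippet are constructed because the thread's real addresses are not shown.

```python
import ipaddress

# Constructed sample values (the thread's real addresses are not shown); the
# site LANs follow the "various 172 addresses" mentioned in the reply.
VPN_CLIENT_SUBNET = ipaddress.ip_network("10.8.0.0/24")
SITE_SUBNETS = [ipaddress.ip_network(n)
                for n in ("172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24")]
# Constructed OpenVPN server config: routes pushed to VPN clients on Site 1.
SERVER_CONFIG = '''
push "route 172.16.1.0 255.255.255.0"
push "route 172.16.2.0 255.255.255.0"
push "route 172.16.3.0 255.255.255.0"
'''
# Constructed "trusted networks" list from the endpoint security policy on the
# remote Windows servers, before and after adding the VPN client subnet.
TRUSTED_BEFORE = [ipaddress.ip_network("172.16.0.0/16")]
TRUSTED_AFTER = TRUSTED_BEFORE + [VPN_CLIENT_SUBNET]

def parse_pushed_routes(config):
    """Networks from push "route <net> <mask>" lines, as ip_network objects."""
    routes = []
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith('push "route '):
            continue
        parts = line[len('push "'):].rstrip('"').split()  # ['route', net, mask]
        if len(parts) >= 3:
            routes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return routes

def missing_routes(site_subnets, pushed):
    """Site subnets no pushed route fully covers: unreachable for VPN clients."""
    return [s for s in site_subnets if not any(s.subnet_of(r) for r in pushed)]

def untrusted_vpn_space(vpn_subnet, trusted):
    """Pieces of the VPN client subnet no trusted network covers ([] == all trusted)."""
    remaining = [vpn_subnet]
    for t in trusted:
        nxt = []
        for r in remaining:
            if r.subnet_of(t):
                continue                            # fully trusted, drop it
            if t.subnet_of(r):
                nxt.extend(r.address_exclude(t))    # carve out the trusted part
            else:
                nxt.append(r)                       # disjoint, still untrusted
        remaining = nxt
    return remaining
```

With the constructed values the route check passes while the trusted-network check reports the whole 10.8.0.0/24 as untrusted until it is added, which matches the symptom in the thread: the router at Site 3 answers, but the host behind it drops the reply.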