Help needed with road-warrior server/client routing on a new install



  • Hi,

    I am hoping to get some help with setting up a road-warrior server/client connection.  I am using a fresh install of pfSense 2.0.2-RELEASE (x86).

    If you view my attached network layout, what I am trying to do is run a stand-alone pfsense machine to act as a point of vpn connection to our LAN.  We want to get a lot of testing in with VPN before we commit to using pfsense as our main gateway to the internet (and better hardware).

    So, I have the server configured as:

    TUN Device Mode, UDP

    I am able to connect with a Win7x64 client, get a 10.0.8.6 address, and I can retain connection to the management interface.  Once connected, I no longer have access to the outside internet, and I am not able to access other servers on the LAN.

    I believe my problem is with routing, which is why none of the guides I've followed mention this part of the setup.

    I'm very new to this, so I need some help with setting up the routing so that a connecting client can communicate as if it were on the local LAN in the office.

    Is someone kind enough to help me through this?  I believe I need to set up the Advanced OpenVPN server configuration, as well as some options to export to the client with respect to the gateway, but that is where I have hit a brick wall.

    Also, I do not have a problem routing all traffic from the client through the VPN, as I'm not sure what sort of access I have to the main gateway as far as routes are concerned.  The main gateway is an antiquated fortigate VPN machine that has proven reliable as a gateway.  (We are trying to replace its vpn with OpenVPN).

    Thanks,

    -Evan
    ![ARM LAN Lucidchart - Google Chrome_2013-02-27_16-35-08.png](/public/imported_attachments/1/ARM LAN Lucidchart - Google Chrome_2013-02-27_16-35-08.png)



  • The LAN servers have to know a route to 10.0.8.0/24 somehow. Their default route will be 192.168.1.1 (the older router), so they will be trying to reply to you through that. Either:
    a) Add a static route on the old router, sending 10.0.8.0/24 to the pfSense; or
    b) Add a static route on every LAN server, sending 10.0.8.0/24 to the pfSense.
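    To make the return-route point concrete, here is an added example (not code from the thread or from pfSense) that follows a LAN server's reply to the VPN client hop by hop using a longest-prefix-match lookup, with and without the static route from options a) and b). It assumes 192.168.1.2 as a placeholder pfSense LAN address and constructs the server address and ISP hop; 192.168.1.1, 10.0.8.0/24 and 10.0.8.6 are the values from the thread.

```python
import ipaddress

# Constructed topology (not from the thread). 192.168.1.1 is the old router named
# in the reply and 10.0.8.6 the VPN client from the question; 192.168.1.2 is an
# ASSUMED placeholder for the pfSense LAN address; 198.51.100.1 is a constructed ISP hop.
PFSENSE_LAN_IP = "192.168.1.2"   # assumption / placeholder
VPN_TUNNEL_NET = "10.0.8.0/24"
VPN_CLIENT_IP = "10.0.8.6"

# device name -> (its LAN address, routing table as [(prefix, gateway-or-None)])
DEVICES = {
    "server":     ("192.168.1.50", [("0.0.0.0/0", "192.168.1.1"), ("192.168.1.0/24", None)]),
    "old_router": ("192.168.1.1",  [("0.0.0.0/0", "198.51.100.1"), ("192.168.1.0/24", None)]),
    "pfsense":    (PFSENSE_LAN_IP, [("0.0.0.0/0", "192.168.1.1"), ("192.168.1.0/24", None),
                                    (VPN_TUNNEL_NET, None)]),  # tunnel net modelled as on-link
}

def next_hop(routes, dst):
    """Longest-prefix match: the gateway, 'direct' for an on-link destination, or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return None if best is None else ("direct" if best[1] is None else best[1])

def with_route(devices, name, prefix, gw):
    """Copy of the topology in which device `name` has one extra static route."""
    ip, routes = devices[name]
    return {**devices, name: (ip, routes + [(prefix, gw)])}

def reply_path(devices, dst, start="server"):
    """Follow a reply packet from `start` until a device can deliver it on-link
    ('direct') or it is handed to a gateway outside the LAN model ('lost')."""
    by_ip = {ip: name for name, (ip, _) in devices.items()}
    hop, path = start, []
    while hop is not None and hop not in path:   # stop on unknown gateway or loop
        path.append(hop)
        gw = next_hop(devices[hop][1], dst)
        if gw == "direct":
            return path + ["direct"]
        hop = by_ip.get(gw)
    return path + ["lost"]

if __name__ == "__main__":
    print("no route:       ", reply_path(DEVICES, VPN_CLIENT_IP))
    fixed_router = with_route(DEVICES, "old_router", VPN_TUNNEL_NET, PFSENSE_LAN_IP)
    print("route on router:", reply_path(fixed_router, VPN_CLIENT_IP))
    fixed_server = with_route(DEVICES, "server", VPN_TUNNEL_NET, PFSENSE_LAN_IP)
    print("route on server:", reply_path(fixed_server, VPN_CLIENT_IP))
```

    Without the route the reply follows the server's default route to the old router and leaves the LAN; with the /24 on either device the more specific prefix wins and the reply reaches pfSense and the tunnel.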



  • Alright, it is starting to make sense now.  I forced an IP/DNS/Gateway on another machine, then used the VPN to log in on my other box and I was able to communicate between the two machines.

    I'll get on that fortinet and see what I can do about routes, otherwise we may just make the switch to full on pfSense.  It is very nice.



  • This worked like a charm, Thanks!  It makes a lot more sense now.

    Have a good one.

