VPN from PfSense to Windows 2008 OpenVPN.net client - routing traffic both ways
Hi All,
I am trying to allow 2 Windows 2008 R2 Domain Controllers to communicate and replicate over a VPN connection. One is behind a PFSense router, but the other is only behind a basic router and I can only get limited one way communication.
I am hoping this is possible, although I haven't had a lot of success yet.
|----------------------- Site A -----------------------|                                              |---------------- Site B ----------------|
|---------------- LAN A (192.168.0.0/24) ---------------| <-----> Tunnel Network (192.168.100.0/24) <-----> |-------- LAN B (192.168.1.0/24) --------|
Windows Server A (192.168.0.10) <-> PFSense Router (192.168.0.1)                                       Windows Server B (192.168.1.10) with OVPN client

Hopefully the formatting on my ASCII art diagram works.
I have successfully created a tunnel from the PFSense at 192.168.0.1 to Windows Server B using the OpenVPN.net client.
What I can do:
- Ping Server A from Server B
- Ping Server B (on its tunnel address (192.168.100.5)) from Server B
What I would like to do:
- Ping Server B (On its LAN address (192.168.1.10)) from Server A
This is stopping the communication as Server A is expecting Server B on 192.168.1.10 not 192.168.100.5. I have tried cheating by putting a host record on Server A and that allows some communication, but no replication.
The pfSense OpenVPN server is set up as follows:
Server Mode: Peer to Peer (SSL/TLS)
Protocol: UDP
Device Mode: tun
Interface: WAN
Local port: 1194
I'll skip the SSL/TLS bit, as I assume this is not the issue.
Tunnel Network: 192.168.100.0/24
Redirect Gateway: Unchecked
Local Network: 192.168.0.0/24
Remote Network: 192.168.1.0/24
Concurrent connections: 10
Compression: Checked
Type-of-Service: Checked
Duplicate Connections: Unchecked

The OpenVPN.net client config is:

dev tun
persist-tun
persist-key
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote Pfsense-Router-IP 1194 udp
# tls-remote is deprecated in OpenVPN 2.3 and removed in 2.4 (replaced by verify-x509-name)
tls-remote server-cert-name
pkcs12 client.p12
tls-auth server.key
# comp-lzo and passtos match the "Compression" and "Type-of-Service" boxes ticked on the pfSense side
comp-lzo
passtos

Does anyone have any ideas how I can get the two servers to replicate active directory properly?
Many thanks,
John
Does server B end up with a route back to LAN A 192.168.0.0/24? ( "route print" in Windows, I think)
You could also run pfSense in a VM on server B, as a "one-armed router" with an IP like 192.168.1.11 providing the OpenVPN site-to-site link to LAN A. Then you can add a static route on server B, telling it that LAN A 192.168.0.0/24 is reached via 192.168.1.11 (or a route on your LAN B basic router). That would remove any messing about with how Windows Server copes with being an OpenVPN client.
Or even better, replace LAN B basic router with pfSense :)
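As an added example (not from either poster), here is a PowerShell diagnostic for Server B that runs the "route print" check the reply above asks for, finds the TAP adapter from its tunnel address, and reads one Windows default that fits the symptoms (the tunnel IP answers, the LAN IP does not). The LAN A prefix and Server B's tunnel address come from the question; the pfSense tunnel address 192.168.100.1 is an assumption, so confirm it under Status > OpenVPN before adding any route.

```powershell
# Added diagnostic for Server B (the Windows 2008 R2 OpenVPN client); not code from the thread.
# Assumptions: LAN A = 192.168.0.0/24, Server B tunnel address = 192.168.100.5,
# pfSense tunnel address = 192.168.100.1 (a guess, verify it on the pfSense side).
$lanA     = "192.168.0.0"
$lanAMask = "255.255.255.0"
$tunnelIp = "192.168.100.5"
$tunnelGw = "192.168.100.1"

# 1. Route back to LAN A: the check the reply suggests, parsed from the IPv4 routing table.
$pattern   = "^\s*$([regex]::Escape($lanA))\s+$([regex]::Escape($lanAMask))"
$routeLine = route -4 print | Where-Object { $_ -match $pattern }
if ($routeLine) {
    Write-Host "Route to LAN A is present:"
    $routeLine
} else {
    Write-Host "No route to $lanA/$lanAMask on Server B: pfSense did not push it, or the client ignored it."
    Write-Host "Manual route for testing (-p makes it persistent across reboots):"
    Write-Host "  route -p add $lanA mask $lanAMask $tunnelGw"
}

# 2. Locate the TAP adapter by its tunnel address. WMI works on 2008 R2 (Get-NetAdapter does not).
$tap = Get-WmiObject Win32_NetworkAdapterConfiguration |
       Where-Object { $_.IPAddress -contains $tunnelIp }
if (-not $tap) { Write-Host "No adapter holds $tunnelIp - is the tunnel actually up?"; return }
$idx = $tap.InterfaceIndex
Write-Host "Tunnel adapter: $($tap.Description) (interface index $idx)"

# 3. Strong vs weak host model. Since Vista/2008, Windows drops a packet that arrives on one
#    interface (the TAP) but is addressed to an IP bound to another (the LAN NIC, 192.168.1.10),
#    which is exactly why 192.168.100.5 answers and 192.168.1.10 does not. This is a known
#    Windows default, not something the thread itself diagnoses.
$ifInfo = netsh interface ipv4 show interface $idx
$line   = $ifInfo | Where-Object { $_ -match "Weak Host Receives" }
$weakRx = if ($line -match ":\s*(\w+)") { $Matches[1] } else { "unknown" }
Write-Host "Weak host receive on the TAP adapter: $weakRx"
if ($weakRx -ne "enabled") {
    Write-Host "To let the LAN address answer traffic arriving via the tunnel (run elevated):"
    Write-Host "  netsh interface ipv4 set interface $idx weakhostreceive=enabled weakhostsend=enabled"
}
```

If the route is present and weak host receive is enabled but 192.168.1.10 still does not answer, the next thing to look at is the Windows Firewall domain-profile rules, since the ICMP and AD replication rules can be scoped to the local subnet only.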