Clients can access server lan and vice versa - clients can't access client lans



  • I followed a guide a while ago to set up a pfSense openvpn server with two openvpn clients, both also on pfsense routers.
    I think the guide was this one:

    http://forum.pfsense.org/index.php?topic=48667.0

    I can connect to the server lan from either client and, connecting from the server lan works the other way too.
    However, the two client lans are not connected.
    I'm assuming that this is an openvpn routing issue but have no idea how to set it right.

    One client's internal network is 192.168.2.* and the other is 192.168.4.*
    The server's internal network is 192.168.0.*

    Under 'advanced configuration' on the server under the openvpn server tab, I have:

    ```
    push "route 192.168.0.0 255.255.255.0";route 192.168.1.0 255.255.255.0;route 192.168.2.0 255.255.255.0;route 192.168.4.0 255.255.255.0;
    ```

    In 'client specific overrides' on the server, under advanced for each client, there is something like:

    ```
    iroute 192.168.2.0 255.255.255.0
    ```

    (for the 192.168.2.* client network)
    Each pfsense box has an allow all traffic on the openvpn interface rule.
    
    There is nothing in the advanced boxes on the clients themselves.
    
    I would really appreciate it if anyone could point me in the right direction with this.

  • Banned

    ```
    push "route 192.168.0.0 255.255.255.0";route 192.168.1.0 255.255.255.0;route 192.168.2.0 255.255.255.0;route 192.168.4.0 255.255.255.0;
    ```

    The above is just badly wrong

    ```
    push "route 192.168.0.0 255.255.255.0"
    push "route 192.168.1.0 255.255.255.0"
    push "route 192.168.2.0 255.255.255.0"
    push "route 192.168.4.0 255.255.255.0"
    ```

  • Rebel Alliance Developer Netgate

    In the advanced options box you need to have a ; between statements (newlines in the box aren't guaranteed to be preserved)

    so it should really be:

    ```
    push "route 192.168.0.0 255.255.255.0";
    push "route 192.168.1.0 255.255.255.0";
    push "route 192.168.2.0 255.255.255.0";
    push "route 192.168.4.0 255.255.255.0";
    ```

    or

    ```
    push "route 192.168.0.0 255.255.255.0";push "route 192.168.1.0 255.255.255.0";push "route 192.168.2.0 255.255.255.0";push "route 192.168.4.0 255.255.255.0"
    ```

    You also need route statements for the network so that the OS on the server side knows it reaches those networks via the VPN also

    So ultimately, you'd end up with:

    ```
    push "route 192.168.0.0 255.255.255.0";push "route 192.168.1.0 255.255.255.0";push "route 192.168.2.0 255.255.255.0";push "route 192.168.4.0 255.255.255.0";route 192.168.1.0 255.255.255.0;route 192.168.2.0 255.255.255.0;route 192.168.4.0 255.255.255.0;
    ```

    The pushes ensure that each of the remote sites receive routes to the other remote sites as well as your server. The plain route statements handle the routing for your server side to reach the remote sites.
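The three kinds of statement discussed in this thread (server-side `route`, `push "route ..."`, and per-client `iroute`) each cover one hop of the hub-and-spoke path, and a site-to-site setup silently half-works when one of them is missing, exactly as in the original question. The following checker is an added example, not code from the thread or from pfSense: it parses the semicolon- or newline-separated text of the advanced boxes and reports which statement is absent for which LAN. The sample strings are constructed from the configurations quoted above.

```python
"""Check pfSense OpenVPN advanced-option text for a hub-and-spoke site-to-site VPN."""
import re
import shlex

def parse_advanced(text):
    """Split an advanced-options box into OpenVPN directives (lists of tokens).
    pfSense needs ';' between statements because newlines in the box are not
    guaranteed to survive, so both separators are accepted here."""
    return [shlex.split(s) for s in re.split(r"[;\n]", text) if s.strip()]

def directive_sets(directives):
    """Collect (network, mask) pairs seen in push "route", route and iroute lines."""
    pushed, routed, iroutes = set(), set(), set()
    for tok in directives:
        if tok[0] == "push" and len(tok) == 2:
            inner = tok[1].split()           # quoted argument: 'route NET MASK'
            if len(inner) == 3 and inner[0] == "route":
                pushed.add((inner[1], inner[2]))
        elif tok[0] == "route" and len(tok) == 3:
            routed.add((tok[1], tok[2]))
        elif tok[0] == "iroute" and len(tok) == 3:
            iroutes.add((tok[1], tok[2]))
    return pushed, routed, iroutes

def check_site_to_site(server_adv, overrides, hub_lans, spoke_lans):
    """Return a list of missing statements (empty when every hop is covered).
    overrides maps a spoke LAN to the text of that client's override box."""
    problems = []
    pushed, routed, _ = directive_sets(parse_advanced(server_adv))
    for net, mask in hub_lans + spoke_lans:      # every site must learn every LAN
        if (net, mask) not in pushed:
            problems.append(f'server: missing push "route {net} {mask}"')
    for net, mask in spoke_lans:
        if (net, mask) not in routed:            # server OS must send it into the tunnel
            problems.append(f"server: missing route {net} {mask}")
        _, _, iroutes = directive_sets(parse_advanced(overrides.get((net, mask), "")))
        if (net, mask) not in iroutes:           # OpenVPN must know which client owns it
            problems.append(f"override for {net}: missing iroute {net} {mask}")
    return problems

# Constructed sample data, taken from the configurations quoted in the thread.
HUB_LANS = [("192.168.0.0", "255.255.255.0"), ("192.168.1.0", "255.255.255.0")]
SPOKE_LANS = [("192.168.2.0", "255.255.255.0"), ("192.168.4.0", "255.255.255.0")]
OVERRIDES = {lan: f"iroute {lan[0]} {lan[1]}" for lan in SPOKE_LANS}
ORIGINAL_ADV = ('push "route 192.168.0.0 255.255.255.0";route 192.168.1.0 255.255.255.0;'
                'route 192.168.2.0 255.255.255.0;route 192.168.4.0 255.255.255.0;')
FIXED_ADV = ('push "route 192.168.0.0 255.255.255.0";push "route 192.168.1.0 255.255.255.0";'
             'push "route 192.168.2.0 255.255.255.0";push "route 192.168.4.0 255.255.255.0";'
             'route 192.168.1.0 255.255.255.0;route 192.168.2.0 255.255.255.0;route 192.168.4.0 255.255.255.0;')
```

Running `check_site_to_site(ORIGINAL_ADV, OVERRIDES, HUB_LANS, SPOKE_LANS)` reports the three missing `push "route ..."` lines that kept the two client LANs from seeing each other; the corrected string yields an empty list.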
