VPN Client access to VPN Tunnel



  • I have a multi-office OpenVPN setup.  The main office is the server and has two VPN connections.  The first is a VPN tunnel to the second location.  The second is for remote clients.  Both seem to work really well.  My problem is accessing data through the tunnel when connecting as a remote client.

    What needs to be done to route traffic from the VPN Client connection to Site A, through the VPN Tunnel, to Site B?

    Here is a sample of how it is configured…

    Site A (Server Side):
    LAN: 192.168.1.0/24

    VPN Clients
    Tunnel Network: 10.0.6.0/24
    Local Network: 192.168.1.0/24

    VPN Tunnel
    Tunnel Network: 10.0.7.0/30
    Local Network: 192.168.1.0/24

    Site B (Client Side):
    LAN: 192.168.2.0/24

    VPN Tunnel: 10.0.7.0/30
    Remote Network: 192.168.1.0/24



  • Tunnel network must be different on each OpenVPN server.
    On the VPN for road-warrior clients, in Local Network put all the networks that are reached through this VPN. In your example, you can use 192.168.0.0/22 to cover both LAN subnets (and a bit more), or put a list (works in 2.1-RELEASE). In my attached screenshot, I have various offices in subnets like 10.49.n.0/24 and some test gear in 10.99.n.0/24 - so in Local Networks I cover it all with 10.49.0.0/16 and 10.99.0.0/16 - then as I add offices in future with subnets inside 10.49.0.0/16 the Road Warriors get routed to them without having to touch the Road Warrior OpenVPN settings.




  • I have the same problem as ajega. Mobile clients can't connect to machines on the client subnet. Connection to machines on the server subnet works.

    I've attached screen shots of the main server setup and the setup for mobile clients

    ![Site to site.jpg](/public/imported_attachments/1/Site to site.jpg)
    ![Mobile setup.jpg](/public/imported_attachments/1/Mobile setup.jpg)



  • @thetallkid:
    The site-to-site advanced text is not needed - and in any case you do not want to push a route to 10.91.6.0 to the 10.91.6.0 end itself.
    IPv4 Local Network/s - on the site-to-site you only want 10.0.41.0/24 in there. 10.91.6.0/24 is actually at the other end of the site-to-site link, as you correctly specified in the IPv4 Remote Network/s section.
    Assuming you have firewall rules that permit the traffic, it should go.



  • Thanks for the response. I removed the push route of 10.91.6.0.

    Using the ping tool in pfSense, I can ping the OpenVPN server and machines on the server subnet from the client. However, pinging the client from the server side results in 100% packet loss.
    Checked the firewall rules and matching ports are enabled for both server and client on the WAN port. OpenVPN also has a rule to allow traffic.

    The logs at the client side have the following:

    Sep 25 11:07:24 openvpn[30769]: TUN/TAP device ovpnc2 exists previously, keep at program end
    Sep 25 11:07:24 openvpn[30769]: TUN/TAP device /dev/tun2 opened
    Sep 25 11:07:24 openvpn[30769]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Sep 25 11:07:24 openvpn[30769]: /sbin/ifconfig ovpnc2 10.0.44.6 10.0.44.5 mtu 1500 netmask 255.255.255.255 up
    Sep 25 11:07:24 openvpn[30769]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1557 10.0.44.6 10.0.44.5 init
    Sep 25 11:07:24 openvpn[30769]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Sep 25 11:07:24 openvpn[30769]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Sep 25 11:07:24 openvpn[30769]: Initialization Sequence Completed

    Can't figure out what I'm doing wrong.



  • traceroute from a server-side system to a client-side system. You should see the OpenVPN tunnel end in the traceroute. Then I guess it will not respond to the next hop to the client. That will help you see if the packet is being routed OK and accepted at the client-end pfSense.
    Perhaps the client is a system that does not respond to ping - Windows with firewall…?



  • Need to change all those 192.168.1.0/24 LAN subnets to something not on 192.168.1.x and make them all different from each other.

    like site A  192.168.52.0

    site B  192.168.53.0

    site C 192.168.54.0

    That's to start.

    Then do the same thing with the VPN tunnels - Make each different:

    10.0.6.0  10.0.7.0  10.0.8.0 would be OK

    Then do whatever else phil.davis says.
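Added example, not code from the thread or from pfSense: a small Python check that encodes the rules the replies give, namely that tunnel networks and site LANs must not overlap, that the road-warrior server must push a route for every site LAN (or one supernet covering them all), and that a site-to-site peer must never be pushed a route to its own LAN. The network values are the ones stated in the thread; the function names are my own.

```python
import ipaddress
from itertools import combinations

# Networks as stated in the original post (constructed sample input for this example).
THREAD_NETWORKS = {
    "site_a_lan": "192.168.1.0/24",
    "site_b_lan": "192.168.2.0/24",
    "roadwarrior_tunnel": "10.0.6.0/24",
    "site_to_site_tunnel": "10.0.7.0/30",
}

def overlapping_pairs(networks):
    """Names of any two networks that overlap. Every tunnel network and every
    site LAN must be distinct, so a correct topology returns an empty list."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in networks.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]

def covering_supernet(cidrs):
    """Smallest single prefix containing every given LAN: the one 'Local Network'
    entry that reaches all sites (192.168.0.0/22 for the two LANs in the thread)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    cover = nets[0]
    while not all(cover.supernet_of(n) for n in nets):
        cover = cover.supernet()
    return str(cover)

def roadwarrior_push_lines(cidrs):
    """OpenVPN 'push route' lines the road-warrior server needs so that clients
    are routed to every site LAN, including the one behind the site-to-site link."""
    return [f'push "route {n.network_address} {n.netmask}"'
            for n in map(ipaddress.ip_network, cidrs)]

def routes_not_for_peer(pushed_cidrs, peer_lan):
    """Routes that must NOT be pushed to a site-to-site peer: the peer's own LAN
    is directly attached there, so pushing it would send that LAN into the tunnel."""
    peer = ipaddress.ip_network(peer_lan)
    return [c for c in pushed_cidrs if ipaddress.ip_network(c).overlaps(peer)]

if __name__ == "__main__":
    print("overlaps:", overlapping_pairs(THREAD_NETWORKS))
    lans = [THREAD_NETWORKS["site_a_lan"], THREAD_NETWORKS["site_b_lan"]]
    print("supernet:", covering_supernet(lans))
    print("\n".join(roadwarrior_push_lines(lans)))
    # The later post's mistake: a route to 10.91.6.0/24 pushed to the end that owns it.
    print("wrong pushes:", routes_not_for_peer(["10.91.6.0/24"], "10.91.6.0/24"))
```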

