Unable to route VPN Traffic between multiple sites



  • Hello,

    I have the following setup:

    Main Site :  172.20.10.0/24
    Branch1 :    172.21.1.1/24
    Branch2 :    172.16.1.0/24

    The VPN from Main Site to Branch1 and Branch2 works perfectly.
    The problem is that I cannot route traffic between Branch1 and Branch2 via the Main Site.
    This is all done with OpenVPN.

    Any help about that will be great

    Thanks



  • Do you have routes on the branch sites that "point" to each other?



  • I have the same problem as you. For me the "Main Site" is Site (B).

    see this thread for further information: http://forum.pfsense.org/index.php/topic,69592.0.html



  • From pfSense 2.1 onwards you can type a list of subnets in the local and remote networks fields of the OpenVPN server and client. There is no need for any "route" or "push "route…"" statements to be added to the advanced box. You should just need to put the complete list of remote networks in the remote networks field of the client at each branch site:
    At branch 1, Remote Networks: 172.20.10.0/24,172.16.1.0/24
    At branch 2, Remote Networks: 172.20.10.0/24,172.21.1.0/24

    and make sure your firewall rules on each LAN and OpenVPN allow traffic to/from the various subnets.

    I have a network with 2 main offices and a list of branches just like this - each branch has 2 OpenVPN site-to-site clients, connecting to the main offices. The routing is all achieved by putting lists of subnets in the Remote Networks box. I even leave the Local Networks box empty on the main office server, that is not used to teach the client about the routes. In this site-to-site case it does not seem to be used for anything.

    The vast majority of traffic is between a branch office and a main office. Occasionally a branch office might move a file direct to another branch office, but that is rare, and yes, it does route in and out of the main office.
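The hub-and-spoke routing described in the post above, as an added example that is not part of the thread or of pfSense: it builds the per-instance "Remote Networks" lists for the thread's three subnets, prints the OpenVPN `route` lines that pfSense 2.1+ generates from such a field, and walks every source/destination pair to report the pairs that have no route (the symptom in the first post: each branch only lists the main site). The site names, the `Main->Branch1` naming for the hub's per-branch server instances and all function names are this example's own assumptions; the subnets are the thread's. Firewall rules on LAN and OpenVPN are a separate check that this script does not cover.

```python
"""Added example: compute OpenVPN site-to-site Remote Networks lists for a
hub-and-spoke layout and check that every pair of sites can reach each other.
Not from the forum thread; site names and helpers are assumptions."""
import ipaddress
from itertools import permutations
from typing import Dict, List, Tuple

# Constructed topology: subnets from the thread, site names assumed.
HUB = "Main"
SITES = {
    "Main":    "172.20.10.0/24",
    "Branch1": "172.21.1.0/24",
    "Branch2": "172.16.1.0/24",
}


def parse_subnet(cidr: str) -> ipaddress.IPv4Network:
    """strict=True rejects a host address such as 172.21.1.1/24; the
    Remote Networks field wants the network address (172.21.1.0/24)."""
    return ipaddress.ip_network(cidr, strict=True)


def remote_networks(sites: Dict[str, str], hub: str) -> Dict[str, List[str]]:
    """Remote Networks value for each OpenVPN instance.

    A branch client lists every other site, so branch-to-branch traffic is
    sent into its tunnel towards the hub.  The hub runs one server instance
    per branch tunnel (keyed 'Main->Branch1'); that instance's Remote
    Networks is just the branch LAN, which is what lets the hub forward a
    packet that arrived on one tunnel back out through the other."""
    nets = {name: parse_subnet(c) for name, c in sites.items()}
    cfg: Dict[str, List[str]] = {}
    for name in nets:
        if name == hub:
            continue
        cfg[name] = [str(nets[o]) for o in nets if o != name]
        cfg[f"{hub}->{name}"] = [str(nets[name])]
    return cfg


def route_lines(remote: List[str]) -> List[str]:
    """The 'route <net> <mask>' statements pfSense writes into the generated
    OpenVPN config from a comma-separated Remote Networks field."""
    return [f"route {n.network_address} {n.netmask}"
            for n in map(parse_subnet, remote)]


def missing_routes(sites: Dict[str, str], hub: str,
                   cfg: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Report (src, dst) pairs with no route.  A branch must carry a route to
    the destination; if the destination is another branch, the hub's tunnel
    to that branch must carry it too (the return path is the reverse pair)."""
    nets = {name: parse_subnet(c) for name, c in sites.items()}
    missing = []
    for src, dst in permutations(sites, 2):
        dst_net = str(nets[dst])
        if src == hub:
            ok = dst_net in cfg.get(f"{hub}->{dst}", [])
        else:
            ok = dst_net in cfg.get(src, [])
            if ok and dst != hub:
                ok = dst_net in cfg.get(f"{hub}->{dst}", [])
        if not ok:
            missing.append((src, dst))
    return missing


if __name__ == "__main__":
    good = remote_networks(SITES, HUB)
    for instance, remote in good.items():
        print(f"{instance}: Remote Networks = {','.join(remote)}")
        for line in route_lines(remote):
            print(f"    {line}")
    print("missing with full lists:", missing_routes(SITES, HUB, good))

    # The first post's situation: each branch only lists the main site.
    partial = dict(good)
    partial["Branch1"] = ["172.20.10.0/24"]
    partial["Branch2"] = ["172.20.10.0/24"]
    print("missing with main-site-only lists:",
          missing_routes(SITES, HUB, partial))
```

Running it with the full lists reproduces the two Remote Networks values given in the post (`172.20.10.0/24,172.16.1.0/24` at Branch1 and `172.20.10.0/24,172.21.1.0/24` at Branch2) and reports no missing pairs; with each branch listing only the main site it reports Branch1 to Branch2 and Branch2 to Branch1 as unrouted, which is the symptom in the first post.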



  • @phil.davis:

    You should just need to put the complete list of remote networks in the remote networks field of the client at each branch site:
    At branch 1, Remote Networks: 172.20.10.0/24,172.16.1.0/24
    At branch 2, Remote Networks: 172.20.10.0/24,172.21.1.0/24

    This one works for me. Thank you very much!



  • The route statements need to be there, so in theory it shouldn't matter whether they're added to the advanced box or generated by the GUI using the new "172.20.10.0/24,172.16.1.0/24" syntax of 2.1. All the commands get entered into the same config.

    So, if using "172.20.10.0/24,172.16.1.0/24" on the remote networks line works while adding routes to the advanced box doesn't… I'm wondering if that's a bug.

    For the DEVS: Does v2.1 and above now prefer multiple subnets to be entered on the "IPv4 Remote Network/s" and "IPv4 Local Network/s" line vs. the advanced config box, or are we looking at a possible bug? Please confirm.

