OpenVPN - Two LANs, access both with a single VPN connection

henryb

Hi,
I have been using guides for setting up OpenVPN, and it works very well, for an single LAN that is.

At the moment I have to separate LANs (using LAN og OPT1 port), 10.1.1.0/24 and 10.10.1.0/24
Rules are set up so they can communicate transparently (e.g access printers and RDP servers)

In the OpenVPN Tunnel Settings, I can specify e.g. "Local Network" as 10.1.1.0/24, and the user/OpenVPNclient can access that network. However, he would like to access both LANs.
If I specify 10.10.1.0/24, he can only access computers in that other LAN.

Is there an easy way to make a rule or route, that gives him access to both networks?
I have tried, with no luck so far.

I am aware I can create two OpenVPN settings documents, and give user to separate logins/certificates, but I'm trying to make it less complicated on behalf of users.

Any good solutions will be appreciated  :)

phil.davis

In the OpenVPN Tunnel Settings, I can specify e.g. "Local Network" as 10.1.1.0/24, and the user/OpenVPNclient can access that network. However, he would like to access both LANs.
If I specify 10.10.1.0/24, he can only access computers in that other LAN.

From pfSense 2.1 onwards, on the OpenVPN server settings it says:

IPv4 Local Network/s - These are the IPv4 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more CIDR ranges. You may leave this blank if you don't want to add a route to the local network through this tunnel on the remote machine. This is generally set to your LAN network.

Do that - put in:

10.1.1.0/24,10.10.1.0/24

On Firewall->Rules, OpenVPN make sure your rule/s allow traffic to both those subnets (sounds like OpenVPN rules are already good).

henryb

Do that - put in:

10.1.1.0/24,10.10.1.0/24

Thanks Phil, this is great news  :)

In fact I've already tried that on aforementioned pfSense-box, and this is what I got:
• The field 'Local network' must contain a valid CIDR range."

Reading your reply once more, and I realized you wrote "from pfSense 2.1", while I'm running v 2.01.

Then of course tried to upgrade immediately,

Auto Update Download Status
–--------------------------------------------------
  Current Version : 2.0.1-RELEASE
  Latest Version  : 2.1-RELEASE
  File size      : 79564762
  Downloaded      : 7232338

The image file is corrupt.
Update cannot continue

This seems to be a pretty common issue, and browsing the log showed this:

• filesystem full
• php: /system_firmware_auto.php: The command '/usr/bin/gzip -t '/root/latest.tgz'' returned exit code '1', the output was 'gzip: data stream error gzip: /root/latest.tgz: uncompress failed'

So I'll swap in a larger CF-card, and try upgrading during this week.
I will report back, if I succeed using your recommendations.

Appreciate your help :)

phil.davis

On 2.0.n you can put statements in the Advanced box of the OpenVPN server settings to tell the client about routes to more local networks:

push "route 10.10.1.0 255.255.255.0"

and just put a single CIDR in the Local Network box:

10.1.1.0/24

so you will be able to achieve it without going to pfSense 2.1 if you want to get it going quickly.

PS: You must have a small CF card, or lots of packages and random stuff on it.

KOM

Thanks, Phil.  I had a working config and then added a DMZ and was surprised that my VPN users couldn't get to it.  Your reply clued me in that I forgot to update the IP4 Local Networks to add the DMZ subnet.