OpenVPN - Two LANs, access both with a single VPN connection



  • Hi,
    I have been using guides for setting up OpenVPN, and it works very well, for a single LAN, that is.

    At the moment I have two separate LANs (using the LAN and OPT1 ports), 10.1.1.0/24 and 10.10.1.0/24.
    Rules are set up so they can communicate transparently (e.g. access printers and RDP servers).

    In the OpenVPN Tunnel Settings, I can specify e.g. "Local Network" as 10.1.1.0/24, and the user/OpenVPN client can access that network. However, he would like to access both LANs.
    If I specify 10.10.1.0/24, he can only access computers in that other LAN.

    Is there an easy way to make a rule or route, that gives him access to both networks?
    I have tried, with no luck so far.

    I am aware I can create two OpenVPN settings documents and give users two separate logins/certificates, but I'm trying to make it less complicated on behalf of the users.

    Any good solutions will be appreciated  :)



  • In the OpenVPN Tunnel Settings, I can specify e.g. "Local Network" as 10.1.1.0/24, and the user/OpenVPNclient can access that network. However, he would like to access both LANs.
    If I specify 10.10.1.0/24, he can only access computers in that other LAN.

    From pfSense 2.1 onwards, on the OpenVPN server settings it says:

    IPv4 Local Network/s - These are the IPv4 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more CIDR ranges. You may leave this blank if you don't want to add a route to the local network through this tunnel on the remote machine. This is generally set to your LAN network.

    Do that - put in:

    10.1.1.0/24,10.10.1.0/24
    

    On Firewall->Rules, OpenVPN tab, make sure your rule(s) allow traffic to both those subnets (sounds like the OpenVPN rules are already good).



  • Do that - put in:

    10.1.1.0/24,10.10.1.0/24
    

    Thanks Phil, this is great news  :)

    In fact I've already tried that on aforementioned pfSense-box, and this is what I got:
    • The field 'Local network' must contain a valid CIDR range.

    Reading your reply once more, I realized you wrote "from pfSense 2.1", while I'm running v 2.0.1.

    Then of course tried to upgrade immediately,

    Auto Update Download Status
    --------------------------------------------------
      Current Version : 2.0.1-RELEASE
      Latest Version  : 2.1-RELEASE
      File size      : 79564762
      Downloaded      : 7232338

    The image file is corrupt.
    Update cannot continue

    This seems to be a pretty common issue, and browsing the log showed this:

    • filesystem full
    • php: /system_firmware_auto.php: The command '/usr/bin/gzip -t '/root/latest.tgz'' returned exit code '1', the output was 'gzip: data stream error gzip: /root/latest.tgz: uncompress failed'

    So I'll swap in a larger CF-card, and try upgrading during this week.
    I will report back, if I succeed using your recommendations.

    Appreciate your help :)



  • On 2.0.n you can put statements in the Advanced box of the OpenVPN server settings to tell the client about routes to more local networks:

    push "route 10.10.1.0 255.255.255.0"
    

    and just put a single CIDR in the Local Network box:

    10.1.1.0/24
    

    so you will be able to achieve it without going to pfSense 2.1 if you want to get it going quickly.

    PS: You must have a small CF card, or lots of packages and random stuff on it.
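
    As an added example (not code from this thread, from pfSense or from OpenVPN), the following script does by hand what Phil's two answers rely on pfSense doing: it validates a comma-separated list of local networks the way the 2.1 "IPv4 Local Network/s" field does (rejecting anything that is not a valid CIDR, which is the error the 2.0.1 box reports), turns each entry into the `push "route NETWORK NETMASK"` line that goes into the 2.0.x Advanced box, and checks that none of the pushed networks overlaps the tunnel network or each other, since an overlapping route silently steals traffic from the tunnel or from the other LAN. The tunnel network 10.0.8.0/24 and the helper names are assumptions for the example; the two LAN prefixes are the ones from the thread.

```python
import ipaddress

# Constructed inputs for the example (not from the thread): an assumed
# tunnel network for the VPN clients, and the two LANs from the question.
TUNNEL_NETWORK = "10.0.8.0/24"
LOCAL_NETWORKS = "10.1.1.0/24,10.10.1.0/24"


def parse_cidr_list(text):
    """Parse a comma-separated list of IPv4 CIDR ranges.

    Mirrors the pfSense 2.1 'IPv4 Local Network/s' field: every entry must be a
    valid network. strict=True rejects host bits set (e.g. '10.1.1.5/24'),
    which is exactly the kind of entry that produces the 'must contain a valid
    CIDR range' error. Empty entries (trailing commas) are ignored.
    """
    nets = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            net = ipaddress.IPv4Network(item, strict=True)
        except ValueError as exc:
            raise ValueError(
                f"The field 'Local network' must contain a valid CIDR range: {item!r}"
            ) from exc
        nets.append(net)
    return nets


def push_route_lines(text):
    """Build the lines for the 2.0.x OpenVPN server 'Advanced' box.

    OpenVPN's route directive wants a network address and a dotted netmask,
    not CIDR, so 10.10.1.0/24 becomes: push "route 10.10.1.0 255.255.255.0"
    """
    return [
        f'push "route {net.network_address} {net.netmask}"'
        for net in parse_cidr_list(text)
    ]


def check_no_overlap(tunnel, text):
    """Return a list of problems: local networks overlapping the tunnel
    network, or overlapping each other. An empty list means the set of pushed
    routes is consistent."""
    tunnel_net = ipaddress.IPv4Network(tunnel, strict=True)
    nets = parse_cidr_list(text)
    problems = []
    for net in nets:
        if net.overlaps(tunnel_net):
            problems.append(f"{net} overlaps tunnel network {tunnel_net}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    for line in push_route_lines(LOCAL_NETWORKS):
        print(line)
    for problem in check_no_overlap(TUNNEL_NETWORK, LOCAL_NETWORKS):
        print("WARNING:", problem)
```

    Pushing routes only makes the client send packets for both LANs into the tunnel; the pfSense firewall rules on the OpenVPN tab still decide whether they are forwarded, so after connecting, confirm on the client (`ip route` on Linux, `route print` on Windows) that both prefixes point at the tun adapter and then test a host in each LAN.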



  • Thanks, Phil.  I had a working config and then added a DMZ and was surprised that my VPN users couldn't get to it.  Your reply clued me in that I forgot to update the IPv4 Local Networks to add the DMZ subnet.