Netgate Discussion Forum
    OpenVPN client can't reach one of my internal routes

    6 Posts 3 Posters 5.4k Views
A999

      Hi everybody, I've configured OpenVPN Remote Access server and OpenVPN client 2.3.3 connected successfully.

      On pfSense box, I have 3 routes:

      10.2.0.0/20 - connected network
10.10.0.0/22 - gw 10.2.0.252
      10.1.0.0/20 - gw 10.2.0.254
      

      OpenVPN server was checked "Force all client generated traffic through the tunnel. "
      and Provided DNS servers to clients:

      10.2.0.200
      10.1.0.200
      

Problem is all OpenVPN clients can reach computers on the 10.2.0.0/20 and 10.10.0.0/22 networks, but not 10.1.0.0/20.

Did I miss something? It would be great if you could help me figure it out. And please tell me what info to provide in detail.

      Thanks.

phil.davis

        In the OpenVPN Remote Access server Local Network/s list all 3 subnets, separated by commas. Then the server will push routes for all those to the clients.
        On the other routers at 10.2.0.252 and 10.2.0.254 you might have to tell them a route back to the OpenVPN tunnel network (if they do not already have pfSense LAN IP as default gateway).
Then add rules on pfSense LAN to allow traffic from those extra 2 subnets to the OpenVPN tunnel subnet, and on the OpenVPN rules tab, to allow from the OpenVPN tunnel subnet to those extra subnets.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

A999

          @phil.davis:

          In the OpenVPN Remote Access server Local Network/s list all 3 subnets, separated by commas. Then the server will push routes for all those to the clients.
          On the other routers at 10.2.0.252 and 10.2.0.254 you might have to tell them a route back to the OpenVPN tunnel network (if they do not already have pfSense LAN IP as default gateway).
Then add rules on pfSense LAN to allow traffic from those extra 2 subnets to the OpenVPN tunnel subnet, and on the OpenVPN rules tab, to allow from the OpenVPN tunnel subnet to those extra subnets.

Okay, right here I've got: all IPv4 networks, checked.
Added rules on pfSense LAN and OpenVPN: moved the mentioned rules to the TOP (instead of the bottom like before); otherwise it's all any-to-any rules.
Disabled then enabled the OpenVPN server, check.

Edit: False alarm, I'm still trying to route back from gw 10.2.0.254 to the OpenVPN subnet. Problem is I don't have privileged access on it. Is there any way to get around it? Thanks.

phil.davis

            If gw 10.2.0.254 does not know how to route back to the OpenVPN tunnel, then you could NAT your traffic out of the OpenVPN tunnel:
            Firewall->NAT, Outbound. Switch to manual.
Add a rule on LAN (which is where the traffic from the OpenVPN tunnel leaves pfSense to go towards gw 10.2.0.254). Source: tunnel subnet, destination: 10.1.0.0/20, NAT address: Interface address (i.e. pfSense LAN IP).

            Then the traffic from the OpenVPN clients will appear to come from pfSense LAN IP, and gw 10.2.0.254 will be able to route back to that.


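The two answers above describe the same underlying problem from two angles: the reply from a 10.1.0.0/20 host is handed to gw 10.2.0.254, which has no route for the OpenVPN tunnel subnet, so the reply leaves via that router's default gateway instead of coming back to pfSense; either a return route on that router (first answer) or NATing tunnel traffic to the pfSense LAN address (second answer) makes the reply routable. The following is an added example, not code from the thread or from pfSense: it models the three routing tables with longest-prefix-match lookups and traces the forward and return paths for each case. The tunnel subnet 10.8.0.0/24, the pfSense LAN address 10.2.0.1, and the assumption that 10.2.0.254's default route points at some other upstream are all constructed for the example; the three networks and two gateways are the ones in the thread.

```python
"""Return-path model for the thread's topology: the reply from 10.1.0.0/20 is
dropped because gw 10.2.0.254 has no route to the OpenVPN tunnel subnet, and
NATing tunnel sources to the pfSense LAN address makes the reply routable."""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Networks stated in the thread.
LAN = Net("10.2.0.0/20")       # pfSense LAN, connected
NET_10 = Net("10.10.0.0/22")   # behind gw 10.2.0.252
NET_1 = Net("10.1.0.0/20")     # behind gw 10.2.0.254
DEFAULT = Net("0.0.0.0/0")

# Assumptions, not from the thread: the tunnel subnet, the pfSense LAN address,
# and that gw 10.2.0.254's default route points at something other than pfSense.
TUNNEL = Net("10.8.0.0/24")
PF_LAN = IPv4("10.2.0.1")
CONNECTED = "connected"


@dataclass
class Router:
    name: str
    routes: list  # [(prefix, next_hop)]; next_hop is a router name, CONNECTED, or an unmodelled upstream

    def next_hop(self, dst):
        """Longest-prefix match over this router's table; None if nothing matches."""
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)[1]


def build_topology():
    routers = (
        Router("pfsense", [(TUNNEL, CONNECTED), (LAN, CONNECTED),
                           (NET_10, "gw252"), (NET_1, "gw254"), (DEFAULT, "isp")]),
        # gw252 already uses pfSense as its default gateway, so it can reach the tunnel.
        Router("gw252", [(NET_10, CONNECTED), (LAN, CONNECTED), (DEFAULT, "pfsense")]),
        # gw254 does not: its default route goes to some other upstream (assumed).
        Router("gw254", [(NET_1, CONNECTED), (LAN, CONNECTED), (DEFAULT, "other-upstream")]),
    )
    return {r.name: r for r in routers}


def trace(routers, start, dst, max_hops=8):
    """Forward a packet to dst hop by hop. Returns (hops, delivered)."""
    hops, cur = [start], start
    for _ in range(max_hops):
        nh = routers[cur].next_hop(dst)
        if nh == CONNECTED:
            return hops, True          # dst is on a directly attached network
        if nh is None or nh not in routers:
            # dropped, or handed to an upstream we do not model (and which cannot return it)
            return hops + [nh or "no-route"], False
        hops.append(nh)
        cur = nh
    return hops, False


def reply_reaches_client(routers, server, client, nat_dst=None):
    """Send client -> server through pfSense, then route the server's reply back.

    nat_dst, if given, is the destination network of an outbound NAT rule on the
    pfSense LAN interface that rewrites tunnel sources to PF_LAN (the thread's fix).
    Returns (reply_hops, delivered)."""
    fwd, ok = trace(routers, "pfsense", server)
    if not ok:
        return fwd, False
    origin = fwd[-1]                  # router attached to the server; LAN hosts use pfSense itself
    natted = nat_dst is not None and client in TUNNEL and server in nat_dst
    reply_dst = PF_LAN if natted else client
    back, ok = trace(routers, origin, reply_dst)
    if not ok:
        return back, False
    if natted:
        # pfSense owns PF_LAN: the NAT state maps the reply back to the client,
        # and it is forwarded into the tunnel like any other tunnel-bound packet.
        back.append("pfsense(un-NAT)")
        tail, ok = trace(routers, "pfsense", client)
        return back + tail[1:], ok
    # Without NAT the reply has to arrive on pfSense itself to enter the tunnel.
    return back, back[-1] == "pfsense"


def add_return_route(routers, router_name):
    """The first suggestion in the thread: give the router a route for the tunnel subnet via pfSense."""
    routers[router_name].routes.append((TUNNEL, "pfsense"))


if __name__ == "__main__":
    client, srv_1, srv_10 = IPv4("10.8.0.5"), IPv4("10.1.0.10"), IPv4("10.10.0.10")
    r = build_topology()
    print("10.10.x, no NAT:", reply_reaches_client(r, srv_10, client))
    print("10.1.x,  no NAT:", reply_reaches_client(r, srv_1, client))
    print("10.1.x,  NAT   :", reply_reaches_client(r, srv_1, client, nat_dst=NET_1))
    add_return_route(r, "gw254")
    print("10.1.x,  route :", reply_reaches_client(r, srv_1, client))
```

Running it shows the reply from 10.10.0.0/22 coming back via gw252 and pfSense, the reply from 10.1.0.0/20 leaving gw254 towards its other upstream, and both fixes bringing it back. One practical consequence of the NAT workaround worth keeping in mind: every host in 10.1.0.0/20 sees all VPN users as the single pfSense LAN address, so per-client logging and any address-based access control on that side no longer distinguish clients; the return route on the router, where you can get it added, keeps the real tunnel addresses visible.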
A999

              Thanks phil.davis, I added a rule on NAT and it works well.

tabs

I had a similar problem, and adding a NAT rule solved it too.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.