OpenVPN client can't reach one of my internal routes
  • Hi everybody, I've configured OpenVPN Remote Access server and OpenVPN client 2.3.3 connected successfully.

    On pfSense box, I have 3 routes:

    10.2.0.0/20 - connected network
    10.10.0.0/22 - gw 10.2.0.252
    10.1.0.0/20 - gw 10.2.0.254
    

    On the OpenVPN server, "Force all client generated traffic through the tunnel" was checked,
    and the DNS servers provided to clients were:

    10.2.0.200
    10.1.0.200
    

    Problem is all OpenVPN clients can reach computers on the 10.2.0.0/20 and 10.10.0.0/22 networks, but not 10.1.0.0/20.

    Did I miss something? It would be great if you guys could help me figure it out. And please tell me what info to provide in detail.

    Thanks.



  • In the OpenVPN Remote Access server Local Network/s list all 3 subnets, separated by commas. Then the server will push routes for all those to the clients.
    On the other routers at 10.2.0.252 and 10.2.0.254 you might have to tell them a route back to the OpenVPN tunnel network (if they do not already have pfSense LAN IP as default gateway).
    Then add rules on pfSense LAN to allow traffic from those extra 2 subnets to the OpenVPN tunnel subnet, and on the OpenVPN rules tab, to allow from the OpenVPN tunnel subnet to those extra subnets.



  • @phil.davis:

    In the OpenVPN Remote Access server Local Network/s list all 3 subnets, separated by commas. Then the server will push routes for all those to the clients.
    On the other routers at 10.2.0.252 and 10.2.0.254 you might have to tell them a route back to the OpenVPN tunnel network (if they do not already have pfSense LAN IP as default gateway).
    Then add rules on pfSense LAN to allow traffic from those extra 2 subnets to the OpenVPN tunnel subnet, and on the OpenVPN rules tab, to allow from the OpenVPN tunnel subnet to those extra subnets.

    Okay, right here I've got: "all IPv4 Networks", checked.
    Added rules on pfSense LAN and OpenVPN: moved the mentioned rules to the TOP (instead of the bottom like before), otherwise it all has any-to-any rules.
    Disabled then enabled the OpenVPN server, checked.

    Edit: False alarm, I'm still trying to route back from gw 10.2.0.254 to the OpenVPN subnet. Problem is I don't have privileged access on it. Is there any way to get around it? Thanks.



  • If gw 10.2.0.254 does not know how to route back to the OpenVPN tunnel, then you could NAT your traffic out of the OpenVPN tunnel:
    Firewall -> NAT, Outbound. Switch to manual.
    Add a rule on LAN (which is where the traffic from the OpenVPN tunnel leaves pfSense to go towards gw 10.2.0.254): source = tunnel subnet, destination = 10.1.0.0/20, NAT address = Interface address (i.e. pfSense LAN IP).

    Then the traffic from the OpenVPN clients will appear to come from pfSense LAN IP, and gw 10.2.0.254 will be able to route back to that.
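The two replies above describe the same failure mode from both sides: the pushed route gets client packets to 10.1.0.0/20 via 10.2.0.254, but that router has no route back to the tunnel subnet, so replies are dropped; source NAT to the pfSense LAN address hides the tunnel subnet from it. The script below is an added example (not part of this thread and not pfSense code) that models the forward and return lookups for the three subnets from the original post. The tunnel network 10.8.0.0/24, the pfSense LAN address 10.2.0.1, the client address 10.8.0.6 and the routing tables of the two downstream gateways are constructed assumptions chosen to match the symptoms described.

```python
"""Trace forward and return paths for OpenVPN client traffic through pfSense.

Added example. Topology prefixes and gateways come from the thread; the
tunnel network, pfSense LAN IP, client IP and the downstream routers'
tables are assumed for illustration.
"""
import ipaddress

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


class Router:
    """Minimal longest-prefix-match router.

    routes maps a network to its next-hop address, or to None when the
    network is directly connected. default_gw is used when nothing matches.
    """

    def __init__(self, name, addresses, routes, default_gw=None):
        self.name = name
        self.addresses = {Addr(a) for a in addresses}
        self.routes = {Net(n): (Addr(g) if g else None) for n, g in routes.items()}
        self.default_gw = Addr(default_gw) if default_gw else None

    def lookup(self, dst):
        """Return ("connected", None), ("via", gateway) or ("unreachable", None)."""
        matches = [n for n in self.routes if dst in n]
        if matches:
            gw = self.routes[max(matches, key=lambda n: n.prefixlen)]
            return ("connected", None) if gw is None else ("via", gw)
        if self.default_gw is not None:
            return ("via", self.default_gw)
        return ("unreachable", None)


def owner_of(addr, routers):
    """Find the router that holds the given interface address."""
    for r in routers:
        if addr in r.addresses:
            return r
    raise LookupError(f"no router owns {addr}")


def check_path(client_ip, dst_ip, pfsense, routers, snat_ip=None):
    """Return (ok, explanation) for client -> dst and the reply back.

    snat_ip, when given, is the address pfSense rewrites the source to on
    the way out (pfSense outbound NAT on LAN), so the downstream router
    routes its reply to that address instead of to the tunnel client.
    """
    client_ip, dst_ip = Addr(client_ip), Addr(dst_ip)
    kind, hop = pfsense.lookup(dst_ip)
    if kind == "unreachable":
        return False, f"{pfsense.name} has no route to {dst_ip}"
    if kind == "connected":
        return True, f"{dst_ip} is on a network directly attached to {pfsense.name}"
    nexthop = owner_of(hop, routers)
    reply_to = Addr(snat_ip) if snat_ip else client_ip
    rkind, rhop = nexthop.lookup(reply_to)
    if rkind == "unreachable":
        return False, (f"forward path ok via {nexthop.name}, but {nexthop.name} "
                       f"has no route back to {reply_to}")
    return True, (f"forward via {nexthop.name}; reply to {reply_to} is "
                  f"{rkind} {rhop if rhop else ''}".rstrip())


TUNNEL = "10.8.0.0/24"        # assumed OpenVPN tunnel network
PFSENSE_LAN_IP = "10.2.0.1"   # assumed pfSense LAN address

pfsense = Router("pfSense", [PFSENSE_LAN_IP], {
    "10.2.0.0/20": None,           # connected LAN (from the thread)
    TUNNEL: None,                  # tunnel network, connected
    "10.10.0.0/22": "10.2.0.252",  # static route from the thread
    "10.1.0.0/20": "10.2.0.254",   # static route from the thread
})
# Assumed: the .252 router uses pfSense as its default gateway, so replies
# to the tunnel clients find their way back.
r252 = Router("gw-10.2.0.252", ["10.2.0.252"],
              {"10.2.0.0/20": None, "10.10.0.0/22": None},
              default_gw=PFSENSE_LAN_IP)
# Assumed: the .254 router (not under the poster's control) knows only its
# connected networks and nothing about the tunnel subnet.
r254 = Router("gw-10.2.0.254", ["10.2.0.254"],
              {"10.2.0.0/20": None, "10.1.0.0/20": None})
ROUTERS = [r252, r254]


def demo(client_ip="10.8.0.6"):
    """Check one host in each subnet, then the failing one with outbound NAT."""
    results = {}
    for dst in ("10.2.0.50", "10.10.1.5", "10.1.2.9"):
        results[dst] = check_path(client_ip, dst, pfsense, ROUTERS)
    results["10.1.2.9 with outbound NAT"] = check_path(
        client_ip, "10.1.2.9", pfsense, ROUTERS, snat_ip=PFSENSE_LAN_IP)
    return results


if __name__ == "__main__":
    for dst, (ok, why) in demo().items():
        print(f"{'OK  ' if ok else 'FAIL'} {dst}: {why}")
```

The run shows 10.2.0.0/20 and 10.10.0.0/22 succeeding and 10.1.0.0/20 failing on the return lookup at gw-10.2.0.254; adding the outbound NAT turns that case green because the reply is now addressed to a 10.2.0.0/20 host the router is directly connected to. The same model also makes the first answer's point visible: giving r254 a static route for the tunnel network, or pfSense as its default gateway, fixes the case without NAT, which is the cleaner option when you do control that router.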



  • Thanks phil.davis, I added a rule on NAT and it works well.



  • I had a similar problem, and adding a NAT rule solved it too.