[SOLVED] Roadwarrior routing on openvpn Net to Net



  • Greetings,
    I need your help with my configuration:

    
    +–––––––––––––––+                                                                                                             
    |   Client      |       LAN-1            SiteA                               SiteB                                            
    | 192.168.90.6  | 192.168.90.0/24   +––––––––––––––+                    +–––––––––––––––+                                     
    +–––––––––––––––+–––––––––––––––––––+              |     Net to Net     |               |                   +––––––––––––––––+
                                        |openvpn server|                    |openvpn client |      LAN          |    Client      |
                                        |              +––––––––––––––––––––+               +–––––––––––––––––––+ 192.168.100.50 |
    +–––––––––––––––+–––––––––––––––––––+              |    10.0.100.0/24   |               | 192.168.100.0/24  +––––––––––––––––+
    |   Client      | 192.168.101.0/24  +––––––+–––––––+                    +–––––––+–––––––+                                     
    |192.168.101.10 |      LAN-2                                                    |                                             
    +–––––––––––––––+                                                               |                                             
                                                                                    |                                                                                         
                                                                      10.0.101.0/24 |                             
                                                                                    |                                             
                                                                                  +–+–+                                           
                                                                                  |   |                                           
                                                                                  +–+–+                                                                                     
                                                                                  RW-B                                                                                        
    
    

    On one pfSense box I have the following OpenVPN configurations:

    As a server for Road Warriors on SiteB
    Server Mode: Remote Access (SSL/TLS+user auth)
    Address pool: 10.0.101.0/24
    Local network: 192.168.100.0/24
    Inter-client communication: yes
    Cryptography: BF-CBC (128-bit)
    LZO compression: yes
    Advanced config: push "route 192.168.90.0 255.255.255.0";

    As a server for Net-To-Net OpenVPN on SiteA
    Server Mode: Peer to Peer (SSL/TLS)
    Address pool: 10.0.100.0/24
    Local network: 192.168.90.0/24
    Remote network: 192.168.100.0/24
    Cryptography: BF-CBC (128-bit)
    LZO compression: yes
    Advanced config: push "route 192.168.101.0 255.255.255.0";route 10.0.101.0 255.255.255.0;

    My routing issue is:
    From SiteA I can reach hosts on SiteB and vice versa over the Net to Net OpenVPN.
    From the Road Warrior on SiteB I can reach hosts on SiteB.
    I want to be able to reach hosts and LAN clients in SiteA from the Road Warrior on SiteB.
    I want to access 192.168.90.0/24 and 192.168.101.0/24 from 10.0.101.0/24.

    Please help and enlighten me...



  • Road Warrior SiteB - put both the SiteB and SiteA LANs in the Local Networks box: 192.168.100.0/24,192.168.90.0
    and remove the push "route…" - that is effectively done nowadays by listing all the subnets in Local Networks.
    Now the road warrior clients know the way to both SiteB and SiteA.

    Similarly, on the site-to-site link, put both the SiteB LAN and the road warrior nets in the Remote Networks box (and in the Local Networks box at SiteB). Then you can remove any special push route statements.

    Make sure Firewall Rules on each LAN and OpenVPN allow traffic from/to the relevant subnets.



  • Dear Mr Phil...
    Thanks for your response.
    I think I've changed the configuration according to your suggestions, but I am still unable to access 192.168.90.0/24 and 192.168.101.0/24 from the RoadWarrior in SiteB.
    Then I tried to make a RoadWarrior configuration in SiteA, and succeeded in accessing 192.168.100.0/24 in SiteB from the RoadWarrior in SiteA.
    I think maybe there is something wrong with the routing from the RoadWarrior in SiteB to 10.0.100.2, but I do not know where the mistake is. Please direct me to the right path.
    Here is an attachment with my configuration, and I apologize if my English is bad.

    Diagram

    
    +–––––––––––––––+                                                                                                             
    |   Client      |       LAN-1            SiteA                               SiteB                                            
    | 192.168.90.6  | 192.168.90.0/24   +––––––––––––––+                    +–––––––––––––––+                                     
    +–––––––––––––––+–––––––––––––––––––+              |     Net to Net     |               |                   +––––––––––––––––+
                                        |openvpn server|                    |openvpn client |      LAN          |    Client      |
                                        |              +––––––––––––––––––––+               +–––––––––––––––––––+ 192.168.100.50 |
    +–––––––––––––––+–––––––––––––––––––+              |    10.0.100.0/24   |               | 192.168.100.0/24  +––––––––––––––––+
    |   Client      | 192.168.101.0/24  +––––––+–––––––+                    +–––––––+–––––––+                                     
    |192.168.101.10 |      LAN-2               |                                    |                                             
    +–––––––––––––––+                          |                                    |                                             
                                               |                                    |                                                                                         
                                10.146.99.0/24 |                                    | 10.0.101.0/24                               
                                               |                                    |                                             
                                             +–+–+                                +–+–+                                           
                                             |   |                                |   |                                           
                                             +–+–+                                +–+–+                                                                                     
                                             RW-A                                 RW-B                                            
    
    

    RW on SiteA

    
    dev ovpns2
    dev-type tun
    tun-ipv6
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher BF-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local 192.168.1.3
    tls-server
    server 10.146.99.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server2.php via-env
    tls-verify /var/etc/openvpn/server2.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server2.sock unix
    push "route 192.168.90.0 255.255.255.0"
    push "route 192.168.101.0 255.255.255.0"
    push "route 192.168.100.0 255.255.255.0"
    client-to-client
    ca /var/etc/openvpn/server2.ca 
    cert /var/etc/openvpn/server2.cert 
    key /var/etc/openvpn/server2.key 
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server2.tls-auth 0
    comp-lzo
    persist-remote-ip
    float
    
    

    Net2Net server on siteA

    
    dev ovpns3
    dev-type tun
    tun-ipv6
    dev-node /dev/tun3
    writepid /var/run/openvpn_server3.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher BF-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.1.3
    tls-server
    server 10.0.100.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    ifconfig 10.0.100.1 10.0.100.2
    tls-verify /var/etc/openvpn/server3.tls-verify.php
    lport 1306
    management /var/etc/openvpn/server3.sock unix
    push "route 192.168.90.0 255.255.255.0"
    push "route 192.168.101.0 255.255.255.0"
    route 192.168.100.0 255.255.255.0
    route 10.0.101.0 255.255.255.0
    ca /var/etc/openvpn/server3.ca 
    cert /var/etc/openvpn/server3.cert 
    key /var/etc/openvpn/server3.key 
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server3.tls-auth 0
    comp-lzo
    
    

    CSC on SiteA

    
    ifconfig-push 10.0.100.2 10.0.100.1
    iroute 192.168.100.0 255.255.255.0
    
    

    RW on SiteB

    
    dev ovpns2
    dev-type tun
    tun-ipv6
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher BF-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local 192.168.1.3
    tls-server
    server 10.0.101.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server2.php via-env
    tls-verify /var/etc/openvpn/server2.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server2.sock unix
    push "route 192.168.100.0 255.255.255.0"
    push "route 192.168.90.0 255.255.255.0"
    push "route 192.168.101.0 255.255.255.0"
    client-to-client
    ca /var/etc/openvpn/server2.ca 
    cert /var/etc/openvpn/server2.cert 
    key /var/etc/openvpn/server2.key 
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server2.tls-auth 0
    comp-lzo
    persist-remote-ip
    float
    
    

    Net2Net client on SiteB

    
    dev ovpnc1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher BF-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.1.3
    tls-client
    client
    lport 1306
    management /var/etc/openvpn/client1.sock unix
    remote bprop1.jumpingcrab.com 1306
    ifconfig 10.0.100.2 10.0.100.1
    route 192.168.90.0 255.255.255.0
    route 192.168.101.0 255.255.255.0
    route 10.146.99.0 255.255.255.0
    ca /var/etc/openvpn/client1.ca 
    cert /var/etc/openvpn/client1.cert 
    key /var/etc/openvpn/client1.key 
    tls-auth /var/etc/openvpn/client1.tls-auth 1
    comp-lzo
    resolv-retry infinite
    
    

    SiteA route

    
    Destination 	Gateway 	Flags 	Refs 	Use 	Mtu 	Netif 	Expire
    default 	192.168.1.1 	UGS 	0 	1749 	1500 	re0 	 
    8.8.4.4 	192.168.1.1 	UGHS 	0 	209 	1500 	re0 	 
    8.8.8.8 	192.168.1.1 	UGHS 	0 	4673 	1500 	re0 	 
    10.0.100.0/24 	10.0.100.2 	UGS 	0 	0 	1500 	ovpns3 	 
    10.0.100.1 	link#10 	UHS 	0 	0 	16384 	lo0 	 
    10.0.100.2 	link#10 	UH 	0 	0 	1500 	ovpns3 	 
    10.0.101.0/24 	10.0.100.2 	UGS 	0 	0 	1500 	ovpns3 	 
    10.146.99.0/24 	10.146.99.2 	UGS 	0 	0 	1500 	ovpns2 	 
    10.146.99.1 	link#9 	UHS 	0 	0 	16384 	lo0 	 
    10.146.99.2 	link#9 	UH 	0 	0 	1500 	ovpns2 	 
    10.233.245.1 	link#11 	UH 	0 	0 	1500 	ovpnc1 	 
    10.233.245.2 	link#11 	UHS 	0 	0 	16384 	lo0 	 
    127.0.0.1 	link#7 	UH 	0 	512 	16384 	lo0 	 
    192.168.1.0/24 	link#3 	U 	0 	0 	1500 	re0 	 
    192.168.1.3 	link#3 	UHS 	0 	0 	16384 	lo0 	 
    192.168.70.0/24 	10.233.245.1 	UGS 	0 	0 	1500 	ovpnc1 	 
    192.168.90.0/24 	link#1 	U 	0 	3196 	1500 	vr0 	 
    192.168.90.254 	link#1 	UHS 	0 	0 	16384 	lo0 	 
    192.168.100.0/24 	10.0.100.2 	UGS 	0 	320 	1500 	ovpns3 	 
    192.168.101.0/24 	link#2 	U 	0 	0 	1500 	vr1 	 
    192.168.101.1 	link#2 	UHS 	0 	0 	16384 	lo0 	 
    

    SiteB route

    
    Destination 	Gateway 	Flags 	Refs 	Use 	Mtu 	Netif 	Expire
    default 	192.168.1.1 	UGS 	0 	1922 	1500 	re0 	 
    8.8.8.8 	192.168.1.1 	UGHS 	0 	4754 	1500 	re0 	 
    10.0.100.1 	link#9 	UH 	0 	0 	1500 	ovpnc1 	=>
    10.0.100.1/32 	10.0.100.1 	UGS 	0 	0 	1500 	ovpnc1 	 
    10.0.100.2 	link#9 	UHS 	0 	0 	16384 	lo0 	 
    10.0.101.0/24 	10.0.101.2 	UGS 	0 	0 	1500 	ovpns2 	 
    10.0.101.1 	link#8 	UHS 	0 	0 	16384 	lo0 	 
    10.0.101.2 	link#8 	UH 	0 	0 	1500 	ovpns2 	 
    10.146.99.0/24 	10.0.100.1 	UGS 	0 	0 	1500 	ovpnc1 	 
    127.0.0.1 	link#6 	UH 	0 	530 	16384 	lo0 	 
    192.168.1.0/24 	link#2 	U 	0 	0 	1500 	re0 	 
    192.168.1.3 	link#2 	UHS 	0 	0 	16384 	lo0 	 
    192.168.90.0/24 	10.0.100.1 	UGS 	0 	530 	1500 	ovpnc1 	 
    192.168.100.0/24 	link#1 	U 	0 	0 	1500 	vr0 	 
    192.168.100.254 	link#1 	UHS 	0 	0 	16384 	lo0 	 
    192.168.101.0/24 	10.0.100.1 	UGS 	0 	0 	1500 	ovpnc1 	 
    
    

    Rules on SiteA
    http://imgbox.com/zjAJFEmH
    http://imgbox.com/3syPWVP9
    http://imgbox.com/y85EzBXK
    http://imgbox.com/gOJ7UWcL

    Rule on siteB
    http://imgbox.com/IqZ2DQzp
    http://imgbox.com/Y7ZEMVB9
    http://imgbox.com/RkRiNJK8

    Thank you for your attention



  • Dear all,

    Everybody..., is there a hint?



  • I believe you need an:

    "iroute 10.0.101.0 255.255.255.0"

    added to the SiteA CSC to tell the site-site which connection to use for the supplied 10.0.101.0 route statement.

    You'll need to restart SiteA's OVPN server and probably need to force SiteB to reconnect.

    This is all doable, I have a number of setups similar to your diagram that work very well.

    Let us know if it works.
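As an added illustration (not code from this thread, from pfSense or from OpenVPN), the check below reads the SiteA Net2Net server config and its CSC entry as posted above and reports which kernel `route` subnets have no matching `iroute`, which is exactly the gap pointed out in the reply: `route` only gets the packet into the tun interface, while `iroute` tells OpenVPN which connected client owns the subnet. The client common name `siteB` is an assumption.

```python
import ipaddress
import re

# Constructed from the "Net2Net server on siteA" config in the thread (only the route lines).
SERVER_CONF = """\
server 10.0.100.0 255.255.255.0
push "route 192.168.90.0 255.255.255.0"
route 192.168.100.0 255.255.255.0
route 10.0.101.0 255.255.255.0
"""

# Client-specific config keyed by client common name; the CN "siteB" is assumed.
CSC_BEFORE = {"siteB": "ifconfig-push 10.0.100.2 10.0.100.1\n"
                       "iroute 192.168.100.0 255.255.255.0\n"}
# The fix suggested in the thread: claim the road-warrior pool for the SiteB client too.
CSC_AFTER = {"siteB": CSC_BEFORE["siteB"] + "iroute 10.0.101.0 255.255.255.0\n"}

_ROUTE = re.compile(r"^\s*(i?route)\s+(\S+)\s+(\S+)\s*$")  # push "route ..." does not match


def parse_routes(text, keyword):
    """Return the networks declared by bare `route` or `iroute` lines."""
    nets = []
    for line in text.splitlines():
        m = _ROUTE.match(line)
        if m and m.group(1) == keyword:
            nets.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return nets


def iroute_table(csc):
    """OpenVPN's internal routing table: iroute network -> owning client CN."""
    return {net: cn for cn, text in csc.items() for net in parse_routes(text, "iroute")}


def missing_iroutes(server_conf, csc):
    """Kernel `route` targets no client claims: packets reach the tun interface,
    but OpenVPN has no client to hand them to, so they are dropped."""
    table = iroute_table(csc)
    return sorted(str(n) for n in parse_routes(server_conf, "route") if n not in table)


def pick_client(dst, csc):
    """Longest-prefix match over iroutes: which client receives a packet for dst?"""
    table = iroute_table(csc)
    matches = [n for n in table if ipaddress.ip_address(dst) in n]
    return table[max(matches, key=lambda n: n.prefixlen)] if matches else None
```

Run `missing_iroutes(SERVER_CONF, CSC_BEFORE)` against the posted config and it names 10.0.101.0/24; with the extra iroute the list is empty and `pick_client("10.0.101.7", CSC_AFTER)` resolves to the SiteB client.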



  • Dear divsys...

    Thank you, bro. Now it finally works, although I look so stupid.

    I just want to ask again, for clarity, about iroute vs. route in OpenVPN?



  • I haven't needed the iroute yet, but nevertheless interesting:
    http://community.openvpn.net/openvpn/wiki/RoutedLans



  • Glad it all worked out.

    Like many others around here I find the forums to be a wealth of excellent information for pfSense.

    It may take a little time, but searching and asking polite questions seems to yield great results (at least for me).

    Good luck  :D