[SOLVED] Roadwarrior routing on openvpn Net to Net
-
Greetings,
I need your help with my configuration:

SiteA                                        SiteB
+---------------------------+               +---------------------------+
| openvpn server            |  Net to Net   | openvpn client            |
| LAN-1 192.168.90.0/24     | 10.0.100.0/24 | LAN 192.168.100.0/24      |
|   Client 192.168.90.6     |<------------->|   Client 192.168.100.50   |
| LAN-2 192.168.101.0/24    |               |                           |
|   Client 192.168.101.10   |               | RW-B 10.0.101.0/24        |
+---------------------------+               +---------------------------+
On one pfSense box I have the following OpenVPN configurations:
As a server for Road Warriors on SiteB
Server Mode: Remote Access (SSL/TLS+user auth)
Address pool: 10.0.101.0/24
Local network: 192.168.100.0/24
Inter-client communication: yes
Cryptography: BF-CBC (128-bit)
LZO compression: yes
Advanced config: push "route 192.168.90.0 255.255.255.0";
As a server for Net-To-Net OpenVPN on SiteA
Server Mode: Peer to Peer (SSL/TLS)
Address pool: 10.0.100.0/24
Local network: 192.168.90.0/24
Remote network: 192.168.100.0/24
Cryptography: BF-CBC (128-bit)
LZO compression: yes
Advanced config: push "route 192.168.101.0 255.255.255.0";route 10.0.101.0 255.255.255.0;
My routing issue is:
From SiteA I can reach hosts on SiteB and vice versa on Net to Net Openvpn.
From Road Warrior SiteB I can reach hosts on SiteB.
I want to be able to reach hosts and lan client in SiteA from Road Warrior SiteB.
I want to access 192.168.90.0/24 and 192.168.101.0/24 from 10.0.101.0/24.
Please help and enlightenment...
-
Road Warrior SiteB - put both the SiteB and SiteA LANs in the Local Networks box: 192.168.100.0/24,192.168.90.0
and remove the push "route…" - that is effectively done nowadays by listing all the subnets in Local Networks.
Now the road warrior clients know the way to both SiteB and SiteA.
Similar on the site-to-site link: put both the SiteB LAN and the road warrior nets in the Remote Networks box (and in the Local Networks box at SiteB). And then you can remove any special push route statements.
Make sure Firewall Rules on each LAN and OpenVPN allow traffic from/to the relevant subnets.
-
Dear Mr Phil…......
Thanks for your response
I think I've changed the configuration according to your suggestions. But I am still unable to access 192.168.90.0/24 and 192.168.101.0/24 from the RoadWarrior in SiteB.
Then I tried to make a RoadWarrior configuration in SiteA, and succeeded in accessing 192.168.100.0/24 in SiteB from RoadWarrior in SiteA.
I think maybe there is something wrong with the routing from the RoadWarrior in SiteB to 10.0.100.2, but I do not know where the mistake is. Please direct me to the right path.
Here is an attachment from my configuration, and apologies if my English is bad.
Diagram

SiteA                                        SiteB
+---------------------------+               +---------------------------+
| openvpn server            |  Net to Net   | openvpn client            |
| LAN-1 192.168.90.0/24     | 10.0.100.0/24 | LAN 192.168.100.0/24      |
|   Client 192.168.90.6     |<------------->|   Client 192.168.100.50   |
| LAN-2 192.168.101.0/24    |               |                           |
|   Client 192.168.101.10   |               |                           |
| RW-A 10.146.99.0/24       |               | RW-B 10.0.101.0/24        |
+---------------------------+               +---------------------------+
RW on SiteA
dev ovpns2
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 192.168.1.3
tls-server
server 10.146.99.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server2.php via-env
tls-verify /var/etc/openvpn/server2.tls-verify.php
lport 1194
management /var/etc/openvpn/server2.sock unix
push "route 192.168.90.0 255.255.255.0"
push "route 192.168.101.0 255.255.255.0"
push "route 192.168.100.0 255.255.255.0"
client-to-client
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo
persist-remote-ip
float
Net2Net server on siteA
dev ovpns3
dev-type tun
tun-ipv6
dev-node /dev/tun3
writepid /var/run/openvpn_server3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.1.3
tls-server
server 10.0.100.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
ifconfig 10.0.100.1 10.0.100.2
tls-verify /var/etc/openvpn/server3.tls-verify.php
lport 1306
management /var/etc/openvpn/server3.sock unix
push "route 192.168.90.0 255.255.255.0"
push "route 192.168.101.0 255.255.255.0"
route 192.168.100.0 255.255.255.0
route 10.0.101.0 255.255.255.0
ca /var/etc/openvpn/server3.ca
cert /var/etc/openvpn/server3.cert
key /var/etc/openvpn/server3.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server3.tls-auth 0
comp-lzo
CSC on SiteA
ifconfig-push 10.0.100.2 10.0.100.1
iroute 192.168.100.0 255.255.255.0
RW on SiteB
dev ovpns2
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 192.168.1.3
tls-server
server 10.0.101.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server2.php via-env
tls-verify /var/etc/openvpn/server2.tls-verify.php
lport 1194
management /var/etc/openvpn/server2.sock unix
push "route 192.168.100.0 255.255.255.0"
push "route 192.168.90.0 255.255.255.0"
push "route 192.168.101.0 255.255.255.0"
client-to-client
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo
persist-remote-ip
float
Net2Net client on SiteB
dev ovpnc1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.1.3
tls-client
client
lport 1306
management /var/etc/openvpn/client1.sock unix
remote bprop1.jumpingcrab.com 1306
ifconfig 10.0.100.2 10.0.100.1
route 192.168.90.0 255.255.255.0
route 192.168.101.0 255.255.255.0
route 10.146.99.0 255.255.255.0
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
comp-lzo
resolv-retry infinite
SiteA route
Destination        Gateway          Flags  Refs  Use   Mtu    Netif  Expire
default            192.168.1.1      UGS    0     1749  1500   re0
8.8.4.4            192.168.1.1      UGHS   0     209   1500   re0
8.8.8.8            192.168.1.1      UGHS   0     4673  1500   re0
10.0.100.0/24      10.0.100.2       UGS    0     0     1500   ovpns3
10.0.100.1         link#10          UHS    0     0     16384  lo0
10.0.100.2         link#10          UH     0     0     1500   ovpns3
10.0.101.0/24      10.0.100.2       UGS    0     0     1500   ovpns3
10.146.99.0/24     10.146.99.2      UGS    0     0     1500   ovpns2
10.146.99.1        link#9           UHS    0     0     16384  lo0
10.146.99.2        link#9           UH     0     0     1500   ovpns2
10.233.245.1       link#11          UH     0     0     1500   ovpnc1
10.233.245.2       link#11          UHS    0     0     16384  lo0
127.0.0.1          link#7           UH     0     512   16384  lo0
192.168.1.0/24     link#3           U      0     0     1500   re0
192.168.1.3        link#3           UHS    0     0     16384  lo0
192.168.70.0/24    10.233.245.1     UGS    0     0     1500   ovpnc1
192.168.90.0/24    link#1           U      0     3196  1500   vr0
192.168.90.254     link#1           UHS    0     0     16384  lo0
192.168.100.0/24   10.0.100.2       UGS    0     320   1500   ovpns3
192.168.101.0/24   link#2           U      0     0     1500   vr1
192.168.101.1      link#2           UHS    0     0     16384  lo0
SiteB route
Destination        Gateway          Flags  Refs  Use   Mtu    Netif  Expire
default            192.168.1.1      UGS    0     1922  1500   re0
8.8.8.8            192.168.1.1      UGHS   0     4754  1500   re0
10.0.100.1         link#9           UH     0     0     1500   ovpnc1  =>
10.0.100.1/32      10.0.100.1       UGS    0     0     1500   ovpnc1
10.0.100.2         link#9           UHS    0     0     16384  lo0
10.0.101.0/24      10.0.101.2       UGS    0     0     1500   ovpns2
10.0.101.1         link#8           UHS    0     0     16384  lo0
10.0.101.2         link#8           UH     0     0     1500   ovpns2
10.146.99.0/24     10.0.100.1       UGS    0     0     1500   ovpnc1
127.0.0.1          link#6           UH     0     530   16384  lo0
192.168.1.0/24     link#2           U      0     0     1500   re0
192.168.1.3        link#2           UHS    0     0     16384  lo0
192.168.90.0/24    10.0.100.1       UGS    0     530   1500   ovpnc1
192.168.100.0/24   link#1           U      0     0     1500   vr0
192.168.100.254    link#1           UHS    0     0     16384  lo0
192.168.101.0/24   10.0.100.1       UGS    0     0     1500   ovpnc1
Rules on SiteA
http://imgbox.com/zjAJFEmH
http://imgbox.com/3syPWVP9
http://imgbox.com/y85EzBXK
http://imgbox.com/gOJ7UWcL
Rules on SiteB
http://imgbox.com/IqZ2DQzp
http://imgbox.com/Y7ZEMVB9
http://imgbox.com/RkRiNJK8
Thank you for your attention
-
Dear all,
Everybody..., is there a hint?
-
I believe you need an:
"iroute 10.0.101.0 255.255.255.0"
added to the SiteA CSC to tell the site-site which connection to use for the supplied 10.0.101.0 route statement.
You'll need to restart SiteA's OVPN server and probably need to force SiteB to reconnect.
This is all doable, I have a number of setups similar to your diagram that work very well.
Let us know if it works.
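A check for the route-without-iroute gap divsys describes, as an added example (not code from the thread, pfSense or OpenVPN): it parses a server config and its client-config-dir files and lists every server `route` subnet that no client claims with `iroute`. The sample configs are constructed from the ones posted above and the CSC file name is a placeholder.

```python
"""Lint an OpenVPN server config against its client-config-dir (CSC) files.

A `route` on the server only adds a kernel route into the tun device; OpenVPN
also needs an `iroute` in some client's CSC file to know which connected client
owns that subnet. A `route` with no matching `iroute` is the gap fixed above.
"""
import ipaddress
import re
from typing import Dict, List, Set


def _nets(text: str, keyword: str) -> Set[ipaddress.IPv4Network]:
    """Collect networks declared by `<keyword> NETWORK NETMASK` lines.

    Anchored at line start, so `push "route ..."` lines are not matched."""
    pat = re.compile(r"^\s*" + keyword + r"\s+(\S+)\s+(\S+)", re.MULTILINE)
    return {ipaddress.IPv4Network(f"{n}/{m}") for n, m in pat.findall(text)}


def routes_without_iroute(server_cfg: str, csc_files: Dict[str, str]) -> List[str]:
    """Return server `route` subnets that no CSC file claims via `iroute`.

    The server's own `server` pool is skipped: it never needs an iroute."""
    pool = _nets(server_cfg, "server")
    iroutes = {net for body in csc_files.values() for net in _nets(body, "iroute")}
    missing = [net for net in _nets(server_cfg, "route")
               if net not in iroutes and net not in pool]
    return sorted(str(net) for net in missing)


# Constructed from the SiteA Net2Net server config posted in the thread.
SERVER_CFG = """
server 10.0.100.0 255.255.255.0
route 192.168.100.0 255.255.255.0
route 10.0.101.0 255.255.255.0
push "route 192.168.90.0 255.255.255.0"
"""
# CSC for the SiteB peer as originally posted ("siteb" is a placeholder name):
# only the SiteB LAN has an iroute.
CSC_BEFORE = {"siteb": "ifconfig-push 10.0.100.2 10.0.100.1\n"
                       "iroute 192.168.100.0 255.255.255.0\n"}
# The same CSC after adding the iroute for the road-warrior pool.
CSC_AFTER = {"siteb": CSC_BEFORE["siteb"] + "iroute 10.0.101.0 255.255.255.0\n"}

if __name__ == "__main__":
    print("before:", routes_without_iroute(SERVER_CFG, CSC_BEFORE))  # ['10.0.101.0/24']
    print("after: ", routes_without_iroute(SERVER_CFG, CSC_AFTER))   # []
```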
-
Dear divsys...
Thank you Bro, now it finally works, although I look so stupid.
Just want to ask again, for clarity, about IROUTE vs. ROUTE in openvpn?
-
Haven't needed the iroute yet, but nevertheless interesting...
http://community.openvpn.net/openvpn/wiki/RoutedLans
-
Glad it all worked out.
Like many others around here I find the forums to be a wealth of excellent information for pfsense.
It may take a little time, but searching and asking polite questions seems to yield great results (at least for me).
Good luck :D