Subnet access over OpenVPN



  • Attached is a diagram showing my current network.
    Client-to-client communication is enabled on the OpenVPN server, and pings go both directions between pfSense (10.8.0.6) and the WWW computer (10.8.0.10) as well as back and forth to the server. Just to be clear, the OpenVPN server is a linux server running Ubuntu.

    What I'd like is for the WWW computer to be able to access, at minimum, file shares on computers or NAS behind pfSense (in the "other computers"). Ideally it'd be able to do anything that one of those could, like print to network printers, etc.

    What do I need to do to get this to work? I know I need to modify the routing tables on one more of the devices, but I'm not sure which ones, or the exact modifications need to be made.

    I'm running pfSense 2.0, if it makes a difference.
    ![Screenshot from 2014-05-14 14:12:00.png](/public/imported_attachments/1/Screenshot from 2014-05-14 14:12:00.png)
    ![Screenshot from 2014-05-14 14:12:00.png_thumb](/public/imported_attachments/1/Screenshot from 2014-05-14 14:12:00.png_thumb)



  • Why won't you run an OpenVPN server at the pfSense machine? So you could configure the route in server settings and you will have access to the network behind by establishing this one connection only.

    However, if you can reach the other VPN client it will also work as you want, but with a manual set route.
    You have to add a route to your www computer for the network 10.14.2.x to go over the pfSenses OVPN client IP (10.8.0.6 in your example).
    But if the client IP changes the route has to be adjusted.



  • The pfSense machine is behind a NAT that I don't control, as well as a dynamic IP, which is why I can't use it as the server.

    The WWW computer is also running Ubuntu, so I've tried adding the route with the following command:

    route add -net 10.14.2.0 netmask 255.255.255.0 gw 10.8.0.6 dev tun0
    

    Which should tell it to use 10.8.0.6 as the gateway for the 10.14.2.0 subnet (over the VPN tunnel interface)
    but I get the error:

    SIOCADDRT: Network is unreachable
    

    which I don't understand, since obviously, it's unreachable without using that gateway, which is why I'm adding it…...



  • SIOCADDRT: Network is unreachable
    

    I assume your VPN server allocates a /30 net to each client. Take a look at ifconfig.

    One solution could be to change the VPN server config to supply one common subnet to all clients.
    The other solution, I think, could work, is to change your route to use your VPN gateway, presumably 10.8.0.9 (ifconfig will tell you). However, you can also use push route on VPN server for this, but only for the www computer, not for pfSsense!
    Additional set up a further route at your VPN server with 10.8.0.6.



  • Don't try to manually add routes for OpenVPN clients or servers like that, put them in its conf file.


Log in to reply