Pfsense as OpenVPN client, routing issue

OpenVPN
Log in to reply
  • J

    Hello,

    I try to connect our branch office to our main office using pfsense as a OpenVPN client on the branch office.

    Setup looks like this:

    Main Office:
    Net: 192.168.1.x
    Default GW: 192.168.1.244
    OpenVPN Server: 192.168.1.6 (Debian 7. PKI/TAP)
    Other Net: 10.1.1.x (routed via .244)

    Branch Office:
    Net: 192.168.2.x
    Ovpn Client IP: 192.168.1.194

    What I want to accomplish:
    The clients on the branch office should reach the Internet using the branch office's WAN and use the OpenVPN for connections to the main office's networks.

    What does work:
    OpenVPN connects successfully, I can ping from branch to 192.168.1.x and from main to 192.168.2.x. Branch clients also use there WAN for Internet access.

    What doesn't work:

    1. Clients from branch can't ping 10.1.1.x (because they/pfsense do not know about the route there).
    2. Branch clients can't access a webserver on 192.168.1.x Net. (Browser keeps loading forever).

    I think the problem is that connections over OVPN don't use 192.168.1.244 as their GW.

    Routing table on pfsense:

    Destination        Gateway            Flags    Refs      Use  Netif Expire
default            XXX.XXX.XX.113     UGS         0       95    re0
127.0.0.1          link#4             UH          0        0    lo0
192.168.1.0/24     link#8             U           0       51 ovpnc1
192.168.1.194      link#8             UHS         0        0    lo0
192.168.2.0/24    link#2             U           0       46    re1
192.168.2.254     link#2             UHS         0        0    lo0
YYY.YYY.YYY.10     XXX.XXX.XX.113     UGHS        0       21    re0
YYY.YYY.YYY.11     XXX.XXX.XX.113     UGHS        0        2    re0
XXX.XXX.XX.112/29  link#1             U           0     2787    re0
XXX.XXX.XX.117     link#1             UHS         0        0    lo0

    Routing table on 192.168.1.244

    Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         XXX.XXX.XX.113  0.0.0.0         UG        0 0          0 red0
10.1.1.0        192.168.1.208   255.255.255.0   UG        0 0          0 green0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 green0
192.168.2.0    192.168.1.194   255.255.255.0   UG        0 0          0 green0
XXX.XXX.XX.112  0.0.0.0         255.255.255.248 U         0 0          0 red0

    Both problems can be solved by adding the routes to pfsense manually via ssh:

    route del 192.168.1.0
route add -net 192.168.1.0/24 192.168.1.244
route add -net 10.1.1.0/24 192.168.1.244

    I could put these commands in a shell script an let it execute at boot time, but I'm looking for a "clean" solution.

    Is there a way to accomplish this in the webif?

    thanks,
    jakommo

    0
  • K

    You shouldn't use addresses that overlap with either of the LAN nets on the tunnel interfaces. Select a non-overlapping subnet, for example 172.16.2.0/24 and use the first two addresses (.1 and .2) of it on the tunnel network. That way you can be sure there's never any confusion where a packet should be routed to.

    0
  • J

    Hi kpa,

    thanks for your fast response.
    The VPN is a TAP/bridged one, as fas as I understand there is no tunnel on this kind of vpn, or am I missing something?

    Thanks,
    Jakommo

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy