Pfsense as OpenVPN client, routing issue
I try to connect our branch office to our main office using pfsense as a OpenVPN client on the branch office.
Setup looks like this:
Default GW: 192.168.1.244
OpenVPN Server: 192.168.1.6 (Debian 7. PKI/TAP)
Other Net: 10.1.1.x (routed via .244)
Ovpn Client IP: 192.168.1.194
What I want to accomplish:
The clients on the branch office should reach the Internet using the branch office's WAN and use the OpenVPN for connections to the main office's networks.
What does work:
OpenVPN connects successfully, I can ping from branch to 192.168.1.x and from main to 192.168.2.x. Branch clients also use there WAN for Internet access.
What doesn't work:
- Clients from branch can't ping 10.1.1.x (because they/pfsense do not know about the route there).
- Branch clients can't access a webserver on 192.168.1.x Net. (Browser keeps loading forever).
I think the problem is that connections over OVPN don't use 192.168.1.244 as their GW.
Routing table on pfsense:
Destination Gateway Flags Refs Use Netif Expire default XXX.XXX.XX.113 UGS 0 95 re0 127.0.0.1 link#4 UH 0 0 lo0 192.168.1.0/24 link#8 U 0 51 ovpnc1 192.168.1.194 link#8 UHS 0 0 lo0 192.168.2.0/24 link#2 U 0 46 re1 192.168.2.254 link#2 UHS 0 0 lo0 YYY.YYY.YYY.10 XXX.XXX.XX.113 UGHS 0 21 re0 YYY.YYY.YYY.11 XXX.XXX.XX.113 UGHS 0 2 re0 XXX.XXX.XX.112/29 link#1 U 0 2787 re0 XXX.XXX.XX.117 link#1 UHS 0 0 lo0
Routing table on 192.168.1.244
Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 0.0.0.0 XXX.XXX.XX.113 0.0.0.0 UG 0 0 0 red0 10.1.1.0 192.168.1.208 255.255.255.0 UG 0 0 0 green0 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 green0 192.168.2.0 192.168.1.194 255.255.255.0 UG 0 0 0 green0 XXX.XXX.XX.112 0.0.0.0 255.255.255.248 U 0 0 0 red0
Both problems can be solved by adding the routes to pfsense manually via ssh:
route del 192.168.1.0 route add -net 192.168.1.0/24 192.168.1.244 route add -net 10.1.1.0/24 192.168.1.244
I could put these commands in a shell script an let it execute at boot time, but I'm looking for a "clean" solution.
Is there a way to accomplish this in the webif?
You shouldn't use addresses that overlap with either of the LAN nets on the tunnel interfaces. Select a non-overlapping subnet, for example 172.16.2.0/24 and use the first two addresses (.1 and .2) of it on the tunnel network. That way you can be sure there's never any confusion where a packet should be routed to.
thanks for your fast response.
The VPN is a TAP/bridged one, as fas as I understand there is no tunnel on this kind of vpn, or am I missing something?