[solved] OpenVPN Client can reach 192.x.x.x but not other LAN subnets?
-
Hi,
I'm a bit of a newb here, and I need some advice.
We have been running pfSense for a while now, working great. I have OpenVPN clients connecting up to the 10.0.8.0 network (default I believe).
Our main corporate network is 192.168.1.0 / 255.255.255.0
I have an industrial machine that sits on the same physical network, but on IP 172.16.21.98 / 255.255.0.0
My question is… when I'm here at the office I can change my IP to something in the 172 network, and communicate with the industrial machine. When I VPN in, I have no way to get to it. I see nothing in the config that handles the 10.* network and routes it over to the 192.* network, it has just always worked.
Is there a way I can get a VPN client over to the 172. network? I have a gap in my knowledge of how this part of the VPN works.
It seems cross-subnet communication is handled somewhere to allow 10. clients to get to 192. clients, but I'm not sure where I can add the 172 net…
Thanks.
-
you will need to let your vpn clients know that their is a ROUTE TO the industrial pcs (see push route openvpn)
the industrial pc's will need to have their gateway set to pfSense… (this is probably currently not possible because of the seperate subnet, since pfSense probably does not have an ip in that range)option1:
ideally, you buy a vlan-capable switch. and create a new vlan for the industrial machine (need to config the switch and pfsense to work with vlans).
you should read up on vlans if you wish to go this route. this will be the best way to move forward.option2:
you choose the messy road of "VIP' (https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F)
-Create an IP alias in the subnet of your industrial pc's on your LAN interface
-Create custom firewall rules with source=indust_pc_subnet
-modify openvpn config that includes the "push route" to this subnet -
Okay, that makes sense. Thanks for your time..
One last question if you can…
Is there a default route in OpenVPN on the server config to know what my LAN range is? I don't see that route specifically in the client config.
I think I found a workaround to the whole process, but I appreciate your suggestions and can take it from there.
-
there should be a field in the openvpn server config named: "IPv4 Local Network/s"
all subnets declared there get an automatic "push route' statement added in the underlying config.