OpenVPN access to remote networks


  • We have three sites that are connected to each other through an MPLS circuit using Cisco routers and Fiber1.

    East - 172.16.0.0/21
    West - 172.16.8.0/21
    South - 172.16.16.0/21

    Each site has its own pfSense firewall, with access to two WANs, primary (Fiber2) and backup (Comcast). All of this works well.

    The East site has an OpenVPN connection added to it. Connections can access the entire East network, but cannot access West or South.

    The OpenVPN setup page defines:

    Tunnel: 172.18.1.0/24
      Local Area Network: 172.16.0.0/21
      Advanced: push "route 172.16.8.0 255.255.248.0";push "route 172.16.72.0 255.255.248.0"

    I have verified that our Windows clients do have the route statements in their route table.

    I have a MPLS_Gateway defined for the MPLS in System: Gateways.
    I have Route statements for West and South in System: Static Routes that use MPLS_Gateway.

    TCP, UDP & ICMP all fail to connect to West and South.

    What am I missing?
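Added check, not part of the post: a small Python script that parses the Advanced-box push string quoted above (pfSense joins OpenVPN directives with `;`, and `route` takes a network address plus a dotted netmask) and compares the pushed networks against the three declared site prefixes. The prefixes, tunnel and push string are the post's own values; nothing else is assumed. Run as-is, it reports that West is covered, that the second pushed route, 172.16.72.0/21, contains no declared site, and that South (172.16.16.0/21) has no pushed route at all, so South traffic would only enter the tunnel if the tunnel were the client's default route.

```python
import re
from ipaddress import ip_network

# Values copied from the post: the three site prefixes and the Advanced box contents.
SITES = {
    "East": ip_network("172.16.0.0/21"),
    "West": ip_network("172.16.8.0/21"),
    "South": ip_network("172.16.16.0/21"),
}
LOCAL_LAN = "East"  # the OpenVPN server's own LAN, reached via the Local Network setting
ADVANCED = 'push "route 172.16.8.0 255.255.248.0";push "route 172.16.72.0 255.255.248.0"'

# OpenVPN syntax: push "route <network> <netmask>"; pfSense separates directives with ';'
PUSH_ROUTE = re.compile(r'^push\s+"route\s+(\S+)\s+(\S+)"$')


def parse_pushed_routes(advanced):
    """Return the IPv4 networks a client installs from the push "route" directives."""
    routes = []
    for directive in advanced.split(";"):
        m = PUSH_ROUTE.match(directive.strip())
        if m:
            network, netmask = m.groups()
            # strict=True rejects a network address that is not on the mask boundary
            routes.append(ip_network(f"{network}/{netmask}", strict=True))
    return routes


def check_coverage(sites, local_lan, pushed):
    """Compare pushed routes with the declared remote sites.

    Returns (covered, unmatched): covered maps each remote site name to the pushed
    route that contains it (None if there is none); unmatched lists pushed routes
    that overlap no declared site at all.
    """
    covered = {}
    for name, prefix in sites.items():
        if name == local_lan:
            continue
        covered[name] = next((r for r in pushed if prefix.subnet_of(r)), None)
    unmatched = [r for r in pushed if not any(s.overlaps(r) for s in sites.values())]
    return covered, unmatched


def report(advanced=ADVANCED):
    """Run both checks and return the raw results plus human-readable lines."""
    pushed = parse_pushed_routes(advanced)
    covered, unmatched = check_coverage(SITES, LOCAL_LAN, pushed)
    lines = []
    for name, route in covered.items():
        status = f"covered by {route}" if route else "NO pushed route"
        lines.append(f"{name:5} {SITES[name]}: {status}")
    for r in unmatched:
        lines.append(f"pushed {r} matches no declared site")
    return pushed, covered, unmatched, lines


if __name__ == "__main__":
    print("\n".join(report()[3]))
```

The same check applies to the comma-separated "Local networks" field on newer pfSense releases: whatever is pushed to the client has to contain every remote prefix the client is expected to reach, or that traffic never enters the tunnel.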


  • Verified that there is a rule on the OpenVPN tab that passes all traffic: any source IP, any port, to any destination IP, any port.


  • I have read here in another post that entering the push route command in Advanced options is deprecated and shouldn't be used anymore. All accessible networks should be entered at "Local networks" as a comma-separated list now. In your case: "172.16.0.0/21, 172.16.8.0/21,172.16.16.0/21"

    I don't know if this can solve your problem. I assume the hosts at West and South can be reached from an East host?


  • Thanks! The problem is that I am not deprecated … I am still running 2.0.1.
    I have new hardware that I will deploy in the next couple of weeks and will deploy that with 2.1.
    I discovered that I am missing any iroute commands, so I am pursuing how to add them.

    Also, I am wondering if my MPLS router needs a static route placed into it that says, "if you want to get back to 172.18.1.0/24, go here."


  • Still working on this problem …  :o

    I was reading through the 2.1 manual and saw that I should add route statements to the Advanced section of the OpenVPN server setup. I have:

    route 172.16.8.0 255.255.248.0;route 172.16.16.0 255.255.248.0;push "route 172.16.8.0 255.255.248.0";push "route 172.16.16.0 255.255.248.0"

    as well as added a Client Specific Override statement that looks like this:

    iroute 172.16.8.0 255.255.248.0;iroute 172.16.16.0 255.255.248.0;

    It didn't resolve the problem.

    I can access these other networks from the LAN. I simply cannot access them when connected via VPN.


  • I can also ping the other sites from the firewall's LAN interface.


  • iroutes cannot go in the global config, as OpenVPN will not know which client has which route

    the client-specific stuff for West:
    iroute 172.16.8.0 255.255.248.0;

    for the client-specific South:
    iroute 172.16.16.0 255.255.248.0;

    https://community.openvpn.net/openvpn/wiki/RoutedLans
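The post above places iroute in the client-specific override. As an added example (neither the poster's nor OpenVPN's own code), this Python model shows why that is the only place it can go: the server keeps an internal table mapping each iroute prefix to the connected client whose override declared it, and a kernel route pointing into the tunnel is useless without such an entry. The prefixes are the ones from the post; the client CNs west-gateway and south-gateway and the override contents are constructed for the example. Note that iroute describes a network that sits behind a connected client; a network reached through the server's own LAN side, like the MPLS-attached sites in this thread, needs ordinary kernel and return routes instead.

```python
from ipaddress import ip_address, ip_network


def parse_iroutes(ccd_text):
    """Collect 'iroute <network> [<netmask>]' directives from one client's override.

    pfSense's override box joins directives with ';'; a real client-config-dir file
    has one directive per line, so both separators are accepted here.
    """
    nets = []
    for directive in ccd_text.replace(";", "\n").splitlines():
        parts = directive.split()
        if len(parts) >= 2 and parts[0] == "iroute":
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"  # host route if no mask
            nets.append(ip_network(f"{parts[1]}/{mask}", strict=True))
    return nets


def internal_routing_table(ccd_by_cn, connected_cns):
    """Model of OpenVPN's internal table: prefix -> certificate CN of the client behind it.

    Only connected clients contribute. An iroute with no client to bind to has no
    meaning, which is why the directive has to live in a per-client override.
    """
    table = {}
    for cn in connected_cns:
        for net in parse_iroutes(ccd_by_cn.get(cn, "")):
            table[net] = cn
    return table


def pick_client(table, dst):
    """Return the CN of the connected client that should receive a packet for dst
    (longest prefix wins). None means the kernel handed the packet to the tunnel
    but the server has no client to forward it to, so it is dropped."""
    dst = ip_address(dst)
    best = None
    for net, cn in table.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cn)
    return best[1] if best else None


# Constructed overrides keyed by hypothetical client CNs; the iroute lines are the post's.
CCD = {
    "west-gateway": "iroute 172.16.8.0 255.255.248.0;",
    "south-gateway": "iroute 172.16.16.0 255.255.248.0;",
}

if __name__ == "__main__":
    table = internal_routing_table(CCD, ["west-gateway", "south-gateway"])
    print(pick_client(table, "172.16.8.10"))   # west-gateway
    table = internal_routing_table(CCD, ["west-gateway"])
    print(pick_client(table, "172.16.20.1"))   # None: south-gateway is not connected
```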


  • I noticed that when I ran with that config, my Windows PC no longer had any routing information in it for the remote networks. I returned it to the two simple push statements.

    I no longer believe that the problem is in the OpenVPN configuration, but rather, is in the lack of static routes in the gateway and router at each of the sites. Your link https://community.openvpn.net/openvpn/wiki/RoutedLans pretty well documents the problem in the section called, "ROUTES TO ADD OUTSIDE OF OPENVPN".

    Thanks for the links! They were very helpful in my understanding of what iroutes really do.
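The conclusion reached above, that the routes missing are the ones outside OpenVPN, can be checked with a routing model before touching the routers. This is an added example, not from the thread or from pfSense: each node holds a static IPv4 table and packets are forwarded by longest-prefix match. The site prefixes and tunnel subnet are the thread's; the node names, the hop layout (East firewall, East and West MPLS routers, West firewall, a West host) and the choice to model only West are constructed, and South is symmetric. Without return routes, the West host's reply to a tunnel address follows its firewall's default route out the WAN and never comes back; with a route for 172.18.1.0/24 added at each hop on the way back to the East firewall, the reply reaches the interface where OpenVPN picks it up.

```python
from ipaddress import ip_address, ip_network

INTERNET = "INTERNET"  # a default route out a WAN: the packet leaves the private topology


class Node:
    """A router or host with a static IPv4 table. next_hop is another node's name,
    INTERNET for a WAN default route, or None for a directly connected network."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ip_network(p), nh) for p, nh in routes]

    def add_route(self, prefix, next_hop):
        self.routes.append((ip_network(prefix), next_hop))

    def lookup(self, dst):
        """Longest-prefix match; returns (network, next_hop) or None."""
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def build(return_routes=False):
    """East site with the OpenVPN server and the West site across the MPLS.
    Node names and hop layout are constructed for the model."""
    nodes = [
        Node("vpn_client", [("172.18.1.0/24", None), ("172.16.0.0/21", "east_fw"),
                            ("172.16.8.0/21", "east_fw"), ("0.0.0.0/0", INTERNET)]),
        Node("east_fw",    [("172.18.1.0/24", None), ("172.16.0.0/21", None),
                            ("172.16.8.0/21", "mpls_east"), ("0.0.0.0/0", INTERNET)]),
        Node("mpls_east",  [("172.16.0.0/21", None), ("172.16.8.0/21", "mpls_west")]),
        Node("mpls_west",  [("172.16.8.0/21", None), ("172.16.0.0/21", "mpls_east")]),
        Node("west_fw",    [("172.16.8.0/21", None), ("172.16.0.0/21", "mpls_west"),
                            ("0.0.0.0/0", INTERNET)]),
        Node("west_host",  [("172.16.8.0/21", None), ("0.0.0.0/0", "west_fw")]),
    ]
    topo = {n.name: n for n in nodes}
    if return_routes:
        # The "routes to add outside of OpenVPN": every hop on the way back must
        # know that the tunnel subnet lives behind the East firewall.
        topo["west_fw"].add_route("172.18.1.0/24", "mpls_west")
        topo["mpls_west"].add_route("172.18.1.0/24", "mpls_east")
        topo["mpls_east"].add_route("172.18.1.0/24", "east_fw")
    return topo


def trace(topo, src, dst, max_hops=8):
    """Forward a packet hop by hop from node src toward dst; returns (path, outcome)."""
    dst = ip_address(dst)
    path, node = [src], topo[src]
    for _ in range(max_hops):
        hit = node.lookup(dst)
        if hit is None:
            return path, f"no route at {node.name}"
        net, nh = hit
        if nh is None:
            return path, f"delivered on {net} at {node.name}"
        if nh == INTERNET:
            return path, f"sent out the WAN default route at {node.name}"
        path.append(nh)
        node = topo[nh]
    return path, "hop limit exceeded"


if __name__ == "__main__":
    for fixed in (False, True):
        topo = build(fixed)
        print("return routes added" if fixed else "no return routes")
        print("  client -> West host:", trace(topo, "vpn_client", "172.16.8.10"))
        print("  West host -> client:", trace(topo, "west_host", "172.18.1.6"))
```

The forward direction succeeds in both runs, which matches the symptom in the thread: the client's routes and the firewall's static routes are all fine, and the failure is only visible when the reply is traced. The model also shows that a return route on the West firewall alone is not enough; each router between the remote LAN and the East firewall needs one too.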