OpenVPN client and server at the same time



  • Hi.
    I've a pfSense gateway in my LAN that is a client of one remote OpenVPN server and at the same time works as an OpenVPN server itself:

    From LAN 10.200.1.X I can ping LAN 10.100.6.X and LAN 10.100.1.X
    From LAN 10.100.6.X I can ping 10.200.1.X but can't ping LAN 10.100.1.X

    pfSense OpenVPN client config:

    persist-key;
    persist-tun;
    route-nopull;
    route 10.100.1.0 255.255.255.0;

    pfSense OpenVPN server config:

    route 10.100.6.0 255.255.255.0;
    push "route 10.200.1.0 255.255.255.0";
    push "route 10.100.1.0 255.255.255.0";

    pfSense OpenVPN client-specific overrides:

    iroute 10.100.6.0 255.255.255.0;
    ifconfig-push 10.200.10.2 10.200.10.1;

    In Firewall -> Rules -> OpenVPN I've a rule allowing all.

    Is it possible for LAN 10.100.6.X to be routed to 10.100.1.X? I don't control the second OpenVPN server (I can't configure it).

    Thanks



  • So your setup involves an OpenVPN server and client on pfSense (Server "A") talking to some other OpenVPN server (Server "B").

    In order for 10.100.6.x to "find" 10.100.1.x, you need to configure a route in Server "A" telling its clients that they can route traffic to 10.100.1.x. That's a straightforward "push route" option in Server "A".

    Unfortunately you also need a route in Server "B" telling its clients that they can route traffic to 10.100.6.x. If you can't modify Server "B" (or at least add routes into the clients of Server "B") you're going to be hard pressed to make this work.
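    As an added illustration (not part of the original posts), this is the complete route set the reply describes, laid out per box. It assumes Server "B" is a stock OpenVPN server using client-config-dir and that the pfSense client's certificate common name on B is "pfsense-a"; both are assumptions, and on pfSense the custom-options field takes the same directives separated by semicolons.

```text
# --- Server "B" (the remote server the original poster cannot edit) ---
# Kernel route on B: 10.100.6.0/24 lives behind B's tun interface.
route 10.100.6.0 255.255.255.0
# Tell the OpenVPN process on B which connected client owns that subnet.
client-config-dir ccd
#   contents of ccd/pfsense-a ("pfsense-a" is the assumed common name of the pfSense client):
#   iroute 10.100.6.0 255.255.255.0
# Optional: also let B's other clients reach 10.100.6.0/24.
push "route 10.100.6.0 255.255.255.0"

# --- pfSense OpenVPN client toward Server "B" (same as the original post) ---
persist-key
persist-tun
# route-nopull ignores whatever B pushes, so B's LAN must be added by hand.
route-nopull
route 10.100.1.0 255.255.255.0

# --- pfSense OpenVPN server ("A") (same as the original post) ---
route 10.100.6.0 255.255.255.0
push "route 10.200.1.0 255.255.255.0"
push "route 10.100.1.0 255.255.255.0"
# client-specific override for the client at the 10.100.6.x site:
#   iroute 10.100.6.0 255.255.255.0
#   ifconfig-push 10.200.10.2 10.200.10.1
```

    Without the two B-side lines (route plus iroute), B's kernel has no path back to 10.100.6.0/24 and replies are dropped there, even though the echo request arrives. Whether hosts on 10.100.1.0/24 additionally need a static route for 10.100.6.0/24 depends on whether B is their default gateway; the thread does not say.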



  • A couple of things:

    1.  Without seeing the configs we can only speculate, but my best guess is the OpenVPN server on the remote end does not know how to reach the 10.100.6.x subnet, so return traffic is being dropped.  Most likely the remote end is missing a return route for the 10.100.6.x subnet.

    2.  If I'm not mistaken, "iroute" is a server-side directive, so you can remove "iroute 10.100.6.0 255.255.255.0;" from your client config.
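    To make point 1 concrete, here is an added example (not code from the original posts) that models the three routers in the thread with longest-prefix-match routing tables and traces an ICMP request and its reply. The router names "A", "B" and "C", B's route to 10.200.1.0/24 and the host addresses used are assumptions built from the subnets in the thread.

```python
"""Trace echo request and reply through three routers to show why the
reply from 10.100.1.x never reaches 10.100.6.x when Server B lacks a
return route. Router names, B's existing routes and host IPs are
assumptions constructed from the subnets given in the thread."""
import copy
import ipaddress

# Routing tables: prefix -> next hop. "local" means directly attached.
ROUTERS = {
    # A: pfSense, OpenVPN server for site C and OpenVPN client of B
    "A": {
        "10.200.1.0/24": "local",
        "10.200.10.0/24": "local",  # A's server tunnel (ifconfig-push 10.200.10.2 10.200.10.1)
        "10.100.6.0/24": "C",       # 'route' + 'iroute' for client C
        "10.100.1.0/24": "B",       # 'route 10.100.1.0 255.255.255.0' in the client config
    },
    # B: the remote server the poster cannot edit
    "B": {
        "10.100.1.0/24": "local",
        "10.200.1.0/24": "A",       # assumed: the thread says 10.200.1.x already reaches 10.100.1.x
    },
    # C: OpenVPN client of A at the 10.100.6.x site
    "C": {
        "10.100.6.0/24": "local",
        "10.200.1.0/24": "A",       # pushed by A
        "10.100.1.0/24": "A",       # pushed by A
    },
}


def lookup(table, dst):
    """Longest-prefix match; returns the next hop or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def trace(routers, start, dst, max_hops=8):
    """Follow next hops from router `start` until delivered, dropped or looping."""
    path, cur = [start], start
    for _ in range(max_hops):
        hop = lookup(routers[cur], dst)
        if hop is None:
            return path, "dropped: no route at " + cur
        if hop == "local":
            return path, "delivered"
        path.append(hop)
        cur = hop
    return path, "loop"


def ping(routers, src_router, src_ip, dst_ip):
    """Echo request from src_router's LAN, then the echo reply back.
    Returns (request_path, request_result, reply_path, reply_result)."""
    req_path, req = trace(routers, src_router, dst_ip)
    if req != "delivered":
        return req_path, req, None, None
    rep_path, rep = trace(routers, req_path[-1], src_ip)
    return req_path, req, rep_path, rep


def with_return_route(routers):
    """Copy of the tables with the missing return route installed on B
    (what 'route 10.100.6.0 255.255.255.0' plus an iroute on B would give)."""
    fixed = copy.deepcopy(routers)
    fixed["B"]["10.100.6.0/24"] = "A"
    return fixed


if __name__ == "__main__":
    # Works in the thread: 10.200.1.x -> 10.100.1.x, reply finds its way back.
    print(ping(ROUTERS, "A", "10.200.1.10", "10.100.1.10"))
    # Fails in the thread: request reaches B, reply is dropped at B.
    print(ping(ROUTERS, "C", "10.100.6.10", "10.100.1.10"))
    # After B learns 10.100.6.0/24 via A, the reply is delivered.
    print(ping(with_return_route(ROUTERS), "C", "10.100.6.10", "10.100.1.10"))
```

    The request from 10.100.6.10 is forwarded C -> A -> B and delivered, which is why a packet capture on B's tun interface would show it arriving, but B has no entry covering 10.100.6.0/24 so the reply is dropped at B itself. Adding the one return route on B makes the reply path B -> A -> C complete.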

