OpenVPN Site-to-Site PKI - Route from pfSense to Client LAN not working.



  • Hello,

    I am trying to set up a site-to-site using the Site to Site PKI.  I've looked at several guides and the routing is just not coming up.

    My config is this:

pfSense 2.1.5 OpenVPN server is configured as follows:

    "Remote Access (SSL/TLS + User Auth)"
    Backend = Local Database
    Protocol = TCP
    device mode = tun
    Interface WAN
    Local Port 8080

    Tunnel Settings
    IPv4 Tunnel ntwk = 10.10.10.0/24
    Local Ntwks = 10.98.98.0/23

    Advanced Config includes:
    route 192.168.10.0 255.255.255.0 vpn_gateway

The client I'm trying to connect is a Ubiquiti EdgeRouter Lite.
    It will bring up the tunnel just fine, but I can't get a route to the LAN side of the EdgeRouter built on the pfSense/OpenVPN server.
    I do a Client Specific Override which has the following statement in it:

    iroute 192.168.10.0 255.255.255.0

    Again, the tunnel comes up, but I want to be able to reach the 192.168.10.0/24 network from the server side and I can't right now.  I assume I should see a route on the pfsense server side when I do a "netstat -rn" but I'm not seeing that get created.


  • LAYER 8 Netgate

    Advanced Config includes:
    route 192.168.10.0 255.255.255.0 vpn_gateway

    Not sure what that "vpn_gateway" is.

    Try:

    route 192.168.10.0 255.255.255.0;

    in advanced on the server.  I'm surprised it's coming up at all and not bombing out on a syntax error.



  • Thanks for the response.

I think I found part of the problem... now the route is getting built.  It may be related to this bug:

    https://community.openvpn.net/openvpn/ticket/55

    When you enable the "topology" client setting the route doesn't get created.

    Also, the "vpn_gateway" came from here, the OpenVPN2.3 man page:

    https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage

    If you look at the --route option it explains the vpn_gateway keyword.


  • LAYER 8 Netgate

    Sorry.  Not sure what you're trying to do.  If you just put:

    route 192.168.10.0 255.255.255.0; in the server advanced settings and

    iroute 192.168.10.0 255.255.255.0; in the client specific settings it pretty much just works.



That's the thing though, it wasn't working.  And it was because of the topology check box I selected.  However, if I deselect that and add the following in the Advanced Configuration section, it is working now:

    verb 5
    topology p2p
    route 192.168.10.0 255.255.255.0 vpn_gateway

    that is along with the client specific override adding the iroute.
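The working setup in this thread depends on two directives agreeing with each other: a `route` in the server's Advanced Configuration (which creates the kernel route on pfSense) and an `iroute` in the client-specific override (which tells OpenVPN which client owns that subnet). The script below is an added example, not code from the thread, pfSense, or OpenVPN: it parses a server config and a set of CCD files and reports subnets that have one directive but not the other, and flags the `topology subnet` setting the poster found to interfere. The server config text, the client common names (`edgerouter-site-b`, `branch-c`) and the `branch-c` subnet are constructed sample input.

```python
import ipaddress

# Constructed sample input modelled on the thread's configuration; this is
# not a config dump from the original post.
SERVER_CONF = """
dev tun
topology p2p
server 10.10.10.0 255.255.255.0
push "route 10.98.98.0 255.255.254.0"
client-config-dir /var/etc/openvpn-csc
# kernel route on the server: send 192.168.10.0/24 into the tunnel
route 192.168.10.0 255.255.255.0 vpn_gateway
verb 5
"""

# Hypothetical client-specific override (CCD) files keyed by client CN.
CCD_FILES = {
    "edgerouter-site-b": "iroute 192.168.10.0 255.255.255.0\n",
    "branch-c": "iroute 192.168.20.0 255.255.255.0\n",   # no matching 'route'
}

# Gateway keywords accepted by the OpenVPN --route option (per its man page).
ROUTE_GATEWAY_KEYWORDS = {"vpn_gateway", "net_gateway", "remote_host"}


def _directive_tokens(text):
    """Yield (directive, args) for each non-comment line, tolerating the
    trailing ';' that pfSense's Advanced Configuration box accepts."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        parts = line.split()
        yield parts[0].lower(), parts[1:]


def _network(net, mask):
    # ipaddress accepts dotted netmasks, so "192.168.10.0/255.255.255.0" works.
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def parse_routes(server_conf):
    """Return ({network: gateway}, topology) from the server config."""
    routes = {}
    topology = "net30"  # OpenVPN 2.3 default when no topology directive is given
    for directive, args in _directive_tokens(server_conf):
        if directive == "route" and len(args) >= 2:
            gateway = args[2] if len(args) > 2 else "vpn_gateway"
            routes[_network(args[0], args[1])] = gateway
        elif directive == "topology" and args:
            topology = args[0].lower()
    return routes, topology


def parse_iroutes(ccd_files):
    """Return {network: [client CNs]} from all CCD files.
    'iroute' takes an optional netmask; a host route is the default."""
    iroutes = {}
    for cn, text in ccd_files.items():
        for directive, args in _directive_tokens(text):
            if directive == "iroute" and args:
                mask = args[1] if len(args) > 1 else "255.255.255.255"
                iroutes.setdefault(_network(args[0], mask), []).append(cn)
    return iroutes


def check_site_to_site(server_conf, ccd_files):
    """Return a list of human-readable findings; an empty list means the
    route/iroute pairs are consistent."""
    findings = []
    routes, topology = parse_routes(server_conf)
    iroutes = parse_iroutes(ccd_files)

    for net, cns in iroutes.items():
        if net not in routes:
            findings.append(f"{net}: iroute in CCD for {', '.join(cns)} but no matching "
                            "'route' in the server config (no kernel route will be created)")
        if len(cns) > 1:
            findings.append(f"{net}: iroute claimed by more than one client: {', '.join(cns)}")

    for net, gateway in routes.items():
        if net not in iroutes:
            findings.append(f"{net}: 'route' in server config but no CCD iroute "
                            "(OpenVPN cannot tell which client owns the subnet)")
        if gateway not in ROUTE_GATEWAY_KEYWORDS:
            try:
                ipaddress.ip_address(gateway)
            except ValueError:
                findings.append(f"{net}: unrecognised route gateway '{gateway}'")

    if topology == "subnet":
        findings.append("topology subnet is set: the thread above reports the kernel route "
                        "not appearing with this setting on pfSense 2.1.5; topology p2p worked")
    return findings


if __name__ == "__main__":
    for finding in check_site_to_site(SERVER_CONF, CCD_FILES) or ["no findings"]:
        print(finding)
```

On a real pfSense box the server config and CCD directory paths differ between versions, so point `SERVER_CONF` and `CCD_FILES` at the files your installation actually generates rather than the constructed text above.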

