OpenVPN Site-to-Site PKI - Route from pfSense to Client LAN not working.

  • Hello,

    I am trying to set up a site-to-site using the Site to Site PKI.  I've looked at several guides and the routing is just not coming up.

    My config is this:

    The pfSense 2.1.5 OpenVPN server is configured as follows:

    "Remote Access (SSL/TLS + User Auth)"
    Backend = Local Database
    Protocol = TCP
    device mode = tun
    Interface WAN
    Local Port 8080

    Tunnel Settings
    IPv4 Tunnel ntwk =
    Local Ntwks =

    Advanced Config includes:
    route vpn_gateway

    The client I'm trying to connect is a Ubiquiti EdgeRouterLite.
    It will bring up the tunnel just fine, but I can't get a route to the LAN side of the EdgeRouter built on the pfSense/OpenVPN server.
    I do a Client Specific Override which has the following statement in it:


    Again, the tunnel comes up, but I want to be able to reach the network from the server side and I can't right now. I assume I should see a route on the pfSense server side when I do a "netstat -rn", but I'm not seeing that get created.

  • LAYER 8 Netgate

    Advanced Config includes:
    route vpn_gateway

    Not sure what that "vpn_gateway" is.



    in advanced on the server.  I'm surprised it's coming up at all and not bombing out on a syntax error.

  • Thanks for the response.

    I think I found part of the problem…now the route is getting built.  It may be related to this bug:

    When you enable the "topology" client setting the route doesn't get created.

    Also, the "vpn_gateway" came from here, the OpenVPN2.3 man page:

    If you look at the --route option it explains the vpn_gateway keyword.

  • LAYER 8 Netgate

    Sorry.  Not sure what you're trying to do.  If you just put:

    route; in the server advanced settings and

    iroute; in the client specific settings it pretty much just works.

  • That's the thing though, it wasn't working. And it was because of the topology check box I selected. However, if I deselect that and add the following in the Advanced Configuration section, it is working now:

    verb 5
    topology p2p
    route vpn_gateway

    That is along with the client specific override adding the iroute.
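
Added example, not part of the thread: a small check that every `iroute` in a client specific override has a matching `route` in the server's advanced settings, and the reverse, since OpenVPN needs both before traffic for a client LAN is forwarded. The subnets, client names and the `audit` and `parse_directives` helpers are constructed for illustration.

```python
import ipaddress

def parse_directives(text, keyword):
    """Networks named by `<keyword> network [netmask] ...` directives."""
    nets = []
    # Assumption: the pfSense advanced box separates directives with ';'.
    for line in text.replace(";", "\n").splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] != keyword:
            continue
        mask = parts[2] if len(parts) > 2 else "255.255.255.255"
        try:
            nets.append(ipaddress.ip_network(f"{parts[1]}/{mask}"))
        except ValueError:
            pass  # keyword-only forms such as `route vpn_gateway` name no network
    return nets

def audit(server_conf, ccd):
    """Return (client, network, problem) for each route/iroute mismatch."""
    routes = parse_directives(server_conf, "route")
    findings, claimed = [], []
    for client, text in ccd.items():
        for net in parse_directives(text, "iroute"):
            claimed.append(net)
            # The server needs a kernel route covering the client LAN.
            if not any(net.subnet_of(r) for r in routes):
                findings.append((client, str(net), "iroute without server route"))
    for r in routes:
        # OpenVPN needs an iroute to know which client owns the subnet.
        if not any(c.subnet_of(r) or r.subnet_of(c) for c in claimed):
            findings.append((None, str(r), "route without client iroute"))
    return findings

# Constructed sample: server advanced settings and two client overrides.
SERVER = """
dev tun
route 192.168.50.0 255.255.255.0 vpn_gateway;
route 192.168.70.0 255.255.255.0;
route vpn_gateway
"""
CCD = {
    "edgerouter": "iroute 192.168.50.0 255.255.255.0;",
    "branch2": "iroute 192.168.60.0 255.255.255.0;",
}

if __name__ == "__main__":
    for client, net, problem in audit(SERVER, CCD):
        print(f"{client or 'server'}: {net}: {problem}")
```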

