OpenVPN Site-to-Site PKI - Route from pfSense to Client LAN not working.
-
Hello,
I am trying to set up a site-to-site using the Site to Site PKI. I've looked at several guides and the routing is just not coming up.
My config is this:
pfSense 2.1.5 OpenVPN server is as the following
"Remote Access (SSL/TLS + User Auth)"
Backend = Local Database
Protocol = TCP
device mode = tun
Interface WAN
Local Port 8080
Tunnel Settings
IPv4 Tunnel ntwk = 10.10.10.0/24
Local Ntwks = 10.98.98.0/23
Advanced Config includes:
route 192.168.10.0 255.255.255.0 vpn_gateway
The client I'm trying to connect is a Ubiquiti EdgeRouter Lite.
It will bring up the tunnel just fine, but I can't get a route to the LAN side of the EdgeRouter built on the pfSense/OpenVPN server.
I do a Client Specific Override which has the following statement in it:
iroute 192.168.10.0 255.255.255.0
Again, the tunnel comes up, but I want to be able to reach the 192.168.10.0/24 network from the server side and I can't right now. I assume I should see a route on the pfsense server side when I do a "netstat -rn" but I'm not seeing that get created.
-
Advanced Config includes:
route 192.168.10.0 255.255.255.0 vpn_gateway
Not sure what that "vpn_gateway" is.
Try:
route 192.168.10.0 255.255.255.0;
in advanced on the server. I'm surprised it's coming up at all and not bombing out on a syntax error.
-
Thanks for the response.
I think I found part of the problem…now the route is getting built. It may be related to this bug:
https://community.openvpn.net/openvpn/ticket/55
When you enable the "topology" client setting the route doesn't get created.
Also, the "vpn_gateway" came from here, the OpenVPN 2.3 man page:
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
If you look at the --route option it explains the vpn_gateway keyword.
-
Sorry. Not sure what you're trying to do. If you just put:
route 192.168.10.0 255.255.255.0; in the server advanced settings and
iroute 192.168.10.0 255.255.255.0; in the client specific settings it pretty much just works.
-
That's the thing though, it wasn't working. And it was because of the topology check box I selected. However, if I deselect that and add the following in the Advanced Configuration section, it is working now:
verb 5
topology p2p
route 192.168.10.0 255.255.255.0 vpn_gateway
That is along with the client specific override adding the iroute.
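The working setup in this thread needs both halves: a server-side `route` for 192.168.10.0/24 (with or without the `vpn_gateway` keyword or a trailing `;`) and a matching `iroute` in the client-specific override. The checker below is an added example, not pfSense's or OpenVPN's own code; it parses constructed copies of the server's Advanced Configuration and the overrides and reports any subnet that has a `route` but no owning `iroute`, or vice versa, which is exactly the mismatch that leaves the tunnel up but the LAN unreachable.

```python
import ipaddress
import re

# Constructed sample of the server's Advanced Configuration from the last post.
SERVER_ADVANCED = """\
verb 5
topology p2p
route 192.168.10.0 255.255.255.0 vpn_gateway
"""

# Constructed client-specific overrides, keyed by client common name.
CLIENT_OVERRIDES = {
    "edgerouter": "iroute 192.168.10.0 255.255.255.0;",
    "laptop": "",  # road-warrior client, no LAN behind it
}

# route/iroute NETWORK NETMASK [gateway]; pfSense separates options with ';'
ROUTE_RE = re.compile(r"^\s*(route|iroute)\s+(\S+)\s+(\S+)(?:\s+\S+)?\s*$")

def parse_routes(text):
    """Return (directive, ip_network) pairs found in a config fragment."""
    found = []
    for raw in text.replace(";", "\n").splitlines():
        m = ROUTE_RE.match(raw.split("#", 1)[0])
        if m:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            found.append((m.group(1), net))
    return found

def check_site_to_site(server_text, overrides):
    """Pair each server 'route' with a client 'iroute' and list mismatches.

    A route without an iroute: the kernel sends packets into tun, but OpenVPN
    has no client to deliver them to. An iroute without a route: OpenVPN knows
    the owner, but the kernel never steers traffic into the tunnel.
    """
    server_routes = {n for d, n in parse_routes(server_text) if d == "route"}
    owners = {}
    for client, text in overrides.items():
        for d, n in parse_routes(text):
            if d == "iroute":
                owners.setdefault(n, []).append(client)
    findings = []
    for net in sorted(server_routes, key=str):
        if net not in owners:
            findings.append(f"route {net} has no iroute in any client override")
    for net, clients in sorted(owners.items(), key=lambda kv: str(kv[0])):
        if net not in server_routes:
            findings.append(f"iroute {net} in {','.join(clients)} has no server route")
        if len(clients) > 1:
            findings.append(f"iroute {net} claimed by several clients: {','.join(clients)}")
    return findings
```

An empty result means every routed subnet has exactly one owning client; the `topology` interaction described above is outside what a static check can see, so still confirm with `netstat -rn` on the server.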