    [SOLVED] How to be able to talk between 2 VPNs

Post by magoo_it:

Hi, I've been struggling with this dilemma for several hours now.

I need to be able to talk between two OpenVPN instances inside the same pfSense:

      Scenario:

Config1:
OpenVPN1: server for road-warrior connections.
OpenVPN2: server for Site2Site to another pfSense.

All pfSense boxes are running version 2.1.5.

      My Problem:

Inside OpenVPN1 I can talk to the LAN but NOT to the Site2Site LAN.
Inside the LAN I can talk to the Site2Site LAN and vice versa.
Inside the Site2Site LAN I can talk to the remote LAN.

      Help needed:

How can I make it so that, when connected to OpenVPN1 (road warrior), I can also reach servers on the Site2Site LAN?

I tried to follow these (and other) very useful links, but so far with no success:

      Link1: https://forum.pfsense.org/index.php?topic=68526.0
      Link2: http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing

Hope you guys can point me in some good directions.

      Regards

      JG

Post by Derelict (LAYER 8, Netgate):

        If you refer to the diagram, you want the Remote Access, pfSense A LAN and pfSense B LAN to all be able to communicate with each other?

[image: pfSense+OpenVPN.png]

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

Post by phil.davis:

In the road warrior server tunnel settings, in IPv4 Local Network/s, put a comma-separated list of the (usually private) networks that you want the road warriors to know about, including the network/s across the Site2Site link/s. Something like:

          10.10.0.0/16,10.20.0.0/16,10.30.0.0/16
          

          Whatever networks you have.
Then put rules on OpenVPN (for road warrior and Site2Site) and on the LAN at the remote site to allow traffic to and from all the networks you want.
I make an alias for all internal networks (InternalNets) and then just put a pass rule everywhere to pass source InternalNets, destination InternalNets. That allows internal traffic to flow anywhere; it's easy if you do not want/need to firewall off any bits of your internal network from each other.

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

Post by magoo_it:

            Thank you ALL, for your quick responses.

            Basically what I need is:

            PFsense A = LAN A
            PFsense B = LAN B

            PFsense A has a Site2Site to PFsense B, using 'sharedkey' as 'Server-Client', and this is working well, but:

            If I connect to PFsense A with OVPN roadwarrior:

            • I Can access to hosts inside LAN A, but not to hosts on LAN B

What I need is to connect to LAN B from INSIDE the road-warrior connection, so that I don't need to connect to a host on LAN A in order to access those on LAN B.

Sorry if my thoughts were blurry; it was late and I was a bit tired.

Regarding the suggestion from phil.davis, I tried that, but although I could see the routing table on the 'RW' client, I wasn't able to access LAN B. I tried several combinations of firewall rules, but probably none correctly. I'll give it a try using your suggestion.

            Thank you all, again.

            Regards.

            JG

Post by Derelict (LAYER 8, Netgate):

              Add LAN B's subnet to the IPv4 Local Network/s on the remote access server on pfSense A.

              Add the Remote Access subnet to the IPv4 Local Network/s on the Site-to-Site server on pfSense A going to pfSense B.

              You will need to be sure the Remote Access subnet and pfSense B subnet are both passed on the rules on the OpenVPN tab on pfSense A.

              I think that's all you need to do to get this working.

              You might consider binding interfaces to the OpenVPN server instances on pfSense A and B to give you more control but I don't think it'll be necessary to get this project done.


Post by magoo_it:

                @Derelict:

                Add LAN B's subnet to the IPv4 Local Network/s on the remote access server on pfSense A.

                Add the Remote Access subnet to the IPv4 Local Network/s on the Site-to-Site server on pfSense A going to pfSense B.

                You will need to be sure the Remote Access subnet and pfSense B subnet are both passed on the rules on the OpenVPN tab on pfSense A.

                I think that's all you need to do to get this working.

                You might consider binding interfaces to the OpenVPN server instances on pfSense A and B to give you more control but I don't think it'll be necessary to get this project done.

Thank you!!! And sorry for the delay in getting back to you.

For this to really work I had to do two more steps in addition to yours:

1 - On pfSense B, in the Site2Site client config, add to the 'Remote Nets' option the network of the road-warrior VPN on pfSense A, together with the LAN A network.

2 - On pfSense A, in the Site2Site server config, add to the 'Remote Nets' option the network of the road-warrior VPN on pfSense B, together with the LAN B network.

                With Step 1 I'm able to access LAN B from INSIDE Roadwarrior VPN on PFSENSE A. –> My original request <--
                With Step 2 I'm able to access LAN A from INSIDE Roadwarrior VPN on PFSENSE B.

                Inside the FIREWALL->OpenVPN rules, I have an ANY-ANY rule.

Thank you all for taking the time to help us solve these issues.

If you guys see fit, I can write a HOW-TO for this type of setup; just let me know.

                Best regards.

                Jorge Gomes

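The requirement the thread converges on has three parts: the road-warrior clients need a route to LAN B pushed into their tunnel ('IPv4 Local Network/s' on A's road-warrior server, as phil.davis and Derelict describe), pfSense B needs a route for the road-warrior subnet back across the site-to-site tunnel ('Remote Nets' on B's site-to-site client, Jorge's step 1), and the flow must be passed on the OpenVPN tab of both boxes. The Python below is an added example, not code from the forum or from pfSense; the subnets, host addresses and node names are constructed, and it models only the road-warrior-on-A-to-LAN-B direction (step 1), not the mirror-image step 2. It traces the forward and return path through a small routing model and shows why a road warrior can see the pushed route yet get no reply until B learns the way back.

```python
"""Added example (not from the forum or pfSense): model the routes and pass rules
needed for a road warrior on pfSense A to reach LAN B behind pfSense B."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address
RouteTable = List[Tuple[Net, str]]   # (prefix, next-hop node); "deliver" = local delivery
Rule = Tuple[Net, Net]               # pass rule: (source net, destination net)

# Constructed addressing; the thread names no subnets.
LAN_A = ipaddress.ip_network("10.10.0.0/24")   # behind pfSense A
LAN_B = ipaddress.ip_network("10.20.0.0/24")   # behind pfSense B
RW_NET = ipaddress.ip_network("10.8.0.0/24")   # road-warrior tunnel, server on pfSense A
S2S_NET = ipaddress.ip_network("10.9.0.0/30")  # shared-key site-to-site tunnel, A server / B client
ANY = ipaddress.ip_network("0.0.0.0/0")

INTERNAL_NETS = [LAN_A, LAN_B, RW_NET]
# phil.davis's "InternalNets -> InternalNets" alias rule, expanded to pairs.
INTERNAL_TO_INTERNAL: List[Rule] = [(s, d) for s in INTERNAL_NETS for d in INTERNAL_NETS]
ANY_ANY: List[Rule] = [(ANY, ANY)]   # Jorge's any-any rule on the OpenVPN tab


def build_tables(rw_server_local_nets: List[Net],
                 b_client_remote_nets: List[Net]) -> Dict[str, RouteTable]:
    """Three routers. The two arguments are the pfSense fields the thread changes:
    'IPv4 Local Network/s' on A's road-warrior server, which OpenVPN pushes to each
    client as routes into the tunnel, and 'IPv4 Remote Network/s' on B's site-to-site
    client, which B installs as routes back across the tunnel."""
    rw_client = [(RW_NET, "deliver")] + [(n, "pfsense_a") for n in rw_server_local_nets]
    pfsense_a = [(LAN_A, "deliver"), (RW_NET, "rw_client"),
                 (S2S_NET, "pfsense_b"), (LAN_B, "pfsense_b")]  # LAN_B: A's site-to-site remote net
    pfsense_b = [(LAN_B, "deliver"), (S2S_NET, "pfsense_a")] + \
                [(n, "pfsense_a") for n in b_client_remote_nets]
    return {"rw_client": rw_client, "pfsense_a": pfsense_a, "pfsense_b": pfsense_b}


def next_hop(table: RouteTable, dst: Addr) -> Optional[str]:
    """Longest-prefix match. None = no specific route: on a real box the packet
    would follow the default route out WAN and never come back."""
    matches = [(net.prefixlen, hop) for net, hop in table if dst in net]
    return max(matches)[1] if matches else None


def trace(tables: Dict[str, RouteTable], start: str, dst: Addr, max_hops: int = 8) -> List[str]:
    """Follow next hops from `start` until some node delivers locally.
    Returns the node path, or [] when there is no route or the path loops."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = next_hop(tables[node], dst)
        if hop is None:
            return []
        if hop == "deliver":
            return path
        path.append(hop)
        node = hop
    return []


def passes(rules: List[Rule], src: Addr, dst: Addr) -> bool:
    """Any pass rule covering src->dst lets the flow through (pass rules only; block
    rules are not modelled). pf is stateful, so the reply needs no rule of its own."""
    return any(src in s and dst in d for s, d in rules)


def rw_can_reach_lan_b(rw_server_local_nets: List[Net], b_client_remote_nets: List[Net],
                       ovpn_rules_a: List[Rule], ovpn_rules_b: List[Rule]) -> bool:
    """True when a road warrior (10.8.0.5) can reach a LAN B host (10.20.0.10) AND the
    reply can come back. Both the forward and the return route must exist, and the
    forward packet must be passed on A's OpenVPN tab (it enters from the RW tunnel)
    and on B's OpenVPN tab (it enters from the site-to-site tunnel)."""
    tables = build_tables(rw_server_local_nets, b_client_remote_nets)
    src, dst = ipaddress.ip_address("10.8.0.5"), ipaddress.ip_address("10.20.0.10")
    forward = trace(tables, "rw_client", dst)
    back = trace(tables, "pfsense_b", src)
    if forward != ["rw_client", "pfsense_a", "pfsense_b"]:
        return False
    if back != ["pfsense_b", "pfsense_a", "rw_client"]:
        return False
    return passes(ovpn_rules_a, src, dst) and passes(ovpn_rules_b, src, dst)


if __name__ == "__main__":
    # Before the fix: LAN B is pushed to road warriors, but B has no route back to RW_NET.
    print(rw_can_reach_lan_b([LAN_A, LAN_B], [LAN_A], ANY_ANY, ANY_ANY))          # False
    # After step 1 of the fix: RW_NET added to B's site-to-site 'Remote Network/s'.
    print(rw_can_reach_lan_b([LAN_A, LAN_B], [LAN_A, RW_NET], ANY_ANY, ANY_ANY))  # True
```

The "route visible on the client, still no reply" symptom from the fourth post is the `back == []` case: the forward packet reaches pfSense B, but B has no route for 10.8.0.0/24 and sends the reply out its default route. The same function also shows where an InternalNets alias rule is tighter than any-any while still passing the flow; if the OpenVPN tab on either box only passes LAN A to LAN B, the road-warrior source address is not covered and the check fails. Binding an interface to each OpenVPN instance, as Derelict suggests, would let those rules be written per tunnel instead of on the shared OpenVPN tab.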
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.