[SOLVED] How to be able to talk between 2 VPNs



  • Hi, I've been struggling with this dilemma for several hours now.

    I need to be able to talk between 2 openvpns inside the same PFsense:

    Scenario:

    Config1:
    openvpn1 server for roadwarrior connections.
    openvpn2 server for Site2Site to another PFsense.

    All PFsense running version 2.1.5

    My Problem:

    Inside openvpn1 I can talk to LAN but NOT to Site2Site LAN.
    Inside LAN I can talk to Site2Site LAN and vice-versa.
    Inside Site2Site LAN I can talk to the remote LAN.

    Help needed:

    How can I make it so that, when inside openvpn1 (roadwarrior), I am also able to connect to servers on the Site2Site LAN??

    I tried to follow these (and other) very useful links, but so far with no success:

    Link1: https://forum.pfsense.org/index.php?topic=68526.0
    Link2: http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing

    Hope you guys can point me in some good directions.

    Regards

    JG


  • LAYER 8 Netgate

    If you refer to the diagram, you want the Remote Access, pfSense A LAN and pfSense B LAN to all be able to communicate with each other?




  • In the road warrior server tunnel settings, IPv4 Local Network/s put a comma-separated list of the (usually private) networks that you want the road warriors to know about - including the network/s across the Site2site link/s. Something like:

    10.10.0.0/16,10.20.0.0/16,10.30.0.0/16
    

    Whatever networks you have.
    Then put rules on OpenVPN (for road warrior and site2site) and the LAN at the remote site… to allow traffic to and from all the networks you want.
    I make an alias for all internal networks - InternalNets - and then just put a pass rule everywhere to pass source InternalNets destination InternalNets. That allows internal traffic to flow anywhere; it's easy if you do not want/need to firewall off any bits of your internal network from each other.



  • Thank you ALL, for your quick responses.

    Basically what I need is:

    PFsense A = LAN A
    PFsense B = LAN B

    PFsense A has a Site2Site to PFsense B, using 'sharedkey' as 'Server-Client', and this is working well, but:

    If I connect to PFsense A with OVPN roadwarrior:

    • I can access hosts inside LAN A, but not hosts on LAN B

    What I need is to connect to LAN B from INSIDE the Roadwarrior connection, so that I do not need to connect to a host on LAN A in order to access those on LAN B.

    Sorry if my thoughts were blurry; it was late and I was a bit tired.

    Regarding the suggestion from Phil.Davis, I tried that, but although I could see the routing table on the 'RW' client I wasn't able to access LAN B. I tried several combinations of the firewall rules, but probably none correctly. I'll give it a try using your suggestion.

    Thank you all, again.

    Regards.

    JG


  • LAYER 8 Netgate

    Add LAN B's subnet to the IPv4 Local Network/s on the remote access server on pfSense A.

    Add the Remote Access subnet to the IPv4 Local Network/s on the Site-to-Site server on pfSense A going to pfSense B.

    You will need to be sure the Remote Access subnet and pfSense B subnet are both passed on the rules on the OpenVPN tab on pfSense A.

    I think that's all you need to do to get this working.

    You might consider binding interfaces to the OpenVPN server instances on pfSense A and B to give you more control but I don't think it'll be necessary to get this project done.



  • @Derelict:

    Add LAN B's subnet to the IPv4 Local Network/s on the remote access server on pfSense A.

    Add the Remote Access subnet to the IPv4 Local Network/s on the Site-to-Site server on pfSense A going to pfSense B.

    You will need to be sure the Remote Access subnet and pfSense B subnet are both passed on the rules on the OpenVPN tab on pfSense A.

    I think that's all you need to do to get this working.

    You might consider binding interfaces to the OpenVPN server instances on pfSense A and B to give you more control but I don't think it'll be necessary to get this project done.

    Thank you!!! And sorry for the delay in getting back to you.

    For this to really work I had to do 2 more steps in addition to yours:

    1 - On PFSENSE B, in the Site2Site Client config, add to the 'Remote Nets' option the network of the Roadwarrior VPN connection from PFSENSE A, in conjunction with the LAN A network.

    2 - On PFSENSE A, in the Site2Site server config, add to the 'Remote Nets' option the network of the RoadWarrior VPN connection from PFSENSE B, in conjunction with the LAN B network.

    With Step 1 I'm able to access LAN B from INSIDE Roadwarrior VPN on PFSENSE A. –> My original request <--
    With Step 2 I'm able to access LAN A from INSIDE Roadwarrior VPN on PFSENSE B.

    Inside the FIREWALL->OpenVPN rules, I have an ANY-ANY rule.

    Thank you all for taking the time to help us solve these issues.

    If you guys see fit, I can do a HOW-TO for this type of setup, just let me know.

    Best regards.

    Jorge Gomes
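    To make the two-way routing requirement behind Derelict's steps and the OP's extra step 1 concrete, here is an added Python model (example code, not pfSense's own code and not posted by anyone in the thread). The subnets are constructed sample values and the node names pfA, pfB and rw are assumptions; the point it shows is that LAN B hosts cannot answer a road warrior until pfSense B has a route for the road-warrior tunnel network back through the site-to-site tunnel.

```python
import ipaddress

# Constructed sample subnets (not the thread's real values).
LAN_A = ipaddress.ip_network("10.10.0.0/24")   # behind pfSense A
LAN_B = ipaddress.ip_network("10.20.0.0/24")   # behind pfSense B
RW    = ipaddress.ip_network("10.8.0.0/24")    # road-warrior tunnel net on pfSense A

def build_tables(rw_in_b_remote_nets):
    """Routing tables as {destination network: next-hop node}; 'local' = attached.

    pfA terminates both tunnels. rw is a road-warrior client whose routes come
    from the server's IPv4 Local Network/s. pfB is the site-to-site client; its
    routes come from its Remote Network/s field (step 1 in the thread)."""
    pfa = {LAN_A: "local", RW: "local", LAN_B: "pfB"}
    rw  = {RW: "local", LAN_A: "pfA", LAN_B: "pfA"}
    pfb = {LAN_B: "local", LAN_A: "pfA"}
    if rw_in_b_remote_nets:
        pfb[RW] = "pfA"          # the return route that was missing
    return {"pfA": pfa, "pfB": pfb, "rw": rw}

def next_hop(table, addr):
    """Longest-prefix match, like a real forwarding lookup."""
    matches = [(net, hop) for net, hop in table.items() if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(tables, start, addr, max_hops=8):
    """Follow next hops from `start` until a node owns `addr` (True) or routing fails."""
    node, path = start, [start]
    for _ in range(max_hops):
        hop = next_hop(tables[node], addr)
        if hop is None or hop == "local":
            return path, hop == "local"
        node = hop
        path.append(node)
    return path, False

def reachable(tables, src_node, src_ip, dst_node, dst_ip):
    """Two-way check: a session needs the forward AND the return path to route."""
    fwd, ok_fwd = trace(tables, src_node, ipaddress.ip_address(dst_ip))
    rev, ok_rev = trace(tables, dst_node, ipaddress.ip_address(src_ip))
    return ok_fwd and ok_rev, fwd, rev

if __name__ == "__main__":
    for step1 in (False, True):
        ok, fwd, rev = reachable(build_tables(step1), "rw", "10.8.0.5", "pfB", "10.20.0.10")
        print(f"RW net in pfSense B Remote Networks: {step1} -> reachable={ok}")
        print("  forward:", " -> ".join(fwd), " return:", " -> ".join(rev))
```

    Routes alone are not enough on pfSense: the OpenVPN-tab firewall rules on both boxes must still pass the road-warrior and LAN B subnets, as the posts above note.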

