OpenVPN Routing Issue/Question


  • Here is the scenario. We have 2 physical locations that are connected via an IPsec VPN. The main location hosts most of the stuff, but there is stuff at the other location. The main location uses pfSense, the remote uses Watchguard. What I need to do is have users VPN (using OpenVPN) to the main location and be able to allow access to the remote.

    OpenVPN is set up and works great…for the network attached to pfSense, but will not pass traffic (and I don't see anything in the logs either) to the other network.

    Main Location:
    PFSENSE
    172.16.0.0/16 Network

    Remote:
    Watchguard
    172.17.0.0/24 Network

    PFSENSE RULES
    OpenVPN rules (for testing): Allow any IPv4 traffic to Any destination

    OpenVPN Server Setup:
    RADIUS Auth (which works fine)
    IPv4 Tunnel Network: 192.168.16.0/24
    IPv4 Local Network/s: 172.16.0.0/16,172.17.0.0/24
    Advanced: push "route 172.17.0.0 255.255.255.0" (have tried with and without this)

    Any help would be awesome! Nothing has been configured on the Watchguard (remote site), but I don't actually see the traffic hitting the Watchguard traffic monitor either.

    Thanks

  • LAYER 8 Netgate

    You need to add another phase 2 entry to your IPsec tunnel for the 192.168.16.0/24 <-> 172.17.0.0/24.

    Reference the screen shot and the diagram in my signature for the entry necessary on pfSense C to allow pfSense C LAN to communicate with the OpenVPN Remote Access clients on pfSense A.

    ![Screen Shot 2014-11-30 at 10.29.44 AM.png](/public/imported_attachments/1/Screen Shot 2014-11-30 at 10.29.44 AM.png)


  • I will try that. I NEVER would've thought of that. I created a second tunnel on the Watchguard that is a duplicate of the first working one (with the proper IP changes, of course) and no luck. I'm in the process of rebooting the Watchguard as it's funny when it authenticates IPsec stuff sometimes. Also, rebooting the Watchguard always seems to magically fix stuff haha!


  • You need to do 2 things:

    • Route the remote LAN (172.17.0.0/24) down the OpenVPN tunnel… i.e. add push "route 172.17.0.0 255.255.255.0" to your advanced config or add 172.17.0.0/24 to the IPv4 Local Network section (personally I like this option)

    • Need to add a return route for the OpenVPN tunnel network to the IPsec tunnel… i.e. add a second phase 2 entry for 192.168.16.0/24  (I believe the key here is to add an entry to both ends)
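
As an added illustration of the two steps above (this is example code written for this page, not code from the thread, from pfSense or from OpenVPN), the following Python model walks a packet from an OpenVPN client to the remote LAN and back, checking the three things that have to line up: the client needs a pushed route for 172.17.0.0/24, pfSense needs a phase 2 whose selectors cover the OpenVPN tunnel network to the remote LAN, and the Watchguard needs the mirror-image phase 2 for the reply. The networks are the ones stated in the original post; the client address 192.168.16.5 and the hosts 172.17.0.10 and 172.16.1.10 are made up for the example. It also models the point in the final post that a phase 2 (child SA) only comes up once traffic actually matches it.

```python
import ipaddress
from dataclasses import dataclass

# Networks taken from the original post.
OVPN_TUNNEL = ipaddress.ip_network("192.168.16.0/24")  # OpenVPN remote-access clients
MAIN_LAN = ipaddress.ip_network("172.16.0.0/16")       # behind pfSense
REMOTE_LAN = ipaddress.ip_network("172.17.0.0/24")     # behind the Watchguard


@dataclass
class Phase2:
    """One IPsec phase 2 (child SA) selector pair, written from its own end's view."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    up: bool = False  # negotiated only when interesting traffic hits the selectors

    def covers(self, src, dst):
        return src in self.local and dst in self.remote


def push_lines(local_networks):
    """The push lines pfSense generates for the 'IPv4 Local Network/s' field.
    Listing the network there is equivalent to the manual push "route ..." line."""
    return [f'push "route {n.network_address} {n.netmask}"' for n in local_networks]


def trace(client_ip, dst_ip, pushed_networks, pfsense_p2, watchguard_p2):
    """Follow one packet from an OpenVPN client to dst and its reply.
    Returns a list of reasons it would fail; an empty list means it gets through."""
    src = ipaddress.ip_address(client_ip)
    dst = ipaddress.ip_address(dst_ip)
    problems = []

    # Step 1 (client side): without a pushed route the packet never enters tun.
    if not any(dst in n for n in pushed_networks):
        problems.append(f"client has no route for {dst} via the OpenVPN tunnel")

    # Destinations on the pfSense LAN are delivered locally; no IPsec involved.
    if dst in MAIN_LAN:
        return problems

    # Step 2 (pfSense side): a phase 2 must match src->dst or the packet is
    # routed out the WAN unencrypted (or dropped), never reaching the Watchguard.
    fwd = next((p for p in pfsense_p2 if p.covers(src, dst)), None)
    if fwd is None:
        problems.append(f"pfSense has no phase 2 covering {src} -> {dst}")
    else:
        fwd.up = True  # first matching packet triggers the child SA negotiation

    # Step 2 (Watchguard side): the remote end needs the mirror-image selectors
    # both to accept the negotiation and to route the reply back into the tunnel.
    rev = next((p for p in watchguard_p2 if p.covers(dst, src)), None)
    if rev is None:
        problems.append(f"Watchguard has no phase 2 covering {dst} -> {src}")
    else:
        rev.up = True
    return problems


def scenario(add_second_phase2, dst_ip="172.17.0.10"):
    """Original setup (one phase 2, remote LAN pushed) vs. the fix (second phase 2 on both ends)."""
    pfsense = [Phase2(MAIN_LAN, REMOTE_LAN)]
    watchguard = [Phase2(REMOTE_LAN, MAIN_LAN)]
    if add_second_phase2:
        pfsense.append(Phase2(OVPN_TUNNEL, REMOTE_LAN))
        watchguard.append(Phase2(REMOTE_LAN, OVPN_TUNNEL))
    pushed = [MAIN_LAN, REMOTE_LAN]  # the poster's 'IPv4 Local Network/s' value
    problems = trace("192.168.16.5", dst_ip, pushed, pfsense, watchguard)
    return {"problems": problems, "sa_up": [p.up for p in pfsense]}


if __name__ == "__main__":
    for line in push_lines([MAIN_LAN, REMOTE_LAN]):
        print(line)
    print("to pfSense LAN, as posted :", scenario(False, "172.16.1.10"))
    print("to remote LAN, as posted  :", scenario(False))
    print("to remote LAN, with fix   :", scenario(True))
```

Running it shows why the poster saw nothing at either end: the pushed route gets the packet to pfSense, but no phase 2 selector matches 192.168.16.x, so it never enters IPsec. With the second phase 2 on both firewalls the trace is clean, and only that new child SA is marked up, which matches the final post: the original 172.16/16 to 172.17/24 SA is untouched, and the new one is not negotiated until an OpenVPN client actually sends something to a 172.17 host.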


  • @marvosa:

    You need to do 2 things:

    • Route the remote LAN (172.17.0.0/24) down the OpenVPN tunnel… i.e. add push "route 172.17.0.0 255.255.255.0" to your advanced config or add 172.17.0.0/24 to the IPv4 Local Network section (personally I like this option)

    • Need to add a return route for the OpenVPN tunnel network to the IPsec tunnel… i.e. add a second phase 2 entry for 192.168.16.0/24  (I believe the key here is to add an entry to both ends)

    Thanks for your reply; however, the post above yours suggested that already, and I have indicated that I have done step 1 at this point :)

    All in all, everything is working now.

    Thanks for the reply Derelict, you really helped me out a bunch!


  • Yes, I noticed you already tried adding the push route, but you also stated "(have tried with and without this)", which left it unclear whether the command was still there, so I figured I'd just throw it out there just in case.

    Just out of curiosity, in your second-to-last post you stated changes were made, but it still wasn't working… then your last post states everything is working, but with no explanation... can you give us some feedback on what finally fixed your issue?


  • I needed to login to the VPN and ping a 172.17 host for the tunnel to be established.