What route to add ?

nicolasfo

Hello there,

Let's say :

• Machine on the main site is called A
• Machine on the remote site is called B
• There's an OpenVPN server on the main site
• There's a PFSense firewall on the remote site wich connects to the main site using OpenVPN
• A has 192.168.0.0/24 as subnet
• B has 192.168.1.0/24 as subnet
• PFSense has 192.168.1.1 as IP
• OpenVPN server has 192.168.0.2 as IP
• OpenVPN subnet is 172.27.240.0/20

For the moment, B is able to ping and transfert data to A. It's logic because B has as gateway the same machine wich connects to the main site via OpenVPN.
A is unable to find, ping and transfert data to B beacause (I think) I don't mention routes to reach the other sub-network.

I try to set differentes routes in A but it dosent work.

What route must I set to A to able it to "see" B ?

Thanks

Nicolas

viragomann

Is the server set up to "Peer to Peer" mode? If so you have to enter your sites B subnet(s) you want to access from A in the "IPv4 Remote Network/s" field on server configuration tab.
Furthermore, you need a rule at Bs OpenVPN client interface to allow access from A.

nicolasfo

Hello,

The OpenVPN server is an Access Server. I use it to connect remote colleagues.

I don't know if I was clear  :( :

I can acces to site A (main site hosting OpenVPN server) from site B (external site hosting PFSense firewall).
I can't access to site B (external site hosting PFSense firewall) from site A (main site hosting OpenVPN server)

PFsense client can access to the server subnet. Server subnet can't access to the client subnet

Thanks

Nicolas

viragomann

I would recommend to set up an additional distinct server for site to site. It's much easier to configure and to match your goal.

If you want to do it with an access server anyway you have to add an interface for OVPN, add a gateway to this interface with the OVPN servers IP and then add a static route to site Bs subnet over it.
Furhter rules on the new VPN interface will be necessary to allow access.

nicolasfo

You're right, it would be better, unfortunately, I can't install a PFsense machine in the subnet A (the main site).  :'(

You wrote :

If you want to do it with an access server anyway you have to add an interface for OVPN, add a gateway to this interface with the OVPN servers IP and then add a static route to site Bs subnet over it.
Furhter rules on the new VPN interface will be necessary to allow access.

Must I do this on PFSense firewall ?

I read this FAQ part Including multiple machines on the client side when using a routed VPN (dev tun).

I think it's what I need but it dosen't work. Do you confirm ?

Thanks

Nicolas

viragomann

You may run an additional OVPN server on site A listening on another port for site to site. Why not?

I have 4 servers running on one machine.

nicolasfo

I thought to this idea, but it's crappy, no ?  :-\

I've followed this howto wich fits prefectly to my needs but same problem.

Site B can't access to site A.

I think it's a OpenVPN server firewall/forwarding issue…

Any idea ?

Thanks

EDIT : I precise that the OVPN server situated in the site A pings well the site B.
I set as gateway on clients on site A the OVPN server.