Netgate Discussion Forum
    OpenVPN client routing to site to site vpn

    Scheduled Pinned Locked Moved OpenVPN
    3 Posts 3 Posters 1.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    sykotex

      Hi
      I have a LAN site (192.168.1.0/24), a site-to-site OpenVPN set up to a remote site (192.168.10.0/24), and a client OpenVPN setup.
      The clients are not able to access any hosts set up on the remote site across the site-to-site VPN subnet (192.168.10.0/24).
      I have tried adding the 192.168.10.0/24 alongside the local LAN on the OpenVPN client "IPv4 Local Network/s", but I still cannot access the subnet on the site-to-site VPN side.
      I also tried forwarding ports from the main site's router to the site-to-site remote subnet, and this does not work.

      How do I get the clients to be able to connect to the hosts on the remote site to site vpn?

      Or how can I forward ports through the vpn to the remote site?

      Many thanks

      Derelict (Netgate)

        You also have to push a route for the remote clients to the remote site-to-site.

        Look at the diagram in my sig.

        It sounds like you want Remote Access clients to be able to connect to assets on pfSense B LAN and possibly vice versa.

        You can trace the connection flow. Everywhere traffic is sent out, there has to be a route for the ultimate destination. This applies in both directions.

        Everywhere a connection ENTERS a pfSense node, there has to be a firewall rule passing the traffic.

        For the Remote Access clients to be able to establish connections to pfSense B LAN assets, there has to be a firewall rule permitting that traffic on pfSense A's OVPNS3 tab, and pfSense B's OVPNC1 tab.

        For pfSense B LAN hosts to be able to establish connections to Remote Access assets, there has to be a firewall rule permitting that traffic on pfSense A's OVPNS1 tab and nothing in the OpenVPN settings or on the host itself on the Remote Access clients blocking the inbound connection.

        If you don't use OpenVPN assigned interfaces, then simply use each pfSense's OpenVPN tab.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        phil.davis

          On LAN site "road warrior" OpenVPN server in Local Network/s you need to list all the networks that are available to the road warrior clients through the OpenVPN server - the local LAN and the LAN subnet at remote site.

          On LAN end site-to-site OpenVPN, put LAN subnet and road warrior tunnel subnet in Local Network/s. Put remote subnet in Remote Network/s.

          On the remote end site-to-site OpenVPN, put Local and Remote the other way around.
          (On some ends there will only be a Local or Remote box available - fill in what is there.)

          Make sure you have pass rules for traffic arriving at every interface, like Derelict says.

          Use traceroute and packet capture to find out where the traffic reaches, stops or deviates from the expected path.

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
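As an added example (not from the thread, and not pfSense's own code), the rule from the replies that every hop needs a route for the ultimate destination in both directions, modelled in Python over the subnets from the question. The tunnel subnets 10.0.8.0/24 and 10.0.9.0/30 and the node names are assumptions.

```python
import ipaddress

# Constructed topology for the thread's scenario. The LAN subnets are the ones
# given in the question; the tunnel subnets are assumptions (not stated there).
RA_TUNNEL = "10.0.8.0/24"    # road-warrior tunnel on pfSense A (assumed)
S2S_TUNNEL = "10.0.9.0/30"   # site-to-site tunnel A <-> B (assumed)
SITE_A_LAN = "192.168.1.0/24"
SITE_B_LAN = "192.168.10.0/24"

def base_tables():
    """Routing table per node as (destination network, next hop); 'local' means
    directly attached. This is the broken state described in the question."""
    return {
        "ra_client": [(RA_TUNNEL, "local"), (SITE_A_LAN, "pfsense_a")],
        "pfsense_a": [(RA_TUNNEL, "local"), (SITE_A_LAN, "local"),
                      (S2S_TUNNEL, "local"), (SITE_B_LAN, "pfsense_b")],
        "pfsense_b": [(S2S_TUNNEL, "local"), (SITE_B_LAN, "local"),
                      (SITE_A_LAN, "pfsense_a")],
        "host_b": [(SITE_B_LAN, "local"), ("0.0.0.0/0", "pfsense_b")],
    }

def next_hop(table, dst):
    """Longest-prefix match over one node's table; None when no route exists."""
    best = None
    for net, hop in table:
        n = ipaddress.ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, hop)
    return best[1] if best else None

def trace(tables, src, dst_ip, max_hops=8):
    """Follow the path from src towards dst_ip. Returns (reached, hops); the
    last hop is the node that delivered locally or the node missing a route."""
    dst = ipaddress.ip_address(dst_ip)
    node, hops = src, [src]
    for _ in range(max_hops):
        hop = next_hop(tables[node], dst)
        if hop is None:
            return False, hops
        if hop == "local":
            return True, hops
        node = hop
        hops.append(node)
    return False, hops

def apply_thread_fix(tables):
    """What the replies add: push SITE_B_LAN to road-warrior clients (Local
    Network/s on the RA server) and give pfSense B a return route for the
    road-warrior tunnel (tunnel subnet in Local Network/s on the A side)."""
    tables["ra_client"].append((SITE_B_LAN, "pfsense_a"))
    tables["pfsense_b"].append((RA_TUNNEL, "pfsense_a"))
    return tables
```

Firewall pass rules on every interface the traffic enters are a separate requirement that this routing model does not cover.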

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.