OpenVPN client routing to site to site vpn



  • Hi
    I have a LAN site (192.168.1.0/24) and a site-to-site OpenVPN set up to a remote site (192.168.10.0/24) and a client OpenVPN setup.
    The clients are not able to access any hosts set up on the remote site across the site to site vpn subnet (192.168.10.0/24).
    I have tried adding the (192.168.10.0/24) alongside the local LAN on the OpenVPN client "IPv4 Local Network/s" but I still cannot access the subnet on the site-to-site VPN side.
    I also tried forwarding ports from the main sites router to the site to site remote subnet and this does not work.

    How do I get the clients to be able to connect to the hosts on the remote site to site vpn?

    Or how can I forward ports through the vpn to the remote site?

    Many thanks


  • LAYER 8 Netgate

    You also have to push a route for the remote clients to the remote site-to-site.

    Look at the diagram in my sig.

    It sounds like you want Remote Access clients to be able to connect to assets on pfSense B LAN and possibly vice versa.

    You can trace the connection flow.  Everywhere traffic is sent out, there has to be a route for the ultimate destination.  This applies in both directions.

    Everywhere a connection ENTERS a pfSense node, there has to be a firewall rule passing the traffic.

    For the Remote Access clients to be able to establish connections to pfSense B LAN assets, there has to be a firewall rule permitting that traffic on pfSense A's OVPNS3 tab, and pfSense B's OVPNC1 tab.

    For pfSense B LAN hosts to be able to establish connections to Remote Access assets, there has to be a firewall rule permitting that traffic on pfSense A's OVPNS1 tab and nothing in the OpenVPN settings or on the host itself on the Remote Access clients blocking the inbound connection.

    If you don't use OpenVPN assigned interfaces, then simply each pfSense's OpenVPN tab.



  • On LAN site "road warrior" OpenVPN server in Local Network/s you need to list all the networks that are available to the road warrior clients through the OpenVPN server - the local LAN and the LAN subnet at remote site.

    On LAN end site-to-site OpenVPN, put LAN subnet and road warrior tunnel subnet in Local Network/s. Put remote subnet in Remote Network/s.

    On remote end site-to-site OpenVPN put Local and Remote the other way around.
    (on some ends there will only be a Local or Remote box available - fill in what is there)

    Make sure you have pass rules for traffic arriving at every interface, like Derelict says.

    Use traceroute and packet capture to find out where the traffic reaches, stops or deviates from the expected path.
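    As an added illustration (not a config from either poster), here is roughly what the three OpenVPN instances described in the two replies above boil down to once the GUI fields are turned into OpenVPN directives, using the thread's subnets (192.168.1.0/24 at site A, 192.168.10.0/24 at site B). The road-warrior tunnel network 10.8.0.0/24, the site-to-site tunnel addresses 10.9.0.1/10.9.0.2 and the hostname pfsense-a.example are assumptions, since the thread does not give them.

    ```conf
    # ---- pfSense A: Remote Access ("road warrior") server ----
    # GUI: IPv4 Tunnel Network = 10.8.0.0/24 (assumed value)
    server 10.8.0.0 255.255.255.0
    # GUI: IPv4 Local Network/s = 192.168.1.0/24, 192.168.10.0/24
    # Both become pushed routes so the client sends site B traffic into the tunnel.
    push "route 192.168.1.0 255.255.255.0"
    push "route 192.168.10.0 255.255.255.0"

    # ---- pfSense A: site-to-site server (Peer to Peer, shared key) ----
    dev tun
    ifconfig 10.9.0.1 10.9.0.2           # assumed p2p tunnel addresses
    secret static.key
    # GUI: IPv4 Remote Network/s = 192.168.10.0/24
    # Route on A for site B's LAN, pointing into the site-to-site tunnel.
    route 192.168.10.0 255.255.255.0
    # In SSL/TLS server mode the same network also needs an
    # "iroute 192.168.10.0 255.255.255.0" in a Client Specific Override.

    # ---- pfSense B: site-to-site client (Peer to Peer, shared key) ----
    dev tun
    remote pfsense-a.example 1194        # assumed hostname/port
    ifconfig 10.9.0.2 10.9.0.1
    secret static.key
    # GUI: IPv4 Remote Network/s = 192.168.1.0/24, 10.8.0.0/24
    # The second route is the return path: without it, replies to
    # road-warrior clients leave B via its default gateway and are lost.
    route 192.168.1.0 255.255.255.0
    route 10.8.0.0 255.255.255.0
    ```

    What the thread calls "Local Network/s" on one end of the site-to-site link is what the other end needs as "Remote Network/s", which is why the third reply says to fill them in the other way around on pfSense B. None of this replaces the firewall side: each of these instances still needs a pass rule on its OpenVPN (or assigned) interface tab for the traffic to be allowed in, and `traceroute` from a road-warrior client plus a packet capture on the OpenVPN interfaces of A and B will show at which hop the route or the rule is missing.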

