Two OpenVPN servers: road warriors cannot contact s2s
-
Hi all,
I'm having some trouble configuring my OpenVPN on pfSense. It's quite similar to this topic, but not exactly the same though.
I have my pfSense configured with two OpenVPN servers: one for s2s and one for road warriors. Now individually they all work properly. There are three other sites which connect over the internet to my pfSense box (in the cloud). My pfSense LAN is 172.16.1.200 (/24) and my sites have 172.16.11.200, .21.200 and .31.200, all /24. As said, it works as it should. Routes are set up through ccd. Internet is not routed with this VPN. This OpenVPN utilizes 10.4.0.0/24.
Besides the s2s, I have the road warriors. Mobile clients should connect to the cloud. In this case, all traffic is routed (redirect gateway). This OpenVPN uses 10.8.0.0/24. Internet works properly on this device and I'm also able to contact the cloud server.
The problem, however, is that I cannot contact one of the sites from a road warrior client. I don't know what is causing this. I assume that all traffic is routed through the pfSense box as I have redirect gateway enabled. The log files seem to confirm this. To make sure the firewall is not the problem, I have created a couple of test rules that allow all traffic from or to both OpenVPN instances and let them log their actions. When I check the log files I see this, which is when I want to visit the HTTPS interface of the site1 router.
pass/1432064064 May 20 07:20:48 OVPNS1 10.8.0.6:41659 172.16.11.200:443 TCP:S
pass/1432064064 May 20 07:20:48 Direction=OUT OVPNS0 10.8.0.6:41659 172.16.11.200:443 TCP:S
It does not load, however, and I get a timeout after 4 minutes. The routing table in pfSense looks fine and I'm able to ping this 172.16.11.200 from the diagnostics ping function.
Does anyone have a clue where I can find the solution?
Kind regards,
Dennis -
I painted an image for you folks ::)
So the trouble is connecting from ovpns1 to ovpns0.
Kind regards,
Dennis -
Hi,
as the log shows, the packets are passed out the OVPNS0 interface. However, I think the response from 172.16.11.200 doesn't know how to get back to 10.8.0.6.
Enter the road warriors' tunnel network 10.8.0.0/24 in the "Local Network(s)" field on the S2S configuration tab to get the route to this network pushed to the OVPNS0 clients. -
Thank you for your response! Sometimes a solution is really simple but you just forget to think about it. Great that a forum like this has other users who are experienced and who can give you the right tips. You made my day, it all works flawlessly! ;D
Kind regards,
Dennis
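For readers hitting the same thing, here is what the fix in the thread boils down to at the OpenVPN directive level. This is a constructed illustration, not the thread's own config and not what pfSense literally writes to disk; the ccd path and the "site1" common name are placeholders, and the addressing follows the thread (s2s tunnel 10.4.0.0/24, road warrior tunnel 10.8.0.0/24, cloud LAN 172.16.1.0/24, site1 LAN 172.16.11.0/24).

```conf
# Site-to-site server instance (OVPNS0) on the cloud pfSense box.
# Constructed example; pfSense generates the equivalent of these lines
# from its GUI fields.
dev ovpns0
server 10.4.0.0 255.255.255.0

# Server-side routes into each site; each site's ccd file carries the
# matching iroute so OpenVPN knows which client owns which LAN.
client-config-dir /path/to/ccd        # placeholder path
route 172.16.11.0 255.255.255.0
route 172.16.21.0 255.255.255.0
route 172.16.31.0 255.255.255.0

# "Local Network(s)" BEFORE the fix: only the cloud LAN is pushed, so a
# site router has no route for 10.8.0.0/24 and its replies to a road
# warrior (10.8.0.6) leave via its default gateway instead of the tunnel.
push "route 172.16.1.0 255.255.255.0"

# "Local Network(s)" AFTER the fix: the road warrior tunnel network is
# pushed as well, so every site learns to send 10.8.0.0/24 back through
# the s2s tunnel and the return path to 10.8.0.6 exists.
push "route 10.8.0.0 255.255.255.0"
```

```conf
# ccd/site1 (placeholder common name): tells the server that the
# 172.16.11.0/24 LAN sits behind this particular client.
iroute 172.16.11.0 255.255.255.0
```

The road warrior instance (OVPNS1) needs no change for this: its redirect-gateway already sends 172.16.11.0/24 to the cloud box, and the missing piece was only the return route on the site side.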