Access LAN behind OpenVPN client
-
@Derelict, the point is that I want to allow access only to that specific server using a host route.
Why do you think, from a technical point of view, that is wrong?
Thanks
-
There are far too many variables in play and too little information to make a guess. If it were me, I would push the /24 to the clients and limit what they can access using firewall rules on the OpenVPN tab/interface. That way, as policies change, you're not mucking about in your OpenVPN server config and are just adding/moving/changing firewall rules.
-
As said above, use firewall rules on the OpenVPN tab, do not mess with remote networks.
-
Guys, I really appreciate the input, however that /32 route is not the issue. The /24 route that pfSense is supposed to install on itself pointing to the LAN behind the Mikrotik client is the issue.
Any thoughts on that?
-
Sigh. pfSense has NO /24 route to install. You replaced that with the /32 nonsense. Then there's also this /30 nonsense. Just what are you trying to do there?
-
LE: my bad, I've accidentally switched the pictures. I've just corrected them in the initial post. Sorry once again
-
Why doesn't the CSC tunnel network match the tunnel network configured on the server? Just checked on 3 sites and this "just works" when you do things consistently. Like:
- topology set to subnet in OpenVPN Server settings, instead of the horrible net30 thing.
- no /30 anywhere in CSC
- no /32 anywhere at all
- use matching subnets across the client and server
- use firewall rules to limit access
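-
The consistent layout listed above, as an added example in plain OpenVPN directive form (not a configuration posted by anyone in this thread); pfSense generates the equivalent lines from its GUI fields. The tunnel prefix 10.8.0.0/24, the LAN 192.168.10.0/24 behind the Mikrotik client, the pfSense LAN 192.168.1.0/24, the client CN and the ccd path are all assumed placeholders.

```conf
# ---- server side (pfSense, Server Mode "Peer to Peer (SSL/TLS)") ----
dev tun
topology subnet                      # all clients share one /24; no per-client /30 pairs (net30)
server 10.8.0.0 255.255.255.0        # "IPv4 Tunnel Network": pool for clients, no /30 or /32 anywhere
client-config-dir /etc/openvpn/ccd   # pfSense manages this directory from the CSC tab (path assumed)

# "IPv4 Local network(s)": the whole pfSense LAN is pushed to the clients.
# Access to a single server on that LAN is then limited with firewall rules on the
# OpenVPN tab, not by narrowing this to a /32 host route.
push "route 192.168.1.0 255.255.255.0"

# "IPv4 Remote network(s)" on the server: kernel route on pfSense toward the LAN behind the
# Mikrotik client. On its own it only sends packets into the tunnel interface; OpenVPN still
# needs an iroute (below) to know which client session owns that /24.
route 192.168.10.0 255.255.255.0

# ---- server side, file ccd/mikrotik-site1 (CSC for the client with certificate CN "mikrotik-site1") ----
# "IPv4 Remote Network/s" in the CSC: internal OpenVPN routing, maps the /24 to this client.
# Must match the "route" above exactly, or traffic for that LAN is dropped inside OpenVPN.
iroute 192.168.10.0 255.255.255.0
# Optional fixed tunnel address for this client, taken from the SAME /24 as the server's
# tunnel network (a /30 from a different prefix here is the mismatch noted above).
# With topology subnet the second argument is the netmask, not a peer address.
ifconfig-push 10.8.0.250 255.255.255.0

# ---- client side (Mikrotik, shown as plain OpenVPN directives) ----
client
dev tun
remote pfsense.example.net 1194      # placeholder hostname and port
# No tunnel network or /30 configured here: address and routes come from the server push.
```

A quick check on pfSense after the client connects: the routing table should show 192.168.10.0/24 via the OpenVPN interface, and the OpenVPN status page should list 192.168.10.0/24 as a route for the mikrotik-site1 session; if the first is present and the second is missing, the CSC iroute is the part that is wrong.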
-
Because I would like to allocate specific /30 prefixes for specific clients.
-
Because I would like to allocate specific /30 prefixes for specific clients.
That's what's done by default with topology net30 in the server settings (generally a horrible thing, and I cannot see how that's desirable for the goal you want, at all…)
-
however that /32 route is not the issue.
If you know what the issue is (or is not), why are you here asking for help?
-
Also, if you are trying to make your life a real pain by emulating some wannabe static DHCP in OpenVPN, the CSC should allocate /30 at the end of the /24 pool. Not from the beginning! Plus, limit the number of allowed connections so that they are not assigned to someone else anyway.
Finally, those tunnels must be "Peer To Peer", not Remote Access (good that we have a ~4K resolution screenshot with half of the settings missing. ::))
-
OK, so we've finally come to a conclusion: I missed the "peer to peer" vs "remote access" configuration, but now that you guys mentioned it, it makes perfect sense. I'll try to see what I can do and post my findings here, should anyone be interested.
On a more general topic, @doktornotor, I really appreciate your suggestions and technical feedback (although I don't agree with some of them, you have a fair technical point / concern). What I didn't appreciate that much was the tone and the little sarcasm, which I think could have been avoided.
Thanks