Netgate Discussion Forum

    Two OpenVPN Services, site2site and client
efeu wrote:

Hi,

first my current situation:

Box A:
LAN Subnet 192.168.1.0/24
Site2site OVPN Server 10.0.8.0/30
User OVPN Server 10.8.8.0/24 listening on a different port

Box B:
LAN Subnet 192.168.0.0/24
Site2site OVPN Client

All my computers behind Box A can reach the computers behind Box B and the other way round, so the site2site OVPN does work.

If I connect from somewhere to my user OVPN service I can reach everything in the Box A Subnet, but I can't reach the Subnet of Box B.

What do I have to do so that the User OVPN Service lets me reach the Subnet of Box B?

Regards!
MontanaIce wrote:

I registered today just to ask a very similar question to the above. Here is my setup with the exact same problem. A user VPNing to Site B cannot access any network resources on site A. I'm piggybacking onto this thread in hopes that answers here will help both OP and me.
marvosa wrote:

In order for your road warrior clients on Box A to reach the subnet behind Box B, you have to do two things:

• Push 192.168.0.0/24 to your clients

• Add a return route for the road warrior tunnel network (10.8.8.0/24) to the config on Box B

Once done, your clients now know that 192.168.0.0/24 should be routed over the tunnel and Box B now knows that replies to traffic sourced from 10.8.8.0/24 will get routed over the tunnel as well.
marvosa wrote:

MontanaIce, same answer with different subnets and different sites:

• Push 10.5.0.0/16 to your clients

• Add a return route for the road warrior tunnel network (172.16.4.0/24) to Site A

Just to clarify, this can all be done in the config on both ends.
MontanaIce wrote:

Your reply is much appreciated. Unfortunately, I am still stuck somewhere.

On my OpenVPN user server at site B, where the road warriors are connecting to, I have the custom option push "route 10.5.0.0 255.255.0.0". On the Site A 10.5.0.0 pfSense box, I have a static route with destination network 172.16.4.0/24 and the gateway set to the pfSense's external IP.

Did I do it backwards or something? :)
MontanaIce wrote:

Figured it out. I was supposed to add push 172.16.4.0 255.255.0.0 to the Site-to-Site OpenVPN network settings on Site B, not in the system's routing settings.

Hitting the Thanks button on your replies. :)
marvosa wrote:

MontanaIce, glad it's working! Just wanted to point out that no manual advanced settings or static routes were required though... if you put the relevant info into the GUI, the correct OpenVPN configuration statements are automatically generated. E.g.:

• Push 10.5.0.0/16 to your clients: this can be added to the server config in the GUI under "IPv4 Local Network/s"

• Add a return route for the road warrior tunnel network (172.16.4.0/24) to Site A: this can be added to the client config in the GUI under "IPv4 Remote Network/s"

This will keep everything "cleaner" and within the OpenVPN config. It will also be helpful if you ever need to analyse your .conf files and/or GUI options. Also, while it's working, I don't think you want a static route to the external IP... I would add the relevant info to the GUI and let pfSense generate the correct directives.
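To make the two-step answer concrete (marvosa's "push the remote LAN, add a return route" above, and the GUI field mapping in the last reply), here is an added example, not posted by anyone in the thread, of the OpenVPN directives that pfSense generates from those GUI fields, using efeu's addressing (Box A: LAN 192.168.1.0/24, road-warrior tunnel 10.8.8.0/24, site-to-site tunnel 10.0.8.0/30; Box B: LAN 192.168.0.0/24). Only the routing-related lines are shown; certificate, cipher and port directives are omitted, and the assumption that the site-to-site link is a shared-key tunnel with a /30 (hence the `ifconfig` lines) is mine.

```conf
# Added example (not from the thread). Fragments of the pfSense-generated
# OpenVPN configs for efeu's topology; only routing lines are shown.

# --- Box A: road-warrior server (10.8.8.0/24) ---
# GUI "IPv4 Local Network/s" = 192.168.1.0/24, 192.168.0.0/24
# The second entry is the new one: each network listed here becomes a
# push "route" to every connecting road-warrior client.
server 10.8.8.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"

# --- Box A: site-to-site server (10.0.8.0/30), assumed shared-key tunnel ---
# GUI "IPv4 Remote Network/s" = 192.168.0.0/24 (already present, since
# the site-to-site link works). Nothing new is needed on this side:
# 10.8.8.0/24 is Box A's own tunnel network, so Box A already routes it.
ifconfig 10.0.8.1 10.0.8.2
route 192.168.0.0 255.255.255.0

# --- Box B: site-to-site client ---
# GUI "IPv4 Remote Network/s" = 192.168.1.0/24, 10.8.8.0/24
# The second entry is the return route marvosa describes: replies from
# Box B's LAN to 10.8.8.x now enter the tunnel instead of the default route.
ifconfig 10.0.8.2 10.0.8.1
route 192.168.1.0 255.255.255.0
route 10.8.8.0 255.255.255.0
```

To check the result, confirm on Box B (Diagnostics > Routes in the pfSense GUI, or `netstat -rn` from a shell) that 10.8.8.0/24 points at the OpenVPN client interface rather than the WAN gateway, and on a connected road warrior that 192.168.0.0/24 appears in its routing table via the tunnel. A static route to the other site's external IP, as tried earlier in the thread, sends the return traffic out the WAN instead of into the tunnel, which is why it does not help. Remember that the firewall rules on the OpenVPN tab of both boxes must also pass the traffic between 10.8.8.0/24 and 192.168.0.0/24; the routes alone are not sufficient.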