Two OpenVPN Services, site2site and client



  • Hi,

    first my current situation:

    Box A:
    LAN Subnet 192.168.1.0/24
    Site2site OVPN Server 10.0.8.0/30
    User OVPN Server 10.8.8.0/24 listening on a different port

    Box B:
    LAN Subnet 192.168.0.0/24
    Site2site OVPN Client

    All my computers behind Box A can reach the computers behind Box B and the other way round, so the site2site OVPN does work.

    If i connect from somewhere to my user OVPN service I can reach everything in the Box A Subnet, but I cant reach the Subnet of Box B.

    What do I have to do so that the User OVPN Service let me reach the Subnet of Box B?

    Regards!



  • I registered today just to ask a very similar question to the above. Here is my setup with exact same problem. An user vpning to Site B cannot access any network resources on site A. Im piggybacking onto this thread in hopes that answers here will help both OP and me.



  • In order for your road warrior clients on Box A to reach the subnet behind Box B, you have to do two things:

    • Push 192.168.0.0/24 to your clients

    • Add a return route for the road warrior tunnel network (10.8.8.0/24) to the config on Box B

    Once done, your clients now know that 192.168.0.0/24 should be routed over the tunnel and Box B now knows that replies to traffic sourced from 10.8.8.0/24 will get routed over the tunnel as well.



  • MontanaIce, same answer with different subnets and different sites:

    • Push 10.5.0.0/16 to your clients

    • Add a return route for the road warrior tunnel network (172.16.4.0/24) to Site A

    Just to clarify, this can all done in the config on both ends.



  • Your reply is much appreciated. Unfortunately, I am still stuck somewhere.

    On my OpenVPN user server at site B where the road warriors are connecting to, I have custom option of push "route 10.5.0.0 255.255.0.0".  On the Site A 10.5.0.0 pfSense box, I have static route of destination network 172.16.4.0/24 and the gateway the pfSense's external IP set.

    Did I do it backwards or something?  :)



  • Figured it out. I was supposed to add push 172.16.4.0 255.255.0.0 to the Site-to-Site OpenVPN network settings on Site B not in the system's routing settings.

    Hitting Thanks button on your replies. :)



  • MontanaIce, Glad it's working!  Just wanted to point out that no manual advanced settings or static routes were required though…. if you put the relevant info into the GUI, the correct openvpn configuration statements are automatically generated.  e.g.:

    Push 10.5.0.0/16 to your clients

    This can be added to the server config in the GUI under "IPv4 Local Network/s"

    Add a return route for the road warrior tunnel network (172.16.4.0/24) to Site A

    This can be added to the client config in the GUI under "IPv4 Remote Network/s"

    This will keep everything "cleaner" and within the openvpn config.  It will also be helpful if you ever need to analyse your .conf files and/or GUI options.  Also, while it's working, I don't think you want a static route to the external IP…  I would add the relevant info to the GUI and let PFsense generate the correct directives.