Configure OpenVPN server to route traffic through existing site-to-site OpenVPN
-
I want to route traffic from an OpenVPN server to an existing site-to-site OpenVPN, but cannot figure out how. I have pushed the route to the clients.
ping/tracert 192.168.88.x from the client shows traffic hitting the OpenVPN server at 10.0.9.1, then stopping. I want it routed over the site-to-site vpn.
All firewalls are set up as allow any/any for testing purposes. Here's a primitive diagram of my problem. The blue and green work, but the dotted does not!
-
This looks like a common C->A->B scenario where you're asking for C->B.
It can be done a number of ways, often you need only make sure you push the route for B (192.168.88.0/24) to C via Server A's config.
You could also consider swapping the Server and Client roles for A&B so your setup looks like C->A<-B to centralize the routing issues into A.
That may or may not simplify your situation… Post your A & B server configs and we may be able to help you more.
-
So can clients connected to your pfSense that are not road warriors get to this remote site's network? Can the remote site get to your networks attached to pfSense? Does this remote site know a route back to this 10.0.9/24 tunnel network your road warriors are getting?
-
Thanks for the tips. I cannot reverse the server/client roles because I don't own the 'B' site.
I am pushing the route to C via Server A's config:
I've tried:
- adding the 'B' network to the "IPv4 Local Network/s" section of the 'A' server config (along with the LAN network, comma separated), like this: 192.168.0.0/24,192.168.88.0/24
- adding a push "route 192.168.88.0/24" to the advanced settings of the server at site A
- both of the previous options combined
For any of these configurations, the C site clients' traffic does get routed to the OpenVPN server at Site A when they request IPs in the Site B range, but the traffic never makes it out of Site A.
If I don't use any of those three options, the traffic gets routed out my default GW instead of the VPN, so I know it's working at least on the client 'C' side.
The problem is when it reaches site 'A' it dies.
-
-
If you cannot change the config at the B site, you can get access if you do NAT at A.
To do so you have to assign an interface to the VPN client and to the VPN server, if you haven't done so already.
In site A's client settings add the remote subnet 192.168.88.0/24 to "IPv4 Remote Network/s", and in the server settings add it to "IPv4 Local Network/s".
Go to Outbound NAT. If it is set to "automatic rule generation", select hybrid or manual and hit save.
Add a new rule, select your VPN client interface and leave all the other settings at their defaults, enter a description and save it. Now the source addresses of packets get translated to site A's VPN client address when packets leave pfSense on the VPN interface; as a consequence, responses from B are routed back to site A.
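The same fix expressed as pf rules, as an added example that is not from the thread or from pfSense's generated ruleset. It assumes pfSense's usual interface names (ovpns1 for the road-warrior server, ovpnc1 for the site-to-site client) and the subnets named in the thread.

```pf
# Added example, not from the thread: pf rules equivalent to the GUI steps on
# site A. Assumed interface names: ovpns1 = road-warrior OpenVPN server
# (tunnel 10.0.9.0/24), ovpnc1 = site-to-site OpenVPN client to B.
# Prerequisites that the GUI settings above produce (for reference):
#   - ovpnc1 "IPv4 Remote Network/s" = 192.168.88.0/24 gives the client
#     "route 192.168.88.0 255.255.255.0", so A's kernel forwards B-bound
#     traffic out ovpnc1 and the "nat on ovpnc1" rule below can match it.
#   - ovpns1 "IPv4 Local Network/s" including 192.168.88.0/24 makes the server
#     send push "route 192.168.88.0 255.255.255.0" to the C clients.

# Outbound NAT: rewrite road-warrior source addresses to A's own address on
# the site-to-site tunnel when the packet leaves on ovpnc1. That address sits
# in the tunnel subnet B already has a route for, so replies come back over
# the tunnel even though B has no route to 10.0.9.0/24.
# The GUI default rule is "from any to any"; this version is narrowed to the
# two subnets that actually need translation. (pf requires translation rules
# to precede filter rules.)
nat on ovpnc1 inet from 10.0.9.0/24 to 192.168.88.0/24 -> (ovpnc1)

# The thread runs allow any/any for testing; once that is tightened, this is
# the minimum: accept the traffic arriving from C and let it leave toward B.
pass in quick on ovpns1 inet proto { tcp udp icmp } from 10.0.9.0/24 to 192.168.88.0/24 keep state
pass out quick on ovpnc1 inet from 10.0.9.0/24 to 192.168.88.0/24 keep state
```

On pfSense, `pfctl -sn` shows the loaded translation rules and `pfctl -ss | grep 192.168.88` shows the translated states once a client pings site B.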
-
This worked! Thanks