[Chugalug] site-to-site multi-lan openvpn routing

Matt Keys mk6032 at yahoo.com
Tue Mar 18 11:48:39 UTC 2014


I'm hoping someone more familiar with openvpn advanced options can 
assist. I'm pretty sure it's a minor routing issue. I've tried to follow 
the setup instructions here : 
https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1 
, the difference being I don't want to route traffic destined for the 
internet through the tunnel -- just the inter-lan traffic. I have ..

site A (client)
pfsense 2
  - wan $wanip1
  - lan 192.168.1.0/24
  - opt1 192.168.10.0/24
  - opt2 $wanip2
  - opt3 172.16.1.0/24
  - opt4 172.16.2.0/24

site B (server)
pfsense 2
  - wan $wanip3
  - lan 192.168.20.0/24

I want 192.168.20.0/24 to be able to see 172.16.1.0/24, 172.16.2.0/24, 
192.168.10.0/24, and 192.168.30.0/24 (and vice versa). Don't worry about 
.10 or .30 for now, I'm only concerned with 172.16.1.0/24 and 
172.16.2.0/24 for testing.

When I bring up the tunnel I can ping from a site A pfsense to site B vm 
in the LAN (192.168.20.2 ), but I can't ping through the tunnel from a 
host in site A to a host in site B.

Inversely, site B pfsense doesn't get any responses from site A pfsense 
pings, or through to a host in site A opt3, opt4, or opt1.

Site B is using for openvpn server options ..

ipv4 tunnel network: 192.168.254.0/24
ipv4 local network/s : 192.168.20.0/24
ipv4 remote network/s: 172.16.1.0/24,172.16.2.0/24

under advanced I have "client-to-client"

Site A is using for openvpn client options ..

ipv4 tunnel network: 192.168.254.0/24
ipv4 remote network/s: 172.16.1.0/24,172.16.2.0/24

Under the client specific overrides tab, I have in advanced ..

iroute 172.16.1.0 255.255.255.0;
iroute 172.16.2.0 255.255.255.0

Site B shows in diagnostics -> routes ..

default    wanip3.gw.here    UGS    0    244043    1500    em0
8.8.4.4   wanip3.gw.here    UGHS    0    6258    1500    em0
8.8.8.8    wanip3.gw.here    UGHS    0    214422    1500    em0
127.0.0.1    link#5    UH    0    14251    16384    lo0
172.16.1.0/24    192.168.254.2    UGS    0    6    1500    ovpns1
172.16.2.0/24    192.168.254.2    UGS    0    0    1500    ovpns1
192.168.20.0/24    link#2    U    0    35189    1500    re0
192.168.20.1    link#2    UHS    0    0    16384    lo0
192.168.254.0/24    192.168.254.2    UGS    0    0    1500 ovpns1
192.168.254.1    link#8    UHS    0    0    16384    lo0
192.168.254.2    link#8    UH    0    0    1500    ovpns1
208.67.220.220    wanip3.gw.here    UGHS    0    6245    1500 em0
208.67.222.222    wanip3.gw.here   UGHS    0    6245    1500 em0
wanip3.subnet/29    link#1    U    0    1316630    1500    em0
wanip3    link#1    UHS    0    0    16384    lo0

Firewall rules are all good for both directions. I don't see any drops 
in the pf logs.

Regards,
Matt
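An added example (not part of Matt's message or pfSense's own code) showing the three checks a defender would run on a site-to-site setup like the one described above: parse a pfSense "Diagnostics -> Routes" dump and confirm every expected remote network has a route out of the tunnel interface, flag any "remote network" entry that overlaps a site's own directly connected subnets, and print the plain OpenVPN directives (route / iroute / push "route") that the pfSense fields expand to, so the server config, the client-specific override and the client config can be compared by eye. Site B's route table is embedded verbatim from the post (placeholders such as wanip3.gw.here are skipped as unparseable); Site A's interface list is taken from the post; the CCD file name `siteA` is an assumed placeholder. Run against the settings as posted, the overlap check flags that Site A's client "remote networks" (172.16.1.0/24, 172.16.2.0/24) are also Site A's own opt3 and opt4 subnets.

```python
import ipaddress

# Site B's "Diagnostics -> Routes" output, copied from the post. Lines whose
# destination is a placeholder (default, wanip3...) are skipped by the parser.
SITE_B_ROUTES = """\
default    wanip3.gw.here    UGS    0    244043    1500    em0
8.8.4.4   wanip3.gw.here    UGHS    0    6258    1500    em0
8.8.8.8    wanip3.gw.here    UGHS    0    214422    1500    em0
127.0.0.1    link#5    UH    0    14251    16384    lo0
172.16.1.0/24    192.168.254.2    UGS    0    6    1500    ovpns1
172.16.2.0/24    192.168.254.2    UGS    0    0    1500    ovpns1
192.168.20.0/24    link#2    U    0    35189    1500    re0
192.168.20.1    link#2    UHS    0    0    16384    lo0
192.168.254.0/24    192.168.254.2    UGS    0    0    1500 ovpns1
192.168.254.1    link#8    UHS    0    0    16384    lo0
192.168.254.2    link#8    UH    0    0    1500    ovpns1
wanip3.subnet/29    link#1    U    0    1316630    1500    em0
"""

# Site A's directly connected subnets, from the interface list in the post.
SITE_A_LOCAL = ["192.168.1.0/24", "192.168.10.0/24", "172.16.1.0/24", "172.16.2.0/24"]
# What Site A's client "IPv4 remote network/s" field holds, as posted.
SITE_A_REMOTE_AS_POSTED = ["172.16.1.0/24", "172.16.2.0/24"]


def parse_routes(text):
    """Parse FreeBSD/pfSense 'netstat -rn' style lines into (dest, gateway, flags, iface).
    A bare host entry (no /prefix) becomes a /32; unparseable destinations are dropped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        dest, gateway, flags, iface = fields[0], fields[1], fields[2], fields[-1]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # 'default', 'wanip3.subnet/29' and similar placeholders
        routes.append((net, gateway, flags, iface))
    return routes


def missing_tunnel_routes(route_text, expected_nets, tun_iface):
    """Expected remote networks that have no kernel route out of the tunnel interface."""
    present = {net for net, _, _, iface in parse_routes(route_text) if iface == tun_iface}
    return [n for n in expected_nets if ipaddress.ip_network(n) not in present]


def overlapping_remote_nets(local_nets, remote_nets):
    """'Remote network' entries that overlap the site's own connected subnets.
    A prefix cannot be both directly attached and reached through the tunnel."""
    local = [ipaddress.ip_network(n) for n in local_nets]
    return [r for r in remote_nets if any(ipaddress.ip_network(r).overlaps(l) for l in local)]


def site_to_site_directives(server_lan, client_name, client_lans):
    """The OpenVPN directives the pfSense fields expand to for one client site:
    server.conf 'route' (kernel route into the tun), the client's CCD 'iroute'
    (tells OpenVPN which client owns that prefix) plus a pushed route to the
    server LAN, and the client-side 'route' to the server LAN."""
    def mask(n):
        net = ipaddress.ip_network(n)
        return f"{net.network_address} {net.netmask}"
    server = [f"route {mask(n)}" for n in client_lans]
    ccd = [f"iroute {mask(n)}" for n in client_lans] + [f'push "route {mask(server_lan)}"']
    client = [f"route {mask(server_lan)}"]
    return {"server.conf": server, f"ccd/{client_name}": ccd, "client.conf": client}


if __name__ == "__main__":
    print("Site B missing tunnel routes:",
          missing_tunnel_routes(SITE_B_ROUTES, ["172.16.1.0/24", "172.16.2.0/24"], "ovpns1"))
    print("Site A remote nets that are really local:",
          overlapping_remote_nets(SITE_A_LOCAL, SITE_A_REMOTE_AS_POSTED))
    for fname, lines in site_to_site_directives("192.168.20.0/24", "siteA",
                                                ["172.16.1.0/24", "172.16.2.0/24"]).items():
        print(f"# {fname}")
        print("\n".join(lines))
```

The route check is only half the picture: the kernel route on the server (the ovpns1 lines above) gets packets into the OpenVPN process, but the iroute in the client's override is what lets OpenVPN pick the right client, and the client itself still needs a route to the server LAN. Comparing the generated directives against each side's actual settings makes a mismatch between the two halves visible.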