Openvpn – Pfsense OpenVPN Site to Site Routing issues

openvpnpfsenseroutingsite-to-site-vpn

I know this question has been asked a plethora of times before and I have looked over probably 100 different answers and still can't seem to get this to work.

I'm trying to create a very simple site to site openvpn connection. I have the connection setup and working between the two locations however I cannot get the routing setup to communicate between the devices on the different networks.

Site A (Main): 192.168.1.0/24

Site B: 192.168.2.0/24

VPN Tunnel: 10.1.10.0/24

Trace Route fails after first attempt so the it looks like the route isn't working at all.

Any help would be fantastic!

Best Answer

Answer comes in form of a question. Where is your NAT rule which is going to translate outbound traffic? You should have outbound NAT on the site of your server set like this:

Interface: the one you are using for your tunnel

Protocol: any

Source: network from other site

Destination: any

And under translation

Adress: interface address

You need outbound NAT because otherwise you aren't able to use tunnel. Simply because your router don't know the route to the network on the other site. But if you translate source address to your tunnel interface address then it will be able to respond.

Related Solutions

Openvpn – pfSense Site-toSite VPN with OpenVPN connects but won’t route traffic

Here's what may be an issue. Imagine you have following network:

address pool: 10.1.1.0/255.255.255.0
router: 10.1.1.1
internal interface on internal vpn server: 10.1.1.2
some external machine that VPNs to network: 10.2.2.2
some internal client machine: 10.1.1.90

When you trying to access SIC from external VPN box, then traffic route goes like this:

10.2.2.2
vpn (internet)
10.1.1.2
10.1.1.90
OK

Seems fine, HOWEVER, in order for traffic to flow, the 10.1.1.90 machine should be able to respond and that means that packets from it must be routable to 10.2.2.2 too. Internal client has obviously ip: 10.1.1.90, mask: 255.255.255.0 and router: 10.1.1.90. Therefore, packets would be routed like this:

10.1.1.90
10.1.1.1 (sine it is router, and 10.2.2.2 is not directly addressable)
internet
NOT FOUND

Basically, reply packets will not even reach VPN. What can you do? Obviously, what will work is to add route to internal client to route all packets to 10.2.2.2 not to VPN box instead of router, such as (Windows box):

route add 10.2.2.0 mask 255.255.255.0 10.1.1.2

this will resolve the problem on single-machine level. Reply packets will go:

10.1.1.90
10.1.1.2 (explicit route)
vpn (internet)
10.2.2.2

To resolve issue on the network level, you must modify router in a same matter to redirect all traffic going to 10.2.2.0 to 10.1.1.2. This way reply packet will go:

10.1.1.90
10.1.1.1
10.1.1.2
vpn (internet)
10.2.2.2

Another solution is: make your VPN box to NAT on 10.1.1.2 interface. This way for internal machines it will look as if all the traffic originates from 10.1.1.2, and replies will go to 10.1.1.2. I would advise to go through routing though, since NAT will require additional resources on VPN box for connection tracker

PFSense VPN Routing

Traffic must match your SPD local and remote subnets to go across IPsec. Easiest is put your OpenVPN subnet within the IPseec local subnet of the site where the OpenVPN server resides. Also need to push appropriate routes to the OpenVPN client. That's all covered in detail in http://pfsense.org/book