  1. #1 Newbie

    Missing route for OpenVPN clients through OpenVPN site-to-site tunnel

    Hi,

    I have a network diagram like in the picture:

    (attachment: 2021-10-22 13_58_24-Window.png)

    Everything is working perfectly between point 2 and 3 and between point 1 and 2.

    However, there is no traffic between 1(mobile) and 3.

    Are there some manual tweaks to handle this?

  2. #2 sky-knight (Untangle Ninja, Phoenix, AZ)


    You need to export 3's network on 2's Untangle.

    OpenVPN -> Settings -> Server -> Exported Networks.

    If it's not exported... it's not accessible. While you're at it you might want to export your OpenVPN address pool range too, if you ever want to be able to access the clients themselves over the VPN from the protected networks.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3 Newbie


    Thank you for your reply.

    The 3rd subnet (located on pfSense) is already present in the exported list on UT. However, that didn't help.

    Do I need to reinstall the ovpn on device 1 after modifying the exports?

  4. #4 sky-knight (Untangle Ninja, Phoenix, AZ)


    No, routes are pushed.

    You can verify this with the route print command on the connected client; it should have a route for that remote IP range.

    The exports create the list of routes pushed to the clients, as well as grant access.

    Another thing to check, that remote client? What is its IP address? You cannot duplicate addresses, so if the networks behind router 1 or 2 are the same as what the client is using itself... whatever is overlapping won't work.

  5. #5 Newbie


    The current pfSense status is like:
    (attachment: murgeni.ddns.com - Status_ OpenVPN.png)
    and config:
    (attachment: murgeni.ddns.com - VPN_ OpenVPN_ Clients_ Edit.png)

    The exports on UT:
    (attachment: Untangle.png)

    The tunnel is using different subnets on UT and pfSense. Also, the pfSense subnet is different from the ones located on UT.

    Should I add the tunnel IP from pfSense to the export list?

  6. #6 sky-knight (Untangle Ninja, Phoenix, AZ)


    That's fine, and the IP range of the road warrior client? The network it is sitting on cannot overlap either.

    You may need to export on the PFSense too... But the fact that the site-to-site works seems to say otherwise.

  7. #7 Newbie


    The pfSense is in the same subnet as the clients...
    (attachment: connectedClients.png)

    And the server is like:

    (attachment: ConkfigurationCkient.png)

  8. #8 sky-knight (Untangle Ninja, Phoenix, AZ)


    Of course it is!

    PFSense is just a VPN client connecting to the Untangle OpenVPN Server, is it not?

    The client IP you need to check is the REAL IP ADDRESS the OpenVPN client that DOES NOT WORK OVER THE TUNNEL is connecting with. I'm not talking about that client's OpenVPN provided address, I'm talking about its REAL IP ADDRESS IT USES WITHOUT ANY VPN. The one you get on that laptop when you run ipconfig on it.

    That address matters... it CANNOT BE in the same IP range as ANY of your networks listed here. This is why I do NOT recommend using 192.168.ANYTHING in a commercial network. It simply leads to problems.
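As an added example (not from this thread, and not Untangle's or pfSense's own tooling), a small Python script that checks the two things sky-knight asks the poster to verify in posts #4 and #8: whether the road warrior's real LAN overlaps any exported network or the OpenVPN address pool, and whether the client's `route print` table actually contains a pushed route for site 3's range. Every subnet and the route table excerpt below are constructed placeholders, not values from the thread.

```python
"""Added example: overlap and pushed-route checks for the thread's setup.
Subnets and the `route print` excerpt are constructed, not the poster's.
Requires Python 3.7+ (ip_network.subnet_of)."""
import re
from ipaddress import ip_network

# Constructed topology (assumed values, not from the thread).
NETWORKS = {
    "site2_lan (Untangle)":    "10.20.0.0/24",
    "site3_lan (pfSense)":     "10.30.0.0/24",
    "openvpn_pool (Untangle)": "172.16.16.0/24",
}

# Constructed excerpt of `route print` on a connected Windows client:
# the route for site 2 was pushed, the one for site 3 is missing.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.1   192.168.1.50     25
        10.20.0.0    255.255.255.0    172.16.16.5    172.16.16.6    281
      172.16.16.0    255.255.255.0        On-link    172.16.16.6    281
"""

def find_overlaps(client_lan, networks=NETWORKS):
    """Names of exported networks / the pool that overlap the client's own LAN.
    Any hit means packets for that range stay on the local segment instead
    of entering the tunnel, which matches the symptom in post #1."""
    lan = ip_network(client_lan, strict=False)
    return sorted(name for name, cidr in networks.items()
                  if lan.overlaps(ip_network(cidr)))

# One IPv4 row: destination, netmask, gateway (IP or "On-link"), interface, metric
ROUTE_ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+\S+\s+\S+\s+\d+\s*$")

def has_route_for(route_print_output, target):
    """True if the route table holds a non-default route covering `target`,
    i.e. the range that the server should have pushed for that site."""
    want = ip_network(target)
    for line in route_print_output.splitlines():
        m = ROUTE_ROW.match(line)
        if m:
            net = ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            # 0.0.0.0/0 is the default route, not a pushed route
            if net.prefixlen and want.subnet_of(net):
                return True
    return False
```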

  9. #9 Newbie


    Yes, the pfSense is a VPN client (type network) for UT.

    I spent some time on this and I still don't have a solution. Do I need to improve something in this setup, other than using different subnets? Why is it wrong to use 192.168.x.x in internal setups? Will this fix my setup problem, or is it a limitation of OpenVPN regarding this site-to-site setup?

    For now, I've added a VPN server on pfSense. It's not pretty, but it does the job.
