OPNSense OpenVPN access both sites via Remote Access?

Dear,

I have been playing with OPNSense and very charmed by it. But I still can’t use it in production because I can’t get one thing to work:

Basically I have two networks (each at its own server. Both servers have their own networks). So I want Network A (10.10.12.0/24) connected to Network B (10.10.11.0/24). Therefore I successfully used the Site 2 Site PreShared Key configuration.

At both ends in the LANs I could ping the other LAN. So far, so good.

But now I am at home and also want to be able to ping both 10.10.11.0/24 and 10.10.12.0/24. I’ve set up a second OpenVPN Server (Remote Access). I do have internet access and can ping the gateway of 10.10.12.1 (this is the server that I installed OpenVPN Remote Access on). But I can NOT ping 10.10.11.0/24.

What am I missing? I even disabled both firewalls and it still didn’t work. What should I do?

Thank you,
Dennis

Comments

  • coolgoole (Member)
    edited December 2020

    <3 <3 <3

  • DennisdeWit (Member)
    edited December 2020

    @coolgoole said:
    You are a good man
    Hope someone can help you

    Sorry, but are you planning on applying for a Provider Tag or so? Because this reply wasn’t really helpful. Not to be rude, but mostly when someone makes these replies, it ends badly.

  • @DennisdeWit said:

    @coolgoole said:
    You are a good man
    Hope someone can help you

    Sorry, but are you planning on applying for a Provider Tag or so? Because this reply wasn’t really helpful. Not to be rude, but mostly when someone makes these replies, it ends badly.

    Sorry
    I just thought of you helping me that day.
    If it is offensive to you, I will delete it.

  • @DennisdeWit Try a firewall rule to accept traffic from your OpenVPN access IP range towards your LAN net - so allow source: ovpn.as.ran.ge/24 to: LAN net. Once the AS range can get on LAN you should be good for the site-to-site too since it already sounds like that route is working.


  • @Harambe said:
    @DennisdeWit Try a firewall rule to accept traffic from your OpenVPN access IP range towards your LAN net - so allow source: ovpn.as.ran.ge/24 to: LAN net. Once the AS range can get on LAN you should be good for the site-to-site too since it already sounds like that route is working.

    Will try that, thanks! For the time being I use Untangle, but their GUI is not the best. I like OPNSense better. But for sure will give it a try again. Why not? Always here to learn and I hate giving up. ;)

  • @DennisdeWit said:

    @Harambe said:
    @DennisdeWit Try a firewall rule to accept traffic from your OpenVPN access IP range towards your LAN net - so allow source: ovpn.as.ran.ge/24 to: LAN net. Once the AS range can get on LAN you should be good for the site-to-site too since it already sounds like that route is working.

    Will try that, thanks! For the time being I use Untangle, but their GUI is not the best. I like OPNSense better. But for sure will give it a try again. Why not? Always here to learn and I hate giving up. ;)

    Hope that works. I switched my setup otherwise I'd give you some more config details. Right now I have a VM running Wireguard on the LAN of one location and then I just port forward for that, so I end up right on the LAN which has the site-to-site routes. Getting better speeds with Wireguard compared to OVPN.


  • Have you applied a route on both sites?

  • @blackhiden said:
    Have you applied a route on both sites?

    Which route should I make, exactly? Route it over the OpenVPN Tunnel GW?

  • blackhiden (Member)
    edited December 2020

    @DennisdeWit said:

    @blackhiden said:
    Have you applied a route on both sites?

    Which route should I make, exactly? Route it over the OpenVPN Tunnel GW?

    Do you redirect all your home PC traffic to the OpenVPN gw?

  • @blackhiden said:

    @DennisdeWit said:

    @blackhiden said:
    Have you applied a route on both sites?

    Which route should I make, exactly? Route it over the OpenVPN Tunnel GW?

    Do you redirect all your home PC traffic to the OpenVPN gw?

    No. I don’t. This would cost too much data and I don’t need it. I just want to keep my own connection and make some SMB connections and such. :)

  • is your topology just like this?
    (sorry for my bad drawing)

  • If your PC has a default route via 10.10.12.1, then the matter is the firewall.

  • @blackhiden said:

    is your topology just like this?
    (sorry for my bad drawing)

    My Home PC is connected to the server with range 10.10.12.0/24 by OpenVPN Remote Access

    Server 1 (10.10.12.0/24) is site to site connected to server 2 (10.10.11.0/24). Both servers can ping each other, just like all of my LAN clients on both server 1 and server 2.

    I just can’t ping 10.10.11.0/24 from my HomePC. But I can ping 10.10.12.0/24 just fine, as that is the server which my Home PC is connected with. I also want to be able to ping 10.10.11.0/24. Even turning off all the firewalls (pfctl -d) didn’t work. So I guess it is a routing issue?

  • I still don't get it, because you're using the same IP block on either your remote access or server 1.
    Would you like to draw it?

  • Basically it is like this

  • @DennisdeWit said:
    Basically it is like this

    Try to add a route on your home PC: 10.10.11.0/24 via 10.10.12.1
    and use traceroute instead of ping.

  • DennisdeWit (Member)
    edited December 2020

    Spent yet another 2 hours messing with stuff I don't understand.

    I can't even ping 10.10.0.2 (server B). But I can ping 10.10.0.1 from my Home PC. OPNSense really is some fucked up shit that nobody understands.

    @Harambe: any ideas?

  • Ping me.

    @DennisdeWit said:

    Spent yet another 2 hours messing with stuff I don't understand.

    I can't even ping 10.10.0.2 (server B). But I can ping 10.10.0.1 from my Home PC. OPNSense really is some fucked up shit that nobody understands.

    I can take a look if you want help?

    Make your choice on your own But i can help you to make them right.

  • @simonindia said:
    Ping me.

    @DennisdeWit said:

    Spent yet another 2 hours messing with stuff I don't understand.

    I can't even ping 10.10.0.2 (server B). But I can ping 10.10.0.1 from my Home PC. OPNSense really is some fucked up shit that nobody understands.

    I can take a look if you want help?

    Currently, my whole connection is messed up. I will reinstall both VMs and send you a DM.

  • Sure.


  • @simonindia said:
    Sure.

    Sent you a DM!

  • Amazing! @simonindia fixed the problem and explained to me what I needed to do via Skype. Thank you for your help!

  • Update the solution here and I think this thread should be marked as "solved"

  • DennisdeWit (Member)
    edited December 2020

    Ok. He added 10.10.11.0/24 to the “IPv4 Local Networks” area in the OpenVPN Remote Access Server settings.

    How do I mark this as solved?

  • @blackhiden said:

    @DennisdeWit said:
    Basically it is like this

    Try to add a route on your home PC: 10.10.11.0/24 via 10.10.12.1
    and use traceroute instead of ping.

    is that shadow your flaccid pp?

    lurking in the shadows like a wombat or some shit

  • close the thread maybe

  • @SirFoxy No. Those are my skew hands. Thank you, rheumatic disease.

  • Woops! I accidentally loaded the wrong profile of the Untangle server that already was working. Still not solved. :-(

  • blackhiden (Member)
    edited December 2020

    Does your VM have 2 OpenVPN instances? Like tun/24 and tun/32.
    You said A and B are site-to-site VPN, home PC and server remote access.

  • @blackhiden said:
    Does your VM have 2 OpenVPN instances? Like tun/24 and tun/32.
    You said A and B are site-to-site VPN, home PC and server remote server.

    Yes. Gateway2 has 2 OpenVPN Instances

    • Port 1194 (Site to site, tunnel 10.10.0.0/24)
    • Port 1195 (Remote Access Server Mode, tunnel 10.20.0.0/24)

    All the VMs at both networks can ping each other (so 10.10.12.1 responds on the 10.10.11.0/24 network and vice versa)

    When I am connected with Remote Access Server via my MacBook Pro at home, I can ping the 10.10.12.0/24 network (this is normal, because this subnet is the LAN of the server where the Remote Access Server is running on). Just not the 10.10.11.0/24 network.
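    As an added illustration that is not from the thread: a small route-lookup walk over the topology described above (home PC on the 10.20.0.0/24 remote-access tunnel, gateway A with LAN 10.10.12.0/24, gateway B with LAN 10.10.11.0/24 behind the 10.10.0.0/24 site-to-site tunnel). It shows that pushing 10.10.11.0/24 to the client (the "IPv4 Local Networks" fix mentioned later in the thread) gets the echo request to site B, but the ping still fails unless gateway B also has a route back to 10.20.0.0/24 through the tunnel, which is exactly why a failing ping with a working traceroute points at the return path; node names, the single client address 10.20.0.2 and the assumption that gateway A does not NAT remote-access clients are mine.

```python
from ipaddress import ip_address, ip_network

# Route = (destination, next hop); "local" = delivered here. Node names and the
# single remote-access client 10.20.0.2 are assumptions; subnets are the thread's.
def lookup(table, dst):
    """Longest-prefix match as a kernel does it; None when no route matches."""
    dst, best = ip_address(dst), None
    for net, hop in table:
        net = ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else best[1]

def trace(tables, node, dst, max_hops=8):
    """Nodes a packet visits until delivered, or None if it is dropped."""
    path = [node]
    for _ in range(max_hops):
        hop = lookup(tables.get(node, []), dst)
        if hop is None:
            return None            # no route, or handed to the ISP: dropped
        if hop == "local":
            return path
        node = hop
        path.append(node)
    return None                    # loop guard

def ping_ok(tables, src_node, src_ip, dst_ip):
    """ICMP echo must reach dst AND the reply must find its way back to src."""
    fwd = trace(tables, src_node, dst_ip)
    back = fwd and trace(tables, fwd[-1], src_ip)
    return bool(back) and back[-1] == src_node

def build_tables(push_site_b_lan=False, site_b_return_route=False):
    """The thread's topology; each flag switches on one of the two fixes."""
    t = {"homepc": [("10.20.0.2/32", "local"), ("10.20.0.0/24", "gwA"),
                    ("10.10.12.0/24", "gwA"), ("0.0.0.0/0", "internet")],
         "gwA": [("10.10.12.0/24", "local"), ("10.10.0.1/32", "local"),
                 ("10.20.0.0/24", "homepc"), ("10.10.11.0/24", "gwB"),
                 ("10.10.0.0/24", "gwB"), ("0.0.0.0/0", "internet")],
         "gwB": [("10.10.11.0/24", "local"), ("10.10.0.2/32", "local"),
                 ("10.10.12.0/24", "gwA"), ("10.10.0.0/24", "gwA"),
                 ("0.0.0.0/0", "internet")],
         "internet": []}           # ISP drops RFC 1918 destinations
    if push_site_b_lan:            # 10.10.11.0/24 in "IPv4 Local Networks"
        t["homepc"].append(("10.10.11.0/24", "gwA"))
    if site_b_return_route:        # gwB must route the road-warrior net back via gwA
        t["gwB"].append(("10.20.0.0/24", "gwA"))
    return t
```

    With only the push route, trace() reaches gwB but the reply from gwB is dropped; with both routes the ping succeeds, and the firewall rule from earlier in the thread still has to permit 10.20.0.0/24 to both LANs on top of that.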

  • How about using an instance and subnet topology?
    We can attach ccd + push route config so your machines route automatically.
    Always works for me.

  • DennisdeWit (Member)
    edited December 2020

    The problem is, I also can not ping 10.10.0.2, the other side of the tunnel on my MacBook.

  • I just made one OpenVPN Server (Remote Access SSL/TLS) and connected on Site B the client via Peer to Peer (SSL/TLS).

    From site B I can ping 10.10.11.1 (gateway) and 10.10.12.1 (Site A)

    From Site A I can ping 10.10.12.1 (gateway) but not 10.10.11.1 (site B). So the problem must be with site B. Any ideas?
