OPNSense OpenVPN access both sites via Remote Access?

Dear,

I have been playing with OPNSense and very charmed by it. But I still can’t use it in production because I can’t get one thing to work:

Basically I have two networks (each at its own server. Both servers have their own networks). So I want Network A (10.10.12.0/24) connected to Network B (10.10.11.0/24). Therefore I successfully used the Site 2 Site PreShared Key configuration.

At both ends in the LANs I could ping the other LAN. So far, so good.

But now I am at home and also want to be able to ping both 10.10.11.0/24 and 10.10.12.0/24. I’ve set up a second OpenVPN Server (Remote Access). I do have internet access and can ping the gateway of 10.10.12.1 (this is the server that I installed OpenVPN Remote Access on). But I can NOT ping 10.10.11.0/24.

What am I missing? I even disabled both firewalls and it still didn’t work. What should I do?

Thank you,
Dennis


Comments

  • coolgoolecoolgoole Barred
    edited December 2020

    <3 <3 <3

  • DennisdeWitDennisdeWit Member
    edited December 2020

    @coolgoole said:
    You are a good man
    Hope someone can help you

    Sorry, but are you planning on applying for a Provider Tag or so? Because this reply wasn’t really helpful. Not to be rude, but mostly when someone makes these replies, it ends badly.

  • @DennisdeWit said:

    @coolgoole said:
    You are a good man
    Hope someone can help you

    Sorry, but are you planning on applying for a Provider Tag or so? Because this reply wasn’t really helpful. Not to be rude, but mostly when someone makes these replies, it ends badly.

    Sorry
    I just thought of you helping me that day.
    If it is offensive to you, I will delete it.

  • HarambeHarambe Member, Host Rep

    @DennisdeWit Try a firewall rule to accept traffic from your OpenVPN access IP range towards your LAN net - so allow source: ovpn.as.ran.ge/24 to: LAN net. Once the AS range can get on LAN you should be good for the site-to-site too since it already sounds like that route is working.

  • @Harambe said:
    @DennisdeWit Try a firewall rule to accept traffic from your OpenVPN access IP range towards your LAN net - so allow source: ovpn.as.ran.ge/24 to: LAN net. Once the AS range can get on LAN you should be good for the site-to-site too since it already sounds like that route is working.

    Will try that, thanks! For the time being I use Untangle, but their GUI is not the best. I like OPNSense better. But for sure will give it a try again. Why not? Always here to learn and I hate giving up. ;)

  • HarambeHarambe Member, Host Rep

    @DennisdeWit said:

    @Harambe said:
    @DennisdeWit Try a firewall rule to accept traffic from your OpenVPN access IP range towards your LAN net - so allow source: ovpn.as.ran.ge/24 to: LAN net. Once the AS range can get on LAN you should be good for the site-to-site too since it already sounds like that route is working.

    Will try that, thanks! For the time being I use Untangle, but their GUI is not the best. I like OPNSense better. But for sure will give it a try again. Why not? Always here to learn and I hate giving up. ;)

    Hope that works. I switched my setup otherwise I'd give you some more config details. Right now I have a VM running Wireguard on the LAN of one location and then I just port forward for that, so I end up right on the LAN which has the site-to-site routes. Getting better speeds with Wireguard compared to OVPN.

  • have you applied route on both site?

  • @blackhiden said:
    have you applied route on both site?

    Which route should I make, exactly? Route it over the OpenVPN Tunnel GW?

  • blackhidenblackhiden Member
    edited December 2020

    @DennisdeWit said:

    @blackhiden said:
    have you applied route on both site?

    Which route should I make, exactly? Route it over the OpenVPN Tunnel GW?

    do you redirect all your home PC traffic to openvpn gw?

  • @blackhiden said:

    @DennisdeWit said:

    @blackhiden said:
    have you applied route on both site?

    Which route should I make, exactly? Route it over the OpenVPN Tunnel GW?

    do you redirect all your home PC traffic to openvpn gw?

    No. I don’t. This would cost too much data and I don’t need it. I just want to keep my own connection and make some SMB connections and such. :)

  • is your topology just like this?
    (sorry for my bad drawing)

  • if your PC has default route via 10.10.12.1, then the matter is firewall.

  • @blackhiden said:

    is your topology just like this?
    (sorry for my bad drawing)

    My Home PC is connected to the server with range 10.10.12.0/24 by OpenVPN Remote Access

    Server 1 (10.10.12.0/24) is site to site connected to server 2 (10.10.11.0/24). Both servers can ping each other, just like all of my LAN clients on both server 1 and server 2.

    I just can’t ping 10.10.11.0/24 from my HomePC. But I can ping 10.10.12.0/24 just fine, as that is the server which my Home PC is connected with. I also want to be able to ping 10.10.11.0/24. Even turning off all the firewalls (pfctl -d) didn’t work. So I guess it is a routing issue?

  • I still don't get it. Because you're using same IP block either on your remote access or server 1.
    would you like to draw it?

  • Basically it is like this

  • @DennisdeWit said:
    Basically it is like this

    try to add route on your home PC: 10.10.11.0/24 via 10.10.12.1
    and use traceroute instead of ping.

  • DennisdeWitDennisdeWit Member
    edited December 2020

    Spent yet another 2 hours messing with stuff I don't understand.

    I can't even ping 10.10.0.2 (server B). But I can ping 10.10.0.1 from my Home PC. OPNSense really is some fucked up shit that nobody understands.

    @Harambe: any ideas?

  • Ping me> @DennisdeWit said:

    Spent yet another 2 hours messing with stuff I don't understand.

    I can't even ping 10.10.0.2 (server B). But I can ping 10.10.0.1 from my Home PC. OPNSense really is some fucked up shit that nobody understands.

    I can take a look if you want help ?

  • @simonindia said:
    Ping me> @DennisdeWit said:

    Spent yet another 2 hours messing with stuff I don't understand.

    I can't even ping 10.10.0.2 (server B). But I can ping 10.10.0.1 from my Home PC. OPNSense really is some fucked up shit that nobody understands.

    I can take a look if you want help ?

    Currently, my whole connection is messed up. I will reinstall both VMs and send you a DM.

  • Sure.

  • @simonindia said:
    Sure.

    Sent you a DM!

  • Amazing! @simonindia fixed the problem and explained to me what I needed to do via Skype. Thank you for your help!

  • Update the solution here and I think this thread should be marked as "solved"

  • DennisdeWitDennisdeWit Member
    edited December 2020

    Ok. He added 10.10.11.0/24 to the “IPv4 Local Networks” area in the OpenVPN Remote Access Server settings.

    How do I mark this as solved?

  • @blackhiden said:

    @DennisdeWit said:
    Basically it is like this

    try to add route on your home PC: 10.10.11.0/24 via 10.10.12.1
    and use traceroute instead of ping.

    is that shadow your flaccid pp?

  • close the thread maybe

  • @SirFoxy No. Those are my skew hands. Thank you, rheumatic disease.

  • Woops! I accidentally loaded the wrong profile of the Untangle server that already was working. Still not solved. :-(

  • blackhidenblackhiden Member
    edited December 2020

    Does your vm have 2 openvpn instance? like tun/24 and tun/32
    You said A and B are site to site vpn, home pc and server remote access

  • @blackhiden said:
    Does your vm have 2 openvpn instance? like tun/24 and tun/32
    You said A and B are site to site vpn, home pc and server remote server.

    Yes. Gateway2 has 2 OpenVPN Instances

    • Port 1194 (Site to site, tunnel 10.10.0.0/24)
    • Port 1195 (Remote Access Server Mode, tunnel 10.20.0.0/24)

    All the VMs at both networks can ping each other (so 10.10.12.1 responds on the 10.10.11.0/24 network and vice versa)

    When I am connected with Remote Access Server via my MacBook Pro at home, I can ping the 10.10.12.0/24 network (this is normal, because this subnet is the LAN of the server where the Remote Access Server is running on). Just not the 10.10.11.0/24 network.
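The thread ends without a confirmed fix, so the following is an added example (not code from the thread or from OPNsense) that models the routing question the replies circle around. Two things have to be true for a ping from the home PC to reach 10.10.11.0/24: the client needs a route for that prefix over its tunnel (this is what listing 10.10.11.0/24 under "IPv4 Local Networks" on the remote-access server does, since OPNsense turns it into a pushed route), and the reply has to find its way back, which means Server B needs a route for the remote-access tunnel subnet (10.20.0.0/24) over the site-to-site tunnel. The thread does not confirm that the return route was the missing piece; it is an assumption that fits the symptoms (LAN of Gateway2 reachable, firewalls off, 10.10.11.0/24 still silent). The home LAN address, the WAN gateways and the exact tunnel endpoint addresses are constructed; the prefixes and the 10.10.0.1/10.10.0.2 endpoints come from the thread.

```python
import ipaddress
from typing import Any, Dict, List, Optional, Tuple

# A route is (destination prefix, next hop or None when directly connected, interface).
Route = Tuple[str, Optional[str], str]
# A node is {"addrs": set of its own addresses, "table": its routing table}.
Node = Dict[str, Any]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the way a host or OPNsense (FreeBSD) kernel selects a route."""
    d = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    best_len = -1
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if d in net and net.prefixlen > best_len:
            best, best_len = (prefix, next_hop, iface), net.prefixlen
    return best


def owner(nodes: Dict[str, Node], addr: str) -> Optional[str]:
    """Name of the node holding this address, or None if it lies outside the modelled topology."""
    for name, node in nodes.items():
        if addr in node["addrs"]:
            return name
    return None


def trace(nodes: Dict[str, Node], start: str, dst: str, max_hops: int = 8) -> Tuple[List[str], bool]:
    """Forward one packet hop by hop and return (hops, delivered).
    A hop named 'off-path:<gateway>' means the packet left the tunnels via a
    default route toward an address we do not model (the internet), i.e. it is lost."""
    hops = [start]
    node = start
    for _ in range(max_hops):
        if dst in nodes[node]["addrs"]:
            return hops, True
        route = lookup(nodes[node]["table"], dst)
        if route is None:
            return hops, False
        _, next_hop, _ = route
        target = dst if next_hop is None else next_hop
        nxt = owner(nodes, target)
        if nxt is None:
            hops.append(f"off-path:{target}")
            return hops, False
        hops.append(nxt)
        node = nxt
    return hops, False


def ping(nodes: Dict[str, Node], src_node: str, src_addr: str, dst: str) -> Dict[str, Any]:
    """An ICMP echo needs BOTH directions to route: request src->dst and reply dst->src."""
    request, ok = trace(nodes, src_node, dst)
    if not ok:
        return {"request": request, "reply": [], "ok": False}
    reply, ok = trace(nodes, request[-1], src_addr)
    return {"request": request, "reply": reply, "ok": ok}


def build(push_route_to_client: bool, return_route_on_b: bool) -> Dict[str, Node]:
    """Thread topology. Home LAN, WAN gateways and tunnel endpoint addresses are constructed."""
    nodes: Dict[str, Node] = {
        "homepc": {"addrs": {"192.168.1.50", "10.20.0.2"},
                   "table": [("0.0.0.0/0", "192.168.1.1", "en0"),
                             ("10.20.0.0/24", None, "utun0"),
                             ("10.10.12.0/24", "10.20.0.1", "utun0")]},  # Gateway2's LAN, pushed
        "gateway2": {"addrs": {"10.10.12.1", "10.20.0.1", "10.10.0.1"},
                     "table": [("0.0.0.0/0", "203.0.113.1", "wan"),
                               ("10.10.12.0/24", None, "lan"),
                               ("10.20.0.0/24", None, "ovpns2"),   # remote access, port 1195
                               ("10.10.0.0/24", None, "ovpns1"),   # site-to-site, port 1194
                               ("10.10.11.0/24", "10.10.0.2", "ovpns1")]},
        "serverb": {"addrs": {"10.10.11.1", "10.10.0.2"},
                    "table": [("0.0.0.0/0", "198.51.100.1", "wan"),
                              ("10.10.11.0/24", None, "lan"),
                              ("10.10.0.0/24", None, "ovpns1"),
                              ("10.10.12.0/24", "10.10.0.1", "ovpns1")]},
    }
    if push_route_to_client:
        # Effect of adding 10.10.11.0/24 to "IPv4 Local Networks" on the remote-access server.
        nodes["homepc"]["table"].append(("10.10.11.0/24", "10.20.0.1", "utun0"))
    if return_route_on_b:
        # Assumed missing piece: Server B must route the remote-access subnet back over site-to-site.
        nodes["serverb"]["table"].append(("10.20.0.0/24", "10.10.0.1", "ovpns1"))
    return nodes


if __name__ == "__main__":
    for push, ret in [(False, False), (True, False), (True, True)]:
        r = ping(build(push, ret), "homepc", "10.20.0.2", "10.10.11.1")
        print(f"push={push} return={ret}: ok={r['ok']} request={r['request']} reply={r['reply']}")
```

The middle case is the instructive one: the request arrives at Server B, but the reply follows B's default route and never comes back, so ping fails even with `pfctl -d` on every box. That is also why the suggestion to use traceroute instead of ping is sound; a hop-by-hop trace shows how far the request gets, which a silent ping cannot. The model ignores packet filtering entirely: on a real OPNsense the OpenVPN interface still needs a pass rule from the tunnel subnet to the LAN nets, as suggested earlier in the thread.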
