Hello
We have 2 OPNsense
OP1 for Service
OP2 for access
OP1
LAN OP1 10.200.100.1
L2L 172.50.100.10 > Gateway 172.50.100.20
Route 10.210.10.0/24 > 172.50.100.20
OP2
LAN OP2 10.210.10.1
L2L 172.50.100.20 > Gateway 172.50.100.10
Route 10.200.100.0/24 > 172.50.100.10
Works perfectly between LANs
LAN OP1 <> LAN OP2
When clients are connected to the VPN on OP2
They get an IP inside 172.21.10.0/24
IPv4 local networks are 10.210.10.0/24 (LANOP2) and 10.200.100.1 (LANOP1)
They can ping OP2 perfectly
Can't ping OP1
OP1 clients are unable to ping OP2 VPN clients
What am I missing?
What route should I add?
Thanks to you all
What kind of VPN?
Oops
OpenVPN - the user one, not site-to-site
Have you set up all the routes as needed?
Quote from: stanthewizzard on June 13, 2022, 02:06:31 PM
Set 10.200.100.0 and the VPN tunnel network as a local network in OP2 OpenVPN config.
Local networks should be all subnets you want the clients to connect to from the VPN connection.
Already tried
doesn't work
:(
Post pics of the configs.
You are just missing a route on OP1.
OP1 doesn't know where it should look for your VPN network 172.21.10.0/24,
so it tries to connect via the default route (probably your WAN connection).
OP2 does know it, because you have configured it there (as a local network).
All you have to add is another route on OP1:
172.21.10.0/24 via 172.50.100.20
and now everyone on OP1 knows where it should look for the VPN network :)
Edit:
Oh... you also need to push the route to the OP1 LAN to the VPN clients, if you don't push all your traffic through the VPN. (If you push 0.0.0.0/0 to your VPN clients, you can omit this route, because it's already added implicitly.)
VPN -> OP1-LAN is what Demusman mentioned.
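To make the two halves of this answer concrete, here is an added example (not from the thread and not OPNsense code) that models the three routing tables with the addresses stan posted and traces both the echo request and the echo reply; the client address 172.21.10.5, the "tun" next hop and the "wan"/"isp" default gateways are assumptions of the model.

```python
import ipaddress
from copy import deepcopy

# Constructed model of the thread's topology (addresses from stan's post).
OP1_LAN, OP2_LAN, VPN_POOL = "10.200.100.0/24", "10.210.10.0/24", "172.21.10.0/24"
L2L_OP1, L2L_OP2 = "172.50.100.10", "172.50.100.20"
# Which router a next hop hands the packet to. "tun" is the client's OpenVPN tunnel
# (terminates on OP2); any other gateway is a default route that loses the packet.
NEXT_ROUTER = {L2L_OP1: "OP1", L2L_OP2: "OP2", "tun": "OP2"}

BEFORE = {  # tables as described in the first post, before wedge1001's fix
    "OP1": [(OP1_LAN, "connected"), (OP2_LAN, L2L_OP2), ("0.0.0.0/0", "wan")],
    "OP2": [(OP2_LAN, "connected"), (VPN_POOL, "connected"), (OP1_LAN, L2L_OP1), ("0.0.0.0/0", "wan")],
    "CLIENT": [(VPN_POOL, "connected"), (OP2_LAN, "tun"), ("0.0.0.0/0", "isp")],
}

def next_hop(table, dst):
    """Longest-prefix match over (prefix, gateway) pairs; returns the gateway or None."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), gw) for p, gw in table if dst in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace(tables, at, dst):
    """Hop-by-hop path of a packet for dst, starting at router `at`."""
    hops = [at]
    while len(hops) < 6:
        gw = next_hop(tables[at], dst)
        if gw == "connected":
            return hops + ["delivered"]
        if gw not in NEXT_ROUTER:
            return hops + [f"lost via {gw}"]  # default route: the packet never comes back
        at = NEXT_ROUTER[gw]
        hops.append(at)
    return hops + ["loop"]

def ping_ok(tables, src_router, src, dst_router, dst):
    """A ping only works if the request AND the reply are delivered."""
    fwd, rev = trace(tables, src_router, dst), trace(tables, dst_router, src)
    return fwd[-1] == "delivered" and rev[-1] == "delivered", fwd, rev

def with_fix(tables, pushed=True, op1_route=True):
    t = deepcopy(tables)
    if pushed:     # OP2 pushes the OP1 LAN to the clients (Local Networks / push "route")
        t["CLIENT"].insert(0, (OP1_LAN, "tun"))
    if op1_route:  # OP1 learns that the VPN pool sits behind OP2
        t["OP1"].insert(0, (VPN_POOL, L2L_OP2))
    return t

if __name__ == "__main__":
    for label, t in [("before", BEFORE), ("push only", with_fix(BEFORE, True, False)),
                     ("OP1 route only", with_fix(BEFORE, False, True)), ("both", with_fix(BEFORE))]:
        ok, fwd, rev = ping_ok(t, "CLIENT", "172.21.10.5", "OP1", "10.200.100.1")
        print(f"{label:15} ok={ok}  request={fwd}  reply={rev}")
```

Only the "both" case succeeds: with just the pushed route the request reaches OP1 but the reply leaves via OP1's WAN, which is exactly the symptom in the first post.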
It's ALIVE
Thanks @wedge1001
I am trying to resolve the same type of issue.
OPNsense 22.1.8_1
OpenVPN - split tunnel
Remote OpenVPN clients not point-to-point.
Have no problems connecting and working on the initial LAN segment behind OPNsense/OpenVPN. I have added new segments that the VPN clients cannot reach. Each of these segments is directly connected to the OPNsense box using a different interface per segment.
new LAN segments - 10.18.91.0/24 and 10.18.92.0/24
VPN clients pool - 10.18.15.0/24
I added
push "route 10.18.91.0 255.255.255.0" and
push "route 10.18.92.0 255.255.255.0"
to the "advanced" section of the VPN:OpenVPN:Servers config page in OPNsense and can see the routes added on a connected Windows box.
@wedge1001 also stated to add another server side route(s) so the new segments know how to reply back.
Where are these routes added? Under System:Routes:Status, there is already an entry for a route with the destination network for my VPN clients - 10.18.15.0/24 via gateway 10.18.15.2 using the ovpns1 interface.
What am I missing here?
Thanks in advance.
As I said above, all local networks should be added to the "Local Networks" field of OpenVPN.
No need to "push" the routes anymore.
@Demusman
The "Local Networks" field is just a placeholder; it will push whatever you add there :)
But yes, it's easier to put it there (except if you have a larger number of networks - then it's really ugly to read).
@runjake:
What's your default gateway in the new networks?
If it's the OPNsense, you don't need to put anything special on the clients; this was only needed for stan since he added another hop in between.
I suspect missing firewall rules. Did you allow access from the VPN to your new LANs?
Quote from: wedge1001 on June 22, 2022, 09:18:40 AM
@Demusman
The "Local Networks" field is just a placeholder; it will push whatever you add there :)
Isn't that exactly what I said?? :)