Hello,
I have configured a "Peer-to-Peer" OpenVPN connection between Site A, where an OPNsense 16.7 is acting as the VPN server, and Site B, where a Debian machine acts as the VPN client.
My final goal is that the Debian machine acts as a gateway for any machine residing in Debian's LAN that wants to access a machine residing on the OPNsense's LAN (and vice versa).
Here is a diagram of the desired networks:
                       ⁞                ⁞
          Site A                              Site B
       10.1.0.0/16     ⁞                ⁞     10.2.0.0/16
        ┌──────────┐   ⁞                ⁞   ┌────────┐
        │ OPNsense •-----►( Internet )◄-----• Site B │
        │ (OpenVPN │   ⁞                ⁞   │ router │
        │  server) │                        └─•──────┘
        └────────•─┘   ⁞                ⁞     |10.2.0.1
         10.1.0.1|                            |
    (192.168.9.1)|     ⁞                ⁞     |              ┌───────────────┐
                 |                            ├--------------• Debian server │
 ┌────────────┐  |     ⁞                ⁞     |      10.2.0.2│ (OpenVPN      │
 │ Station A1 •--┤                            | (192.168.9.2)│  client)      │
 └────────────┘  |     ⁞                ⁞     |              └───────────────┘
                 |                            |  ┌────────────┐
 ┌────────────┐  |     ⁞                ⁞     ├--• Station B1 │
 │ Station A2 •--┤                            |  └────────────┘
 └────────────┘  |     ⁞                ⁞     |
                 |                            |  ┌────────────┐
                 |     ⁞                ⁞     ├--• Station B2 │
                 |                            |  └────────────┘
                 |     ⁞  VPN network   ⁞     |
                 ├~~~~~~~~~~~~~~~~~~~~~~~~~~~~┤
                       ⁞ 192.168.9.0/30 ⁞     |
                       ⁞                ⁞
OpenVPN configuration (on OPNsense):
- Server Mode: Peer to Peer
- Protocol: UDP
- Device Mode: tun
- IPv4 Tunnel Network: 192.168.9.0/30
- IPv4 Local Network: 10.1.0.0/16 (the LAN of Site A / OPNsense side)
- IPv4 Remote Network: 10.2.0.0/16 (the LAN of Site B / Debian server side)
- Client Settings>Dynamic IP: checked
- Client Settings>Address Pool: checked
- Client Settings>Topology: checked
Once the client connects, both ends have the following IP addresses in the tunnel network:
* OPNsense: 192.168.9.1/30
* Debian server: 192.168.9.2/30
All stations use their respective router as their main gateway:
* Clients A1 and A2 use 10.1.0.1 (OPNsense)
* Clients B1, B2 and the Debian server use 10.2.0.1 (Site B router)
On Debian I have enabled IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
On the Site B router (10.2.0.1), I have added a static route to 10.1.0.0/16 (Site A's LAN) via 10.2.0.2 (Debian server).
From both OPNsense and the Debian server I can ping the other end using 192.168.9.x/30 (tunnel network).
From the Debian server, I can ping and access (e.g. HTTP) any IP address belonging to 10.1.0.0/16.
From OPNsense, I can't ping the Debian server using its 10.2.0.2 IP address (problem number 1) nor any other IP belonging to 10.2.0.0/16 (problem number 2).
From Station B1, a traceroute shows that traffic to 10.1.0.0/16 goes through 10.2.0.1 (Site B router), but the traffic does not reach its destination (problem number 3).
For problem number 1:
I guess I have to add a route on OPNsense because I can't see any route for 10.2.0.0/16 in the OPNsense web GUI "System Routing Table" (/ui/diagnostics/interface/routes/).
To add such a route, a gateway is required, so I must also create that gateway.
But on which interface should this gateway be?
I have a "pending" new interface "ovpns1" in "Interfaces: Assignments" (/interfaces_assign.php) but don't know if I can/should assign it.
Thanks for your help.
Edit: Added a map and color.
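All three symptoms come down to where each router's longest-prefix match sends the packet and, just as importantly, the reply. The Python below is an added example (not OPNsense or OpenVPN output, and not the poster's configuration) that models the routing tables stated in the post with made-up station addresses, assumes every host forwards, and shows that a ping only succeeds when both directions have a route; add_route lets you see what a 10.2.0.0/16 route on the OPNsense side changes.

```python
import ipaddress as ipa
# Constructed model of the post's topology (added example, not OPNsense or OpenVPN
# output). ROUTES entries are (prefix, next hop): None = directly connected,
# "internet" = the untrusted default path. Station addresses are made up.
ADDRS = {"opnsense": ["10.1.0.1", "192.168.9.1"], "siteb_router": ["10.2.0.1"],
         "debian": ["10.2.0.2", "192.168.9.2"],
         "station_a1": ["10.1.0.10"], "station_b1": ["10.2.0.10"]}
ROUTES = {
    "opnsense": [("10.1.0.0/16", None), ("192.168.9.0/30", None), ("0.0.0.0/0", "internet")],
    "siteb_router": [("10.2.0.0/16", None), ("10.1.0.0/16", "10.2.0.2"), ("0.0.0.0/0", "internet")],
    "debian": [("10.2.0.0/16", None), ("192.168.9.0/30", None),
               ("10.1.0.0/16", "192.168.9.1"), ("0.0.0.0/0", "10.2.0.1")],
    "station_a1": [("10.1.0.0/16", None), ("0.0.0.0/0", "10.1.0.1")],
    "station_b1": [("10.2.0.0/16", None), ("0.0.0.0/0", "10.2.0.1")],
}

def owner(ip):
    return next((h for h, addrs in ADDRS.items() if ip in addrs), None)

def add_route(host, prefix, gw):
    ROUTES[host].append((prefix, gw))

def lookup(host, dst):
    """Longest-prefix match on host's table -> (next hop IP or 'internet', source IP used)."""
    net, gw = max(((ipa.ip_network(p), g) for p, g in ROUTES[host]
                   if ipa.ip_address(dst) in ipa.ip_network(p)), key=lambda r: r[0].prefixlen)
    nh = dst if gw is None else gw
    # Source address: the host's own address on the link that leads to the next hop.
    links = [ipa.ip_network(p) for p, g in ROUTES[host] if g is None]
    src = next((a for a in ADDRS[host] for n in links if nh != "internet"
                and ipa.ip_address(a) in n and ipa.ip_address(nh) in n), None)
    return nh, src

def trace(host, dst, max_hops=8):
    """Hop-by-hop path; ends at the owner of dst, at 'internet', or at 'unreachable'."""
    path = [host]
    while dst not in ADDRS[host] and len(path) <= max_hops:
        nh, _ = lookup(host, dst)
        host = owner(nh) if nh != "internet" else None
        if host is None:
            return path + ["internet" if nh == "internet" else "unreachable"]
        path.append(host)
    return path

def ping_ok(src_host, dst):
    """Echo request must reach dst's owner AND the reply must get back to src_host."""
    if trace(src_host, dst)[-1] != owner(dst):
        return False
    _, src_ip = lookup(src_host, dst)
    return src_ip is not None and trace(owner(dst), src_ip)[-1] == src_host
```

Before the extra route, trace("station_b1", "10.1.0.10") reaches Site A but the reply from Station A1 leaves OPNsense towards "internet", which is the asymmetric-route failure behind problem number 3.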
Try to add a Client exception with the remote subnet re-added, as already done within the server settings.
Edit: if this is possible with version 16; I only "know" version 17.