OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: CDuv on November 24, 2016, 06:34:34 pm

Title: Access network behind an OpenVPN client? P2P setup: Need manual route?
Post by: CDuv on November 24, 2016, 06:34:34 pm
Hello,
I have configured a "Peer-to-Peer" OpenVPN connection between Site A, where an OPNsense 16.7 is acting as the VPN server, and Site B, where a Debian machine acts as the VPN client.

My final goal is that the Debian machine acts as a gateway for any machine residing in Debian's LAN that wants to access a machine residing on the OPNsense's LAN (and vice-versa).

Here is a schema of the desired networks:


                     ⁞                  ⁞
              Site A                      Site B
         10.1.0.0/16 ⁞                  ⁞ 10.2.0.0/16

       ┌──────────┐  ⁞                  ⁞  ┌────────┐
       │ OPNsense •-----►( Internet )◄-----• Site B │
       │ (OpenVPN │  ⁞                  ⁞  │ router │
       │  server) │                        └─•──────┘
       └────────•─┘  ⁞                  ⁞    |10.2.0.1
        10.1.0.1|                            |
   (192.168.9.1)|    ⁞                  ⁞    |              ┌───────────────┐
                |                            ├--------------• Debian server │
┌────────────┐  |    ⁞                  ⁞    |      10.2.0.2│ (OpenVPN      │
│ Station A1 •--┤                            | (192.168.9.2)│   client)     │
└────────────┘  |    ⁞                  ⁞    |              └───────────────┘
                |                            |  ┌────────────┐
┌────────────┐  |    ⁞                  ⁞    ├--• Station B1 │
│ Station A2 •--┤                            |  └────────────┘
└────────────┘  |    ⁞                  ⁞    |
                |                            |  ┌────────────┐
                |    ⁞                  ⁞    ├--• Station B2 │
                |                            |  └────────────┘
                |    ⁞   VPN network    ⁞    |
                ├~~~~~~~~~~~~~~~~~~~~~~~~~~~~┤
                     ⁞  192.168.9.0/30  ⁞    |
                                       
                     ⁞                  ⁞


OpenVPN configuration (on OPNsense):

Once client connects, both ends have the following IP addresses in the tunnel network:
* OPNsense: 192.168.9.1/30
* Debian server: 192.168.9.2/30

All stations use their respective router as their main gateway.
Clients A1 and A2 use 10.1.0.1 (OPNsense)
Clients B1, B2 and the Debian server use 10.2.0.1 (Site B router)

On Debian I have enabled IP forwarding:

    echo 1 > /proc/sys/net/ipv4/ip_forward

On Site B router (10.2.0.1), I have added a static route to 10.1.0.0/16 (Site A's LAN) via 10.2.0.2 (Debian server).

From both OPNsense and the Debian server I can ping each other using 192.168.9.x/30 (tunnel network).
From the Debian server, I can ping and access (e.g. HTTP) any IP address belonging to 10.1.0.0/16.
From OPNsense, I can't ping the Debian server using its 10.2.0.2 IP address (problem number 1) nor any other IP belonging to 10.2.0.0/16 (problem number 2).
From Station B1, a traceroute shows that traffic to 10.1.0.0/16 uses 10.2.0.1 (Site B router), but traffic does not reach its destination (problem number 3).

For problem number 1:
I guess I have to add a route on OPNsense because I can't see any route for 10.2.0.0/16 in the OPNsense web GUI "System Routing Table" (/ui/diagnostics/interface/routes/).
To add such a route, a gateway is required, so I must also create that gateway.
But on which interface should this gateway be?
I have a "pending" new interface "ovpns1" in "Interfaces: Assignments" (/interfaces_assign.php) but don't know if I can/should assign it.

Thanks for your help.

Edit: Added a map and color.
Title: Re: Access network behind an OpenVPN client? P2P setup: Need manual route?
Post by: ErAzOr on May 13, 2017, 01:25:36 pm
hi,

I'm in exactly the same situation.
I'm able to ping from OpenVPN clients to clients behind the OpenVPN server, but I'm not able to ping the OpenVPN client from the OpenVPN server.

Did you find a solution?
Title: Re: Access network behind an OpenVPN client? P2P setup: Need manual route?
Post by: pingus on May 15, 2017, 02:16:41 pm
Try to add a Client exception with the remote subnet added, as already done within the server settings.

Edit: if this is possible with version 16; I only "know" version 17.
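The suggestion above (a per-client entry carrying the remote subnet) maps onto OpenVPN's two-level routing: a `route` directive in the server configuration tells the kernel to send the remote LAN into the tun device, and an `iroute` in that client's client-config-dir file tells the OpenVPN server process which connected client owns that LAN. With the `route` but no `iroute`, the server drops packets for the remote LAN, which is exactly the "client side can reach us, we cannot reach the client side" symptom in this thread. The following Python script is an added example, not code from the thread or from OPNsense: it parses a constructed server configuration and constructed client-config-dir contents modelled on the thread's topology and reports any `route` without a matching `iroute` (and the reverse). The mapping of the CCD `iroute` to OPNsense's Client Specific Override "IPv4 Remote Network" field is an assumption about the GUI; the directive semantics are OpenVPN's documented behaviour.

```python
"""Consistency check for OpenVPN server-side site-to-site routing.

Constructed example (not from the forum thread or the OPNsense project):
it models the thread's topology and checks that every remote LAN routed
into the tunnel by a 'route' directive is also claimed by a client via
'iroute', which is what the server needs to forward packets to that LAN.
"""
import ipaddress
from typing import Dict, List

# Constructed server.conf fragment for the Site A (server) side.
SERVER_CONF = """
dev tun
server 192.168.9.0 255.255.255.252
# Site B LAN behind the Debian client: kernel route into the tun device
route 10.2.0.0 255.255.0.0
# Tell the client how to reach Site A's LAN
push "route 10.1.0.0 255.255.0.0"
client-config-dir ccd
"""

# Constructed client-config-dir contents, keyed by the client certificate CN.
# On OPNsense this is assumed to correspond to a Client Specific Override
# with the "IPv4 Remote Network" field set.
CCD_FILES: Dict[str, str] = {
    "siteb-debian": "iroute 10.2.0.0 255.255.0.0\n",
}


def parse_networks(text: str, directive: str) -> List[ipaddress.IPv4Network]:
    """Extract '<directive> <network> <netmask>' lines as IPv4Network objects.

    Comments are stripped. 'push "route ..."' lines start with 'push' and are
    deliberately not matched: they only change the client's routing table.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 3 and parts[0] == directive:
            # ipaddress accepts a dotted-quad netmask after the slash
            nets.append(ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def check_iroutes(server_conf: str, ccd_files: Dict[str, str]) -> Dict[str, List[str]]:
    """Report routing inconsistencies on the server side.

    'route_without_iroute': the kernel sends the subnet into the tun device
      but no client owns it, so OpenVPN drops the packets and the client's
      LAN is unreachable from the server side.
    'iroute_without_route': a client claims the subnet but nothing steers
      kernel traffic into the tunnel, so the claim is never exercised.
    """
    claimed = {}
    for cn, text in ccd_files.items():
        for net in parse_networks(text, "iroute"):
            claimed[net] = cn
    routed = set(parse_networks(server_conf, "route"))
    return {
        "route_without_iroute": sorted(str(n) for n in routed if n not in claimed),
        "iroute_without_route": sorted(str(n) for n in claimed if n not in routed),
    }


if __name__ == "__main__":
    print(check_iroutes(SERVER_CONF, CCD_FILES))  # consistent: both lists empty
    print(check_iroutes(SERVER_CONF, {}))         # 10.2.0.0/16 has no owning client
```

Running the check against a real deployment means feeding it the generated server configuration and the files in the client-config-dir. A clean report only covers OpenVPN's own routing; on OPNsense the firewall rules on the OpenVPN interface still have to permit the traffic between the two LANs, and the Site B router still needs its static route for 10.1.0.0/16 via the Debian host, as the original poster already configured.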