Answering my own post from June 2024, because I finally cracked this puzzle during my second migration attempt!
What was missing turned out to be hilariously simple: the push_route directive in OpenVPN configuration. I initially dismissed this option, convinced that the proper "enterprise" way was to handle this through firewall rules and NAT magic. Oh, how wrong I was!
After diving into the XML backup (because who doesn't love reading XML for fun?), I discovered that the push_route directive only contained the network where OPNsense was acting as the router. The solution? I added the other two sites' networks, and to my absolute amazement, they appeared in the GUI after importing as... wait for it... "Local Networks"!
Yes, the same "Local Networks" option that I was absolutely certain only referred to networks directly connected to OpenVPN/OPNsense. Talk about a misleading name! For those technically inclined, this setting actually generates the appropriate push_route directives in the OpenVPN configuration, enabling proper routing between VPN clients and all remote networks.
The moral of the story? Sometimes the solution isn't in adding more complex firewall rules or NAT configurations - it's in understanding that "Local Networks" isn't so local after all. Who would've thought?
For reference, the configuration that fixed everything was simply adding networks 10.2.78.0/24 and 10.3.78.0/24 to the OpenVPN instance's "Local Networks" field. This automatically generated the necessary push_route directives, and suddenly all the VPN clients could reach every network as if by magic (but actually by proper routing).
Remember folks: when in doubt, check your push_routes, and don't let naming conventions fool you!
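Since the whole fix came down to whether the generated OpenVPN server config pushes a route for every site network, here is a small self-check for that, written for this thread as an added example (it is not the poster's configuration or anything OPNsense ships). It parses the `push "route ..."` lines out of an OpenVPN server config, compares them against the list of site networks clients must reach, and renders the missing directives in the form OpenVPN expects. The sample config text and the 10.1.78.0/24 network standing in for the site behind the VPN server are constructed assumptions; 10.2.78.0/24 and 10.3.78.0/24 are the two networks from the post.

```python
import ipaddress
import re

# Constructed sample: an OpenVPN server config as it looked before the fix,
# pushing only the network directly behind the VPN server (10.1.78.0/24 is an
# assumed value for that site).
SERVER_CONF_BEFORE = """\
dev tun
server 10.8.0.0 255.255.255.0
push "route 10.1.78.0 255.255.255.0"
"""

# Every network a connected VPN client is expected to reach.
SITE_NETWORKS = ["10.1.78.0/24", "10.2.78.0/24", "10.3.78.0/24"]

# Matches:  push "route <network> <netmask>"
PUSH_ROUTE_RE = re.compile(r'^\s*push\s+"route\s+(\S+)\s+(\S+)"')


def pushed_routes(conf_text):
    """Return the set of networks the server pushes to clients."""
    routes = set()
    for line in conf_text.splitlines():
        m = PUSH_ROUTE_RE.match(line)
        if m:
            # ip_network accepts a dotted netmask after the slash.
            routes.add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return routes


def missing_routes(conf_text, site_networks):
    """Site networks that no pushed route covers, as sorted CIDR strings."""
    pushed = pushed_routes(conf_text)
    wanted = (ipaddress.ip_network(n) for n in site_networks)
    missing = [n for n in wanted if not any(n.subnet_of(p) for p in pushed)]
    return sorted(str(n) for n in missing)


def push_route_lines(networks):
    """Render push "route" directives (dotted-netmask form) for the given networks."""
    return [
        f'push "route {n.network_address} {n.netmask}"'
        for n in (ipaddress.ip_network(x) for x in networks)
    ]


if __name__ == "__main__":
    gap = missing_routes(SERVER_CONF_BEFORE, SITE_NETWORKS)
    print("networks clients cannot reach:", gap)
    print("directives to add:")
    for line in push_route_lines(gap):
        print("  " + line)
```

Run it against the server config OPNsense generates after a change to "Local Networks": an empty list from `missing_routes` means every site network is pushed, which is the state the post ends up in. A network still listed there will be unreachable from clients regardless of how many firewall or NAT rules are added, because the client simply has no route for it.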