OpenVPN remote networks not pushed to main routing table

Started by nothing, October 15, 2020, 10:07:55 PM

Quote from: mimugmail on October 16, 2020, 07:03:29 PM
Sorry, but incomplete screenshots are useless, really, it's always a small detail.
Here are the main/crypto too. So that all configuration options are available.

err


I don't use "Use topology" in my site2site config.

And I think you should add the remote networks in the main server as two separate entries

What does your routing table look like when the clients are connected?
,,The S in IoT stands for Security!" :)

- Mode Peer 2 Peer is for single Site 2 Site
- Single S2S needs local and remote
- Remote Access allows multiple S2S but separation via CSC
- Don't use Tunnel network inside local or remote

That's the OS routing table:
# netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            78.130.196.1       UGS    em0_vlan
-.-.-.0/24    link#6             U      em0_vlan
-.-.-.15      link#6             UHS         lo0
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#1             U           em0
192.168.1.1        link#1             UHS         lo0
192.168.255.0/24    172.16.255.2       UGS      ovpns1
192.168.255.1       link#8             UHS         lo0
192.168.255.2       link#8             UH       ovpns1

Third from the bottom is suspicious. It should not exist at all since that's the openvpn pool subnet.

If I add both 10/24 and 20/24 subnets (separated by comma) to the main openvpn configuration they both get routed to the first client to connect, no matter what client specific network I have for each client/site.

Quote from: mimugmail on October 16, 2020, 07:47:19 PM
- Mode Peer 2 Peer is for single Site 2 Site
- Single S2S needs local and remote
- Remote Access allows multiple S2S but separation via CSC
- Don't use Tunnel network inside local or remote

Thanks for bringing that up. That was new to me. Perfect hint.

So he just needs either 2 site-2-site OpenVPN servers or one with remote-access with CSO/CSC for site-2-site. Right?
,,The S in IoT stands for Security!" :)

I give up and started from beginning. One OpenVPN instance for remote access, second instance for site to site.

Do I have to see files in /var/etc/openvpn-csc for each client? I have client specific configurations in the GUI, but I see no config files produced on the file system.

I think it fails at ovpn_setup_cso.php:
if (!empty($all_cso[$vpnid][$common_name])) {
$common_name is empty.




Quote from: nothing on October 17, 2020, 08:00:31 AM
I give up and started from beginning. One OpenVPN instance for remote access, second instance for site to site.

Do I have to see files in /var/etc/openvpn-csc for each client? I have client specific configurations in the GUI, but I see no config files produced on the file system.

Unfortunately you seem to have missed:
Quote from: mimugmail on October 16, 2020, 07:47:19 PM
- Mode Peer 2 Peer is for single Site 2 Site
- Single S2S needs local and remote
- Remote Access allows multiple S2S but separation via CSC
- Don't use Tunnel network inside local or remote

Because you created again a Peer-to-Peer server. CSC/CSO is not needed here because it is for a single connection.

CSO/CSC is only for Remote-Access as far as I understood mimugmail.

So either you create two separate Peer-to-Peer OpenVPN servers (on different ports for example) or you try setting up a remote access server with CSO for two site-to-site connections.
,,The S in IoT stands for Security!" :)
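Added example, not from this thread and not OPNsense code: a small Python checker that applies mimugmail's rules for the remote-access-with-CSC layout ("separation via CSC", "Don't use Tunnel network inside local or remote") to a plain OpenVPN server config plus the per-client ccd files. It also flags the symptom described above, where both remote LANs are listed in the main config and end up routed to whichever client connects first: that is what happens when a `route` has no matching `iroute` in any client's ccd file. The `server`, `route` and `iroute` directives are stock OpenVPN; the subnets, common names and the ccd path under /var/etc/openvpn-csc are constructed sample data.

```python
"""Consistency check for an OpenVPN remote-access server carrying several
site-to-site peers via client-specific configs (ccd / CSO).

Added example; not from the forum thread or from OPNsense. Uses the stock
OpenVPN directives: `server` (tunnel network), `route` (kernel route added on
the server) and per-client `iroute` (tells OpenVPN which connected client
owns a remote LAN). All sample networks and names are constructed.
"""
import ipaddress


def parse_directives(text):
    """Return [(directive, [args])] from OpenVPN config text, ignoring
    blank lines and '#' / ';' comments."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out


def _net(addr, mask):
    # ip_network accepts dotted netmasks, e.g. "192.168.10.0/255.255.255.0"
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_s2s_config(server_conf, ccd):
    """server_conf: server config text; ccd: {common_name: ccd file text}.
    Returns a list of problem strings; an empty list means consistent."""
    problems = []
    tunnel = None
    routes = []
    for d, a in parse_directives(server_conf):
        if d == "server" and len(a) >= 2:
            tunnel = _net(a[0], a[1])
        elif d == "route" and len(a) >= 2:
            routes.append(_net(a[0], a[1]))
    if tunnel is None:
        problems.append("no 'server' directive: tunnel network unknown")

    # Which clients claim which remote LAN via iroute.
    owners = {}
    for cn, text in ccd.items():
        for d, a in parse_directives(text):
            if d == "iroute" and len(a) >= 2:
                n = _net(a[0], a[1])
                owners.setdefault(n, []).append(cn)
                if tunnel and n.overlaps(tunnel):
                    problems.append(f"{cn}: iroute {n} overlaps tunnel network {tunnel}")

    for r in routes:
        if tunnel and r.overlaps(tunnel):
            problems.append(f"route {r} overlaps tunnel network {tunnel}")
        cns = owners.get(r, [])
        if not cns:
            problems.append(f"route {r} has no iroute in any ccd file: "
                            "traffic follows whichever client connected first")
        elif len(cns) > 1:
            problems.append(f"route {r} claimed by several clients: {', '.join(sorted(cns))}")
    for n, cns in owners.items():
        if n not in routes:
            problems.append(f"iroute {n} ({', '.join(cns)}) has no matching 'route' on the server")
    return problems


# Constructed sample: one remote-access server, two site-to-site peers.
SERVER_CONF = """
mode server
tls-server
dev tun
topology subnet
server 172.16.255.0 255.255.255.0     # tunnel network (constructed)
route 192.168.10.0 255.255.255.0      # site A LAN (constructed)
route 192.168.20.0 255.255.255.0      # site B LAN (constructed)
client-config-dir /var/etc/openvpn-csc
"""

# GUI entries exist but produce no iroute lines: both LANs go to the first client.
CCD_BROKEN = {"siteA": "", "siteB": ""}

# Each peer owns exactly one remote LAN.
CCD_FIXED = {
    "siteA": "iroute 192.168.10.0 255.255.255.0\n",
    "siteB": "iroute 192.168.20.0 255.255.255.0\n",
}

if __name__ == "__main__":
    for label, ccd in (("broken", CCD_BROKEN), ("fixed", CCD_FIXED)):
        print(label, check_s2s_config(SERVER_CONF, ccd) or "OK")
```

Run it as-is to see the broken layout report two routes without an owner and the fixed layout pass; point `ccd` at the real contents of the csc directory to check a live box.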



Quote from: mimugmail on October 16, 2020, 07:47:19 PM
- Don't use Tunnel network inside local or remote

If I understand this correctly site to multisite is not possible since the sites will have routing only to center gateway, but not to other sites?!