2nd OpenVPN client-to-site server makes 1st OpenVPN site-to-site stop routing

Started by matthewdu92, August 07, 2021, 09:32:22 PM

Hi there

I have an issue building a second client-to-site VPN on an OPNsense where a site-to-site VPN server already exists.

In the map attached you can see the actual infrastructure.

Site-to-site works like a charm and I can reach the "WIN2" machine from the "WIN1" machine (ping and RDP).

If I create a second VPN server for users to connect to, on a different access port 1195, and I just enable it (no need to bring up any tunnel):
- I can bring up the connection from the public side to RT1
- the 1st S2S VPN connection does not drop


But the issue is that I can no longer reach the 192.168.60.0 network from the WIN1 machine (no ping, no RDP).
With the 2nd VPN server connection, I can reach only WIN1 and RT1, but not 192.168.60.0.

As soon as I disable it again (with the play button), everything works as before.

Any idea about this? I can give you more info if needed.

Hi,

The IPv4 Tunnel Network should be 192.168.1.0/30... then you have at most two hosts in the network (192.168.1.1 and 192.168.1.2). Then you can push routes for both sides.

Datacenter (192.168.0.0/24) example:

dev ovpns5
verb 3
dev-type tun
dev-node /dev/tun5
writepid /var/run/openvpn_server5.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA256
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
local 192.168.181.20
tls-server
ifconfig 192.168.1.1 192.168.1.2
tls-verify "deleted"
lport 1198
management /var/etc/openvpn/server5.sock unix
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"


Client side:
push "route 192.168.0.0 255.255.255.0"

And on the client side the way back. Also keep in mind to create firewall rules.

For the second tunnel you can use the next /30 netmask: 192.168.1.4/30 (192.168.1.5 - 192.168.1.6)...
If you choose /24, as in your example, it doesn't work because the client gets a dynamic address...

Br Andreas
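The reply above recommends a /30 tunnel network per site-to-site server, pushed routes for the LANs on both sides, and the next free /30 for a second tunnel. The following Python script, an added example that is not part of this thread or of OPNsense, makes that planning checkable: it carves the next unused /30 out of an assumed 192.168.1.0/24 tunnel pool, derives the two point-to-point endpoints in the form the ifconfig line above uses, renders push "route ..." lines for a list of LANs, and flags overlaps between tunnel networks and LANs (for example a second server configured with a /24 tunnel that swallows the first /30). All addresses are constructed to mirror the thread; the pool size and the LAN lists are assumptions.

```python
import ipaddress
from typing import List, Tuple

# Constructed to mirror the thread: first tunnel 192.168.1.0/30, datacenter
# LANs 192.168.2.0/24 and 192.168.3.0/24, remote LAN 192.168.0.0/24.
# The /24 pool from which /30 tunnels are carved is an assumption.
TUNNEL_POOL = "192.168.1.0/24"
FIRST_TUNNEL = "192.168.1.0/30"
DATACENTER_LANS = ["192.168.2.0/24", "192.168.3.0/24"]
REMOTE_LANS = ["192.168.0.0/24"]


def next_p2p_tunnel(pool: str, existing: List[str], prefix: int = 30) -> ipaddress.IPv4Network:
    """Return the first /prefix inside `pool` that overlaps no existing tunnel network."""
    pool_net = ipaddress.ip_network(pool, strict=True)
    used = [ipaddress.ip_network(n, strict=True) for n in existing]
    for candidate in pool_net.subnets(new_prefix=prefix):
        if not any(candidate.overlaps(u) for u in used):
            return candidate
    raise ValueError(f"no free /{prefix} left in {pool}")


def p2p_endpoints(tunnel: ipaddress.IPv4Network) -> Tuple[str, str]:
    """Server and client address of a /30 point-to-point tunnel (.1 and .2 of the block)."""
    if tunnel.prefixlen != 30:
        raise ValueError("a point-to-point tunnel network must be a /30")
    server, client = tunnel.hosts()  # hosts() skips the network and broadcast addresses
    return str(server), str(client)


def ifconfig_line(tunnel: ipaddress.IPv4Network) -> str:
    """The 'ifconfig <server> <client>' line OpenVPN uses for a /30 tunnel."""
    server, client = p2p_endpoints(tunnel)
    return f"ifconfig {server} {client}"


def push_route_lines(lans: List[str]) -> List[str]:
    """Render one push "route ..." line per LAN, with a dotted netmask as in the config above."""
    lines = []
    for lan in lans:
        net = ipaddress.ip_network(lan, strict=True)
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return lines


def find_conflicts(tunnels: List[str], lans: List[str]) -> List[str]:
    """Report tunnel networks that overlap each other or any LAN; an empty list means clean."""
    tunnel_nets = [ipaddress.ip_network(t, strict=True) for t in tunnels]
    lan_nets = [ipaddress.ip_network(l, strict=True) for l in lans]
    problems = []
    for i, a in enumerate(tunnel_nets):
        for b in tunnel_nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"tunnel {a} overlaps tunnel {b}")
        for lan in lan_nets:
            if a.overlaps(lan):
                problems.append(f"tunnel {a} overlaps LAN {lan}")
    return problems


if __name__ == "__main__":
    second = next_p2p_tunnel(TUNNEL_POOL, [FIRST_TUNNEL])
    print("second tunnel:", second, "->", ifconfig_line(second))
    print("\n".join(push_route_lines(DATACENTER_LANS)))
    # A /24 tunnel on the second server overlaps the existing /30: flagged.
    print(find_conflicts([FIRST_TUNNEL, "192.168.1.0/24"], DATACENTER_LANS + REMOTE_LANS))
    # Two disjoint /30 tunnels and the three LANs: no conflicts.
    print(find_conflicts([FIRST_TUNNEL, str(second)], DATACENTER_LANS + REMOTE_LANS))
```

Run it as-is to see the next /30 (192.168.1.4/30, endpoints 192.168.1.5 and 192.168.1.6) and the conflict report; feed it your own tunnel and LAN lists before adding a server so an overlapping tunnel network is caught before it reaches the firewall.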