Including another NIC on the client side (dev tun)

JPelletier
OpenVpn Newbie
Posts: 2
Joined: Wed Sep 21, 2022 2:06 pm

Including another NIC on the client side (dev tun)

Post by JPelletier » Wed Sep 21, 2022 2:33 pm

Hi,

I'm a software programmer and not familiar with advanced network routing. I tried to follow community resources but still can't get my setup to work. Here is my setup:

Office Network
PFSense
Open VPN Server configured:
  • Server mode: Remote Access (SSL/TLS)
  • Device mode: tun
  • Tunnel network: 172.21.20.0/24
  • Custom options:

    route 192.168.222.0 255.255.255.0;
    push "route 192.168.222.0 255.255.255.0";
    client-to-client;
  • Client Specific Overrides (for Client A):

    iroute 192.168.222.0 255.255.255.0;
Client Network
Client A
Ubuntu server with 2 NICs (one physical, one USB).
  • enp3s0 (physical): Static IP 192.168.222.2, connected directly to a Siemens PLC (also static IP, no router here)
  • enx* (USB dongle): 192.168.1.60, configured via DHCP on the local network with internet.
  • tun0 (openvpn ip): 172.21.20.2
Siemens PLC
  • Static IP: 192.168.222.223, connected directly to the physical Ethernet port enp3s0 of the client above (no router, all static IPs)
Other clients Network
Client B
Any computer connected to the VPN, in my case a technician with a laptop
  • VPN IP: 172.21.20.2
From Client B, I'm able to ping 192.168.222.2 (Client A static IP) but can't ping 192.168.222.223. Here are the tcpdump logs from Client A:

10:30:06.117494 ip: 172.21.20.2 > 192.168.222.223: ICMP echo request, id 1, seq 4802, length 40
10:30:09.193062 ip: 172.21.20.3 > 172.21.20.2: ICMP host 192.168.222.223 unreachable, length 68
I tried changing my routes from 192.168.222.0 to 192.168.1.0 in the OpenVPN configuration for testing, and I'm able to ping all computers on Client A's 192.168.1.0/24 network. What am I missing here? iptables rules on Client A to forward traffic to the other NIC? I tried many things but don't really know what I'm doing here :)

ordex
OpenVPN Inc.
Posts: 331
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Including another NIC on the client side (dev tun)

Post by ordex » Wed Sep 21, 2022 6:55 pm

Hi! This is basically a routing problem, not directly related to OpenVPN.
[I think there is a typ0 because you wrote that both client A and B have the same VPN IP (172.21.20.2). I presume one of those has .3]

This said, you have two networks (172.21.20.0/24 and 192.168.222.0/24) with a host between them. This host must act as a router.
This means:
1) ip forwarding should be enabled;
2) packet forwarding should not be blocked by the firewall;
3) both networks must use this host as nexthop towards each other.

From the ICMP message you are getting I am presuming it is 1) or 2).
As first step you should check the output of `sysctl net.ipv4.ip_forward` and also check the firewall.
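The three requirements above, written out as an added example for Client A (this is not code from the thread, nor pfSense's or OpenVPN's own tooling). The interface names and subnets are the ones JPelletier posted (tun0 / 172.21.20.0/24 on the VPN side, enp3s0 / 192.168.222.0/24 on the PLC side); the firewall policy, the MASQUERADE choice for the PLC return path and the check/rules/apply modes are assumptions. Point 3) matters on the PLC side in particular: the pfSense route/iroute already sends 192.168.222.0/24 to Client A, but the PLC has a static IP and no gateway, so its replies to 172.21.20.x have nowhere to go unless the PLC's gateway is set to 192.168.222.2 or Client A source-NATs the VPN traffic.

```shell
#!/bin/sh
# Added example (not from the thread). Makes Client A, the Ubuntu box from the
# post, the router between the VPN subnet and the PLC subnet.
# Interface names and subnets are from the post; everything else is assumed.
VPN_IF=tun0
PLC_IF=enp3s0
VPN_NET=172.21.20.0/24
PLC_NET=192.168.222.0/24
# Overridable so the check can be pointed at a copy of the file (e.g. in tests).
PROC_IP_FORWARD=${PROC_IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}

# 1) IP forwarding: succeeds only when the kernel knob reads "1".
ip_forward_enabled() {
    [ "$(cat "$PROC_IP_FORWARD" 2>/dev/null)" = "1" ]
}

# 2) Firewall: FORWARD chain rules, printed rather than executed so they can
#    be reviewed first. Default-deny, then: VPN clients may open connections
#    towards the PLC subnet; the PLC side only gets replies back, so a
#    compromised PLC cannot initiate connections into the VPN.
forward_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $VPN_IF -o $PLC_IF -s $VPN_NET -d $PLC_NET -j ACCEPT
iptables -A FORWARD -i $PLC_IF -o $VPN_IF -s $PLC_NET -d $VPN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# 3) Next hop for the return path. The PLC has no gateway, so VPN traffic is
#    source-NATed to Client A's enp3s0 address; the PLC then answers a host it
#    already has a direct route to. Alternative that needs no NAT: set the
#    PLC's default gateway to 192.168.222.2.
snat_rule() {
    echo "iptables -t nat -A POSTROUTING -o $PLC_IF -s $VPN_NET -j MASQUERADE"
}

case "${1:-}" in
    check)
        if ip_forward_enabled; then
            echo "net.ipv4.ip_forward=1 (ok)"
        else
            echo "net.ipv4.ip_forward=0: forwarding is off"
        fi ;;
    rules)
        forward_rules
        snat_rule ;;
    apply)  # needs root
        sysctl -w net.ipv4.ip_forward=1
        { forward_rules; snat_rule; } | sh -e ;;
    *)
        echo "usage: $0 check|rules|apply" ;;
esac
```

Run `sh router.sh check` first, read the output of `rules`, then `apply` as root. The sysctl and the rules do not survive a reboot: persist the former in /etc/sysctl.d and the latter with your distribution's iptables persistence tooling. If only the PLC needs to be reachable, narrow `-d $PLC_NET` in the first ACCEPT rule to the PLC's address and the protocol actually used (for S7 communication that is TCP port 102), so the tunnel does not expose the whole 192.168.222.0/24 segment.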

Pippin
Forum Team
Posts: 1091
Joined: Wed Jul 01, 2015 8:03 am
Location: /dev/null

Re: Including another NIC on the client side (dev tun)

Post by Pippin » Wed Sep 21, 2022 6:56 pm

Hi,

You are using pfSense, so you will probably have more success on the Netgate forums, also because it uses a WebGUI:
https://forum.netgate.com/category/34/openvpn
Docs:
https://docs.netgate.com/pfsense/en/lat ... index.html
The custom options are not necessary; the GUI has fields/tick boxes that do the "magic".
That is the case for the Server and for the Client Export.

JPelletier
OpenVpn Newbie
Posts: 2
Joined: Wed Sep 21, 2022 2:06 pm

Re: Including another NIC on the client side (dev tun)

Post by JPelletier » Wed Sep 21, 2022 8:20 pm

Ok thanks guys, I'm running an old version of PFSense and some options are missing. I will upgrade to the latest version and ask on the Netgate forum if I still have issues.
