Including another NIC on the client side (dev tun)

Posted: Wed Sep 21, 2022 2:33 pm
by JPelletier
Hi,

I'm a software programmer and not familiar with advanced network routing. I tried to follow community resources but still can't get my setup to work. Here is my setup:

Office Network
PFSense
OpenVPN Server configured:
  • Server mode: Remote Access (SSL/TLS)
  • Device mode: tun
  • Tunnel network: 172.21.20.0/24
  • Custom options:

    route 192.168.222.0 255.255.255.0;
    push "route 192.168.222.0 255.255.255.0";
    client-to-client;
  • Client Specific Overrides (for Client A):

    iroute 192.168.222.0 255.255.255.0;
Client Network
Client A
Ubuntu server with 2 NICs (one physical, one usb).
  • enp3s0 (physical): Static IP 192.168.222.2, connected directly to a Siemens PLC (also static IP, no router here)
  • enx* (usb dongle): 192.168.1.60, configured DHCP on local network with internet.
  • tun0 (openvpn ip): 172.21.20.2
Siemens PLC
  • Static IP: 192.168.222.223, connected directly to the physical Ethernet port enp3s0 of the client above (no router, all static IPs)
Other clients Network
Client B
Any computer connected to VPN, in my case a Technician with a laptop
  • VPN IP: 172.21.20.2
From Client B, I'm able to ping 192.168.222.2 (Client A static IP) but can't ping 192.168.222.223. Here are the tcpdump logs from Client A:

10:30:06.117494 ip: 172.21.20.2 > 192.168.222.223: ICMP echo request, id 1, seq 4802, length 40
10:30:09.193062 ip: 172.21.20.3 > 172.21.20.2: ICMP host 192.168.222.223 unreachable, length 68
I tried to change my routes from 192.168.222.0 to 192.168.1.0 in the OpenVPN configuration for testing, and I'm able to ping all computers on Client A's 192.168.1.0/24 network. What am I missing here? iptables rules on Client A to forward traffic to the other NIC? I tried many things but don't really know what I'm doing here :)

Re: Including another NIC on the client side (dev tun)

Posted: Wed Sep 21, 2022 6:55 pm
by ordex
Hi! This is basically a routing problem, not directly related to OpenVPN.
[I think there is a typo because you wrote that both client A and B have the same VPN IP (172.21.20.2). I presume one of those has .3]

This said, you have two networks (172.21.20.0/24 and 192.168.222.0/24) with a host between them. This host must act as a router.
This means:
* ip forwarding should be enabled;
* packet forwarding should not be blocked by the firewall;
* both networks must use this host as nexthop towards each other.

From the ICMP message you are getting I am presuming it is 1) or 2).
As a first step you should check the output of `sysctl net.ipv4.ip_forward` and also check the firewall.
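An added example, not code from any post in this thread: shell functions that test the three router conditions listed above against captured command output, so they run offline, plus `live_check` to run the first two on Client A itself. The interface names (tun0, enp3s0, enx0), the gateway 172.21.20.1 and all sample outputs are constructed assumptions; the PLC's own gateway setting (the other half of condition 3) cannot be read from the Linux host and is left out.

```shell
#!/bin/sh
# Added example, not code from the thread. Each check takes captured command output
# as text so it runs offline; interface names and sample outputs are assumptions.

# 1) Kernel forwarding: pass the output of `sysctl net.ipv4.ip_forward`.
check_ip_forward() {
  [ "$1" = "net.ipv4.ip_forward = 1" ]
}

# 2) Firewall: pass the output of `iptables -S FORWARD` and the in/out interfaces.
#    Passes on an ACCEPT chain policy or an explicit ACCEPT rule for that pair.
check_forward_chain() {
  rules="$1" in_if="$2" out_if="$3"
  printf '%s\n' "$rules" | grep -q '^-P FORWARD ACCEPT$' && return 0
  printf '%s\n' "$rules" | grep -q "^-A FORWARD -i $in_if -o $out_if .*-j ACCEPT$"
}

# 3) Next hop: pass the output of `ip route` on a host on one side, the far
#    network, and the gateway that host must use to reach it.
check_route_via() {
  printf '%s\n' "$1" | grep -q "^$2 via $3 "
}

# Run checks 1 and 2 on this machine, in both directions between the VPN
# interface and the NIC facing the PLC (names assumed: tun0, enp3s0).
live_check() {
  check_ip_forward "$(sysctl net.ipv4.ip_forward)" || echo "ip forwarding is off"
  fwd=$(iptables -S FORWARD)
  check_forward_chain "$fwd" tun0 enp3s0 || echo "FORWARD blocks tun0 -> enp3s0"
  check_forward_chain "$fwd" enp3s0 tun0 || echo "FORWARD blocks enp3s0 -> tun0"
}

# Constructed sample outputs: forwarding is on, the FORWARD policy is DROP with
# an exception only for the LAN dongle, and Client B routes the PLC network
# through the VPN server (gateway 172.21.20.1 is an assumption).
SAMPLE_SYSCTL="net.ipv4.ip_forward = 1"
SAMPLE_FORWARD="-P FORWARD DROP
-A FORWARD -i enp3s0 -o enx0 -j ACCEPT"
SAMPLE_ROUTES_B="default via 192.168.1.1 dev wlan0
172.21.20.0/24 dev tun0 proto kernel scope link src 172.21.20.3
192.168.222.0/24 via 172.21.20.1 dev tun0"

# Offline demo: condition 2 fails for the VPN -> PLC direction on the sample.
check_ip_forward "$SAMPLE_SYSCTL" || echo "sample: ip forwarding is off"
check_forward_chain "$SAMPLE_FORWARD" tun0 enp3s0 || echo "sample: FORWARD blocks tun0 -> enp3s0"
check_route_via "$SAMPLE_ROUTES_B" 192.168.222.0/24 172.21.20.1 || echo "sample: Client B lacks route"
```

Replies from the PLC need the reverse direction (enp3s0 -> tun0) accepted as well, which is why `live_check` tests both.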

Re: Including another NIC on the client side (dev tun)

Posted: Wed Sep 21, 2022 6:56 pm
by Pippin
Hi,

You are using pfSense, so you will probably have more success on the Netgate forums, also because it uses a WebGUI:
https://forum.netgate.com/category/34/openvpn
Docs:
https://docs.netgate.com/pfsense/en/lat ... index.html
The custom options are not necessary, the GUI has fields/tick boxes that do the "magic".
That is the case for the Server and for the Client export.

Re: Including another NIC on the client side (dev tun)

Posted: Wed Sep 21, 2022 8:20 pm
by JPelletier
Ok thanks guys, I'm running an old version of pfSense and some options are missing. Will upgrade to the latest version and will ask on the Netgate forum if I still have issues.