
Peer to Peer communication between clients

Posted: Mon Oct 10, 2011 4:43 pm
by digiwolff
Hello guys, this is my first post.

I am currently using a FreeBSD router/firewall/OpenVPN server/client called pfSense to establish a VPN between a server and two clients. pfSense only supports peer-to-peer client communications, so I am set up using peer-to-peer where device 1 is a server out on the internet, and devices 2 and 3 are clients elsewhere. They are successfully connected and can communicate with the server. My goal is to find a way to route traffic from device 2 to device 3 and vice versa. I am hoping someone has a little experience in a similar situation and can help. I will gladly provide any additional information; go easy on me if I forgot anything important =[


I am testing this all on a LAN right now.

Server:
WAN: 192.168.1.147
LAN: 192.168.10.1/24

Client1:
WAN: 192.168.1.141
LAN: 192.168.20.1/24

Client2:
WAN 192.168.1.144
LAN: 192.168.30.1/24

Devices in the LAN of Client1 and Client2 can ping devices in the Server LAN; however, the server cannot ping back. I don't need it to. I need devices in the LAN of Client1 to be able to talk to the devices in the LAN of Client2. The Server is configured for Peer-to-Peer w/ Shared Key. It looks like I need something along the lines of a push, route and iroute, but I am not very technical, so if someone could explain how to use these accordingly it would be a great help.

Thanks guys
digiwolff


Configs:

Server:
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.1.147
ifconfig 192.168.102.1 192.168.102.2
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 1
push "route 192.168.30.1 255.255.255.0"
route 192.168.20.1 255.255.255.0
secret /var/etc/openvpn/server1.secret
comp-lzo
log /var/log/opvn1.log
log-append /var/log/opvn1.log
verb 7

Client 1:
dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.1.141
lport 0
management /var/etc/openvpn/client1.sock unix
remote 192.168.1.147 1194
ifconfig 192.168.102.2 192.168.102.1
route 192.168.10.1 255.255.255.0
secret /var/etc/openvpn/client1.secret
comp-lzo

Client 2 is almost identical.

Re: Peer to Peer communication between clients

Posted: Mon Oct 10, 2011 10:27 pm
by janjust
In peer-to-peer mode using static keys, only a single client can connect to the server at a time. How did you get two clients to connect at the same time?

Re: Peer to Peer communication between clients

Posted: Mon Oct 10, 2011 10:36 pm
by digiwolff
janjust wrote: In peer-to-peer mode using static keys, only a single client can connect to the server at a time. How did you get two clients to connect at the same time?

I actually configured two separate servers on the same hardware; one is on port 1194 and one is on port 1195.

Re: Peer to Peer communication between clients

Posted: Mon Oct 10, 2011 10:41 pm
by janjust
Aha... using 'push' statements in peer-to-peer server config files does not do much, by the way.

If each client can ping the server, then it's just a matter of setting up the right routing: make sure IP forwarding is turned on on the server and set up the right routes and iptables rules.

Re: Peer to Peer communication between clients

Posted: Mon Oct 10, 2011 10:47 pm
by digiwolff
janjust wrote: Aha... using 'push' statements in peer-to-peer server config files does not do much, by the way.

If each client can ping the server, then it's just a matter of setting up the right routing: make sure IP forwarding is turned on on the server and set up the right routes and iptables rules.

That is what I need a little guidance with then =]

Re: Peer to Peer communication between clients

Posted: Mon Oct 10, 2011 11:06 pm
by janjust
Errrr, don't know how to do all of that on *BSD...

On client1 (subnet .20/24) I'd set up routes by adding

route 192.168.10.0 255.255.255.0
route 192.168.30.0 255.255.255.0

to the config file; similarly for client2.

The thing I **don't** know how to do is how to set up IP forwarding and/or pf/iptables rules on FreeBSD; try googling using 'ip forwarding freebsd'.

Re: Peer to Peer communication between clients

Posted: Mon Oct 10, 2011 11:14 pm
by digiwolff
Great, I'll give this a try. Can you break down exactly what the route command does? I mean, I understand the syntax, but what exactly am I telling it to do?

Re: Peer to Peer communication between clients

Posted: Mon Oct 10, 2011 11:16 pm
by janjust
This is OpenVPN config file syntax, and it tells OpenVPN to tell the operating system to route all traffic intended for 192.168.10.0 with a netmask of 255.255.255.0 via the VPN tunnel. See the OpenVPN manual page for more details on the exact semantics of the 'route' option.

Re: Peer to Peer communication between clients

Posted: Thu Oct 13, 2011 3:50 pm
by digiwolff
Okay, so I understand that totally. Once traffic is routed to the server, though, how can I route it to the other client? The server cannot ping devices on the client network; only the clients can ping the server. Is that normal?

Re: Peer to Peer communication between clients

Posted: Thu Oct 13, 2011 4:20 pm
by janjust
The server can ping the VPN IP of the client, not further; that is normal/by design. If you wish to change that, read up on
http://openvpn.net/index.php/open-sourc ... html#scope
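The routing janjust lays out across the last few replies (each client gets a 'route' line for every remote LAN; the server needs matching routes down the tunnel that terminates on each client, plus IP forwarding and firewall rules, because by itself it only reaches the peer's tunnel address) can be checked mechanically. The script below is an added example, not code from the original posts or from pfSense. It uses the addresses and interface names given in the thread; the second server instance on port 1195 and its tunnel pair 192.168.103.1/.2 are assumptions, since the thread only says client 2 is "almost identical". It plans the route directives each OpenVPN instance needs and audits the route-related lines of the posted configs against that plan.

```python
"""Route planner and config check for the two-tunnel peer-to-peer OpenVPN
setup in this thread.  Added example, not code from the original posts or
from pfSense.  Addresses and interface names are the ones given above; the
second server instance (port 1195) and its tunnel pair 192.168.103.1/.2
are assumptions, since the thread only says client 2 is "almost identical"."""
import ipaddress
import re

# Constructed topology: node -> its LAN and its tun interfaces as
# (local tunnel IP, remote tunnel IP, peer node name).
TOPOLOGY = {
    "server": {
        "lan": "192.168.10.0/24",
        "tunnels": {
            "ovpns1": ("192.168.102.1", "192.168.102.2", "client1"),
            "ovpns2": ("192.168.103.1", "192.168.103.2", "client2"),  # assumed
        },
    },
    "client1": {
        "lan": "192.168.20.0/24",
        "tunnels": {"ovpnc1": ("192.168.102.2", "192.168.102.1", "server")},
    },
    "client2": {
        "lan": "192.168.30.0/24",
        "tunnels": {"ovpnc1": ("192.168.103.2", "192.168.103.1", "server")},  # assumed
    },
}

ROUTE_RE = re.compile(r"^\s*route\s+(\S+)\s+(\S+)")


def parse_route_directive(line):
    """Parse 'route <network> <netmask>'.  Returns (IPv4Network, warning).
    The directive expects a network address; a host address with a /24 mask,
    as in the posted 'route 192.168.20.1 255.255.255.0', is normalised to
    the network here but flagged, because it usually signals a typo."""
    m = ROUTE_RE.match(line)
    if not m:
        raise ValueError(f"not a route directive: {line!r}")
    addr, mask = m.groups()
    net = ipaddress.IPv4Network((addr, mask), strict=False)
    warning = None
    if ipaddress.IPv4Address(addr) != net.network_address:
        warning = f"host bits set in '{addr} {mask}': use {net.network_address} {mask}"
    return net, warning


def plan_routes(topology):
    """Return {node: {tun_if: [IPv4Network, ...]}}: the 'route' directives each
    OpenVPN instance needs so every LAN reaches every other LAN via the server.
    A client sends every remote LAN through its single tunnel; the server
    sends a LAN only down the tunnel whose peer owns it."""
    lan_owner = {ipaddress.IPv4Network(n["lan"]): name for name, n in topology.items()}
    plan = {}
    for name, node in topology.items():
        plan[name] = {}
        for tun, (_local, _remote, peer) in node["tunnels"].items():
            routes = []
            for lan in sorted(lan_owner):
                owner = lan_owner[lan]
                if owner == name:
                    continue  # directly connected LAN, no route needed
                if peer == "server" or owner == peer:
                    routes.append(lan)
            plan[name][tun] = routes
    return plan


def route_directives(plan, node, tun):
    """Render the planned routes as OpenVPN config lines for one instance."""
    return [f"route {n.network_address} {n.netmask}" for n in plan[node][tun]]


def audit_config(config_text, plan, node, tun):
    """Compare one instance's route lines against the plan.  'push' is reported
    because a static-key peer-to-peer instance has no TLS control channel, so
    there is no push/pull exchange and the line has no effect."""
    wanted = set(plan[node][tun])
    have, findings = set(), []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("push "):
            findings.append(f"no effect in static-key p2p mode: {line}")
        elif line.startswith("route "):
            net, warning = parse_route_directive(line)
            if warning:
                findings.append(warning)
            have.add(net)
    for net in sorted(wanted - have):
        findings.append(f"missing: route {net.network_address} {net.netmask}")
    return findings


# Route-related lines from the configs posted above (constructed excerpts).
POSTED_SERVER1 = 'push "route 192.168.30.1 255.255.255.0"\nroute 192.168.20.1 255.255.255.0\n'
POSTED_CLIENT1 = "route 192.168.10.1 255.255.255.0\n"

if __name__ == "__main__":
    plan = plan_routes(TOPOLOGY)
    for node in TOPOLOGY:
        for tun in TOPOLOGY[node]["tunnels"]:
            print(f"# {node} / {tun}")
            print("\n".join(route_directives(plan, node, tun)))
    print("# server instance 1:", audit_config(POSTED_SERVER1, plan, "server", "ovpns1"))
    print("# client 1:", audit_config(POSTED_CLIENT1, plan, "client1", "ovpnc1"))
```

Running it against the posted excerpts flags the host bits in both 'route' lines and the ineffective 'push' on the server, and reports client 1 as missing the 'route 192.168.30.0 255.255.255.0' line janjust suggested. The script only plans OpenVPN routes; on the FreeBSD side the server still needs net.inet.ip.forwarding=1 (a pfSense box routes between its interfaces already, so this is usually on) and pf rules that let traffic pass between the two tun interfaces, which pfSense exposes on its OpenVPN firewall-rules tab.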

Re: Peer to Peer communication between clients

Posted: Fri Oct 14, 2011 3:23 pm
by digiwolff
Yes, I have been able to ping the VPN IP of the clients. Using this push on both clients, will devices on the client1 network be able to talk to devices on the client2 network? I need all devices on client1 to be able to communicate with all devices on client2; that's why it concerns me that the server can't communicate past the virtual NIC.