In my own setup I have three subnets:
192.168.1.1
192.168.3.1
192.168.178.1
Also, this is the server
My parents house has only one:
192.168.125.1
This is the client
At first the site-to-site VPN worked great. I could access my parents' house from all of my subnets. But yesterday I was logged in from a PC in 192.168.3.x, using the NAS at my parents' house. Suddenly the connection was lost. I thought of an error, but the connection was still running according to pfSense.
I tested a computer in the 192.168.1.x range. The PCs in that range still work, but I can't access from 192.168.3.x and 192.168.178.x. I didn't change any rules. Does anyone know how this is possible?
Update: If I run traceroute from a PC in 192.168.1.x, I get to the destination in three hops. If I run a traceroute in another subnet, it is stuck at the firewall…
It's odd that it worked and then stopped. Usually, this kind of thing is all-or-nothing. Perhaps there was an old firewall state hanging around. In which case, I'd suggest adding firewall logging rules at the bottom of the OpenVPN firewall page to catch any packets falling through (or do you have OpenVPN set to accept all?).
Otherwise, routing may be the problem - double check the configs for both the client and server to make sure that the 192.168.3.x subnet is identified as a network that will be routed by the vpn.
You're using the same address ranges but different subnets; perhaps that might work, it sounds like it ought to. Though it might be better to use different ranges at each site; I use different ranges myself.
If the second site is far away, I would setup an OpenVPN server and client at each site, so that you could still have a means of accessing the site if the site to site connection fails.
@ipv4please, you need to check on both the client setup and the server setup that all subnets are listed in the appropriate places: in your case, the server-side local network config should have all subnets (192.168.1.0/24, 192.168.3.0/24, …) specified in the 'local' option. You also need to specify these in the 'remote' option on the client. Unfortunately, I can't double-check this against my working config at the moment, so some details may be incorrect.
The OpenVPN configuration should make the appropriate updates to the routing if it's configured properly. Check the routing tables on both routers.
Good luck
On your parents' router, you need to have these 3 routes that point to your router:
192.168.1.0/24
192.168.3.0/24
192.168.178.0/24
And on your router, you need to have 1 route that points to their router:
192.168.125.0/24
You are using Class C private networks on both ends, so be sure your firewall is not set to drop IPs in the RFC1918 range, just in case it does.
After that, you need the firewall rules to allow the traffic on those routes on both firewalls and it seems you might be missing some on your firewall.
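The two replies above boil down to a symmetry check: every subnet a site wants to reach must be listed on the far side (the 'local'/'remote' options) and must have a route on the far router pointing back through the tunnel, the ranges at the two sites must not overlap, and no interface-level RFC1918 block may swallow the tunnel traffic. The following script is an added example, not code from anyone in this thread or from pfSense; it models the thread's layout as a constructed sample (the site names, the route lists and the deliberately missing routes on the parents' router are assumptions) and reports exactly the kind of gap that would make 192.168.1.x work while 192.168.3.x and 192.168.178.x stall at the firewall.

```python
import ipaddress

# Constructed sample modelled on the thread: three subnets behind the OpenVPN
# server ("home") and one behind the client ("parents"). The route tables are
# assumptions for the example; the parents' router is given only one of the
# three home subnets on purpose to reproduce the symptom described above.
SITES = {
    "home": {
        "local": ["192.168.1.0/24", "192.168.3.0/24", "192.168.178.0/24"],
        "routes": ["192.168.125.0/24"],  # routes on the home router into the tunnel
    },
    "parents": {
        "local": ["192.168.125.0/24"],
        "routes": ["192.168.1.0/24"],    # 192.168.3.0/24 and 192.168.178.0/24 missing
    },
}

# Second constructed sample: the same range reused at both sites (the overlap
# case warned about in the thread).
OVERLAP_SAMPLE = {
    "home":    {"local": ["192.168.1.0/24"], "routes": ["192.168.1.0/24"]},
    "parents": {"local": ["192.168.1.0/24"], "routes": ["192.168.1.0/24"]},
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def missing_routes(sites):
    """For each site, list remote subnets it has no route for.

    Returns sorted (site, remote_site, subnet) tuples. A subnet counts as routed
    if it is contained in any route the site's router already has.
    """
    problems = []
    for name, site in sites.items():
        have = [ipaddress.ip_network(r) for r in site["routes"]]
        for other, osite in sites.items():
            if other == name:
                continue
            for net in osite["local"]:
                n = ipaddress.ip_network(net)
                if not any(n.subnet_of(h) for h in have):
                    problems.append((name, other, str(n)))
    return sorted(problems)


def overlapping_subnets(sites):
    """Subnets at two different sites that overlap; these cannot both be routed."""
    nets = [(name, ipaddress.ip_network(n))
            for name, s in sites.items() for n in s["local"]]
    overlaps = []
    for i, (a_site, a) in enumerate(nets):
        for b_site, b in nets[i + 1:]:
            if a_site != b_site and a.overlaps(b):
                overlaps.append((str(a), str(b)))
    return overlaps


def dropped_by_rfc1918_block(remote_nets):
    """Remote subnets an interface-level 'block private networks' rule would drop."""
    return [n for n in remote_nets
            if any(ipaddress.ip_network(n).subnet_of(b) for b in RFC1918)]


if __name__ == "__main__":
    for site, remote, net in missing_routes(SITES):
        print(f"{site}: no route for {net} (at {remote})")
    print("overlaps:", overlapping_subnets(OVERLAP_SAMPLE))
    print("would be dropped by an RFC1918 block:",
          dropped_by_rfc1918_block(SITES["home"]["local"]))
```

Run it as-is to see the two missing routes on the parents' router; swap in your own subnet and route lists (for pfSense, the OpenVPN "Local Network(s)" / "Remote Network(s)" fields and the output of the routing table on each box) to check a real deployment. The RFC1918 helper only tells you which tunnel subnets a blanket private-address block would match; whether such a rule exists on the OpenVPN interface still has to be read off the firewall itself.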
@neogrid yeah I see it too now… Now I understand what you were talking about. Now I am wondering what the difference is in use case and why those settings are only visible with SSL/TLS…
Yeah he did, it was a video from 2017. He states that this way is the simpler way instead of generating certs. Now it works like I want it to, but I am wondering if this is secure enough…
I'd say if you set up a RAS for your mobile devices, certs are a must; if you lose a device you can easily revoke a cert without affecting anything else. It's gotta be pretty tough to brute force a cert.
For a site-to-site it's probably OK, though I use certs.