I'm in a bit of a tricky situation, where my organization has 2 OpenVPN servers on the same LAN, one as a virtualized OpenVPN Access Server (Server A: 192.168.1.49), and one at Router Level (Server B: 192.168.1.1). Server A and Server B are both configured in the TUN mode, providing clients with IP addresses on different subnets. Server A receives an IP address directly from the router (aka Server B) running PfSense and is part of the LAN. Each OpenVPN server runs on a different port (obviously).
Issue arises, as the organization wants clients on Server A to communicate with those on Server B and vice versa. However, due to licensing and performance restrictions, those users on either server can not be moved away from where they originally are, and thus can not be consolidated onto a single server. Note that some clients on Server B are mobile devices (namely iOS devices).
The steps I've tried so far, include:
- Allowing traffic between relevant private subnets on both servers
-
Creating 2 Gateways in Pfsense.
Gateway 1 Address: 192.168.1.1 [Server B] Gateway 2 Address: 192.168.1.49 [Server A] -
Create Static Routes in Pfsense.
Route 1: Network= [Client net for Server A], Gateway= 192.168.1.49 Route 2: Network= [Client net for Server B], Gateway= 192.168.1.1 -
Allow access from server-side private subnets on Server A
-
Allowed inter-client communication on both servers
-
On Server A, added the following config:
push "route 172.16.1.0 255.255.255.0 192.168.1.1 1" -
On Server B, added the following config:
push "topology subnet" push "route 172.16.0.0 255.255.255.0 192.168.1.49 1"
Note that on a client for Server B, I get the error "Route destinations other than vpn_gateway or net_gateway are not supported"
A Traceroute from a device on the LAN (192.168.1.xxx) to a client [172.16.0.2] on Server A yields:
1 pfsense.xxx.xxx (192.168.1.1) 0.804 ms 0.809 ms 0.798 ms 2 openvpn-as (192.168.1.49) 0.588 ms 0.507 ms 0.530 ms 3 172.16.0.2 (172.16.0.2) 23.788 ms 23.794 ms 23.775 ms
A traceroute from a device on LAN (192.168.1.xxx) to a client [172.16.1.2] on Server B yields:
1 pfsense.felixjen.com (192.168.1.1) 0.604 ms 0.578 ms 0.566 ms 2 172.16.1.2 (172.16.1.2) 134.503 ms 140.883 ms 141.721 ms
However, a Traceroute from client [172.16.0.xxx] to client [172.16.1.xxx] yields:
traceroute to 172.16.1.xxx (172.16.1.2), 64 hops max, 52 byte packets traceroute: sendto: Network is unreachable 1 traceroute: wrote 172.16.1.2 52 chars, ret=-1
This is the same from the other client.
The following is the relevant routing table for a client on Server A:
Destination Gateway Flags Refs Use Netif Expire 172.16/24 172.16.0.2 UGSc 7 5 utun1 172.16/23 172.16.0.1 UGSc 0 0 utun1 172.16.0.2 172.16.0.2 UH 1 16 utun1 172.16.1/24 192.168.1.1 UGSc 0 12 en0 192.168.1 172.16.0.1 UGSc 3 2 utun1
The following is the routing table for a client on Server B:
Destination Gateway Flags Refs Use Netif Expire 172.16.0.0/16 link#34 UCS 1 0 utun3 172.16.0.2 link#34 UHW3I 0 5 utun3 172.16.1.10/16 link#34 UCS 0 0 utun3 172.16.1.2 172.16.1.2 UH 0 0 utun3
There should be no firewall rules blocking traffic to/from either subnet. What else am I missing here?
No comments:
Post a Comment