Site to Site OpenVPN Firewall Settings

I’ve setup a VPN server for site to site and road warrior access.

The OpenVPN server in pfSense runs on a Google cloud server. Site 1&2 each have a GL-MT300N-V2(v3.105) and connect as clients. Road warriors connect to the server from anywhere.

All that seems working. The server pushes routes and has a client-config-dir with iroutes for the sites, and everyone can ping everyone - using VPN adapter addresses, but NOT using LAN side addresses.

I have made this work previously. I have commented the default rules in /etc/vpn.user and removed the ‘lan2wan_forwarding disable’ line in /etc/init.d/startvpn.

In a prior firmware I recall altering the firewall zone settings in LuCI but my changes so far have not been successful.

Ultimately I want to be able to connect from the road and ping clients behind the mango’s at either site using their LAN address.

Site1:      VPN:     LAN:
Site2:      VPN:     LAN:
RoadGuy:    VPN:     LAN: whatever (not routed)

The RoadGuy can ping,2,3 but can’t ping or

But both sites show the subnets in their table:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         (gateway)         UG    20     0        0 apcli0
(WAN Subnet)    *        U     20     0        0 apcli0
(VPN Server)    *        U     0      0        0 tun0
(CloudServer)   (gateway) UGH   0      0        0 apcli0    *        U     0      0        0 br-lan    (VPN Server)   UG    0      0        0 tun0

The problem, as best I can tell, is in my firewall settings on the GL-MT300N-V2s. Traffic is not flowing between the LAN and VPN adapters.

What changes to the default LuCI firewall settings are required to allow this behaviour? Suggestions and advice appreciated (my heads getting sore banging it : ).

Please close post. Fault was elsewhere - server had multiple instances with duplicate remote subnets causing a race.

Test now works as desired:

  • Site 1 gateway connects as client to my openvpn server
  • Site 2 gateway connects as client to my openvpn server
  • Server iroute(s) and ccd entries enable site to site
  • Anyone at either site can ping anyone else
  • Road warriors can ping anyone at either site

The modifications to factory:

  • remove default rules lines in /etc/vpn.user
  • remove ‘lan2wan_forwarding disable’ line in /etc/init.d/startvpn
  • after connecting the vpn, from LuCI Network Firewall settings
    • allow forwarding in general section
    • edit lan and ovpn zones to allow forwarding between both

Modifications were required to enable site-to-site traffic via vpn and keep remaining going to usual gateway. The factory design prevents leakage when VPN’ing but that leakage is what I want : )

Thanks for great site. Lots of great searchable info.

1 Like