[kwlug-disc] Initiating connections to OpenVPN clients

Chris Frey cdfrey at foursquare.net
Thu Jun 30 13:23:45 EDT 2011


On Thu, Jun 30, 2011 at 12:17:17AM -0400, Paul Nijjar wrote:
> This adds the following lines to the OpenVPN configuration: 
> 
> route 10.10.10.0 255.255.255.0;push "route 172.26.16.0
> 255.255.255.0"

I'm not a pfSense expert... is that semicolon a comment symbol, or
are those two commands?


> and in the "client-specific configuration" tab of pfSense I have: 
> 
> iroute 10.10.10.0 255.255.255.0
> 
> but I am not sure why this makes things work. Removing any one of
> these lines makes things fail. I understand I am making a "site to site"
> connection to my one client, but I don't understand why this should be
> necessary for server B to connect to client C. 

It makes some sense to me... the 10.10.10.0 network really only exists
for Client C, until you add routes to pass traffic over the VPN as well.

Just for safety's sake, I'd test to see what other machines I could reach
on the 10.10.10.0 network, from server B.  If Client C has forwarding
turned off, then you're probably ok.  Otherwise, you might be exposing
more than you realize.  And same for machines on 10.10.10.0 reaching
server B.  If you add a route on Client D to pass all 192.168.150.0
traffic to Client C, can Client D get to Server B?

- Chris
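
The following Python example is added here and is not part of the original thread or of pfSense/OpenVPN. It models how the three quoted directives depend on each other and what the forwarding question above changes. Assumptions: the semicolon separates two directives, networks are matched exactly, and the names `parse`, `analyse` and `client_forwards` are hypothetical.

```python
import ipaddress

# Constructed inputs: the directives quoted in the thread.
SERVER_OPTS = 'route 10.10.10.0 255.255.255.0;push "route 172.26.16.0 255.255.255.0"'
CLIENT_OPTS = "iroute 10.10.10.0 255.255.255.0"
KNOWN = ("route", "iroute", "push-route")

def parse(opts):
    """Return (directive, network) pairs from OpenVPN option text.
    Assumption: ';' separates directives, as a newline does."""
    pairs = []
    for raw in opts.replace(";", "\n").splitlines():
        words = raw.replace('"', " ").split()
        if len(words) > 1 and words[0] == "push":
            words = ["push-" + words[1]] + words[2:]
        if len(words) >= 3 and words[0] in KNOWN:
            pairs.append((words[0], ipaddress.ip_network(f"{words[1]}/{words[2]}")))
    return pairs

def analyse(server_opts, client_opts, client_forwards):
    """Classify each network; client_forwards = IP forwarding on that client."""
    server = parse(server_opts)
    routes = {n for d, n in server if d == "route"}
    pushed = {n for d, n in server if d == "push-route"}
    iroutes = {n for d, n in parse(client_opts) if d == "iroute"}
    result = {}
    for net in routes | iroutes:
        if net not in iroutes:
            # Server kernel sends packets to the tunnel; OpenVPN has no owner for them.
            result[str(net)] = "broken: route without iroute"
        elif net not in routes:
            # OpenVPN knows the owner, but the server kernel has no route into the tunnel.
            result[str(net)] = "broken: iroute without route"
        elif client_forwards:
            result[str(net)] = "exposed: whole subnet reachable via client"
        else:
            result[str(net)] = "limited: only the client itself reachable"
    for net in pushed:
        # Clients route this network into the tunnel; a forwarding client
        # can relay for LAN hosts whose source address its iroute covers.
        relay = client_forwards and bool(iroutes)
        result[str(net)] = "reachable from client LAN" if relay else "reachable from client only"
    return result

if __name__ == "__main__":
    for forwards in (False, True):
        print("forwarding", forwards, analyse(SERVER_OPTS, CLIENT_OPTS, forwards))
```
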




