Routing between 2 openvpn servers on a pfsense 2.4.4

I have an openvpn problem with my pfsense and several openvpn servers. The situation is the following:

• We have two sites, one main site and one branch office
• There is an openvpn site to site tunnel which connects main office and branch
• We have several services running regularly between main and branch office and we need them to be undisturbed
• We have several road warriors dialling into the pfsense at the main office on there own openvpn server
• The way the remote offices is connected to the internet doesn’t allow for setting up a server there, so the server is always the main office.

The main reason for the two openvpn servers is, that I want to be able to cut out the network to the road warriors when they do something outside the company policies as happens from time to time) without any interference between the offices. And there are also rare cases where we have to take down the link between the offices as well, but want the road warriors to be able to still be connected.

Up until a while ago this setup was working pretty well, but in recent times (before and now with the corona virus running rampant), there was no reason for the road warriors to directly connect to machines in the branch office.

Now there is need and I can’t get the pfsense to route between the two openvpn servers. The road warriors are pulling out their pitchforks and lighting torches.

The setup Configuration wise on the pfsnese is the following

Main Office:

• Network: 192.168.3.0/24
• Gateway: 192.168.3.1

• OpenVPN Server: 192.168.3.1

• Site-2-Site to Branch OpenVPN:

  • Server Mode: Peer to Peer (Shared Key)
  • UDP on IPV4 / tun
  • Tunnel Network: 10.11.12.0/24
  • Tunnel Network IP: 10.11.12.1
  • Remote Network: 192.168.77.0/24

• Road Warrior Dial-In to Main:

  • Server Mode: Remote Access (SSL/TLS + User Auth)
  • UDP on IPV4 / tun
  • Tunnel Network: 10.0.42.0/24
  • Tunnel Network IP: 10.0.42.1
  • Local Network: 192.168.3.0/24

Branch Office:

• Network: 192.168.77.0/24
• Gateway: 192.168.77.1

• OpenVPN Server: 192.168.77.1

• Site-2-Site to Branch OpenVPN:

  • Server Mode: Peer to Peer (Shared Key)
  • UDP on IPV4 / tun
  • Tunnel Network: 10.11.12.0/24
  • Tunnel Network IP: 10.11.12.2
  • Remote Network: 192.168.3.0/24

I basically tried everything I could find, which includes:

• Adding the branch IP and branch Tunnel Network to the dail-in net and vice versa
• Pushing the routes and gateways via OpenVPN “push route” command
• Trying to set a route between the tunnel networks via OPENVPNs “route” command, but the pfsense rejected all of them

I can always ping down the tunnels to the endpoint from with in the main office’s entwork, but never from the branch or from a dial-in connection.

Right now I am looking at the whole setup and wonder what I am doing wrong.