site to site openvpn connection doesnt work fully

elliopitas

site 1:
lan: 192.168.0.0/24
wan: public
ovpn server
||


||
site 2:
lan: 192.168.1.0/24
wan: public
ovpn client
||


||

from site 2 i can access everything on site 1, from site 1 I can't
this is a device on site 1
i can ping sites 2 ovpn interface

but i cant ping any other device

viragomann

@elliopitas
A /24 tunnel for a site-to-site VPN? Do you want to connect multiple clients?
If not change the tunnel mask to /30.

elliopitas

@viragomann yea I will fix that after I get it working and pinging. i had more than one but I will keep it between the 2 sites and make a new one for other ovpn clients

elliopitas

@viragomann
site 1 routing table

site 2 routing table

the route is there but I cannot ping 192.168.1.0/24 from site 1
I can ping 192.168.255.0/24 just fine tho

this is the site 2 ovpn client gateway

viragomann

@elliopitas
It doesn't make any sense to me to dive any deeper into this, as long as you have a /24 tunnel for a site to site.
In this case the gateway IP is not unique for OpenVPN and it cannot route properly. You would need to configure iroute to get this work.

So again, switch the tunnel to /30 and try again.

elliopitas

@viragomann on a /30 subnet it refuses to give an IP to site 2. works fine for /29 subnet I don't know why since /30 has 2 hosts available.
about I route I added my route here so it should automatically create the Iroute for 192.168.1.0/24. read this here

i can also see the route in sites 1 routing table

site 1

site 2

viragomann

@elliopitas said in site to site openvpn connection doesnt work fully:

on a /30 subnet it refuses to give an IP to site 2. works fine for /29 subnet I don't know why since /30 has 2 hosts available.

You have to select "Peer to Peer" at server mode:

elliopitas

@viragomann
already is. if it wasn't it wouldn't even give me the option for remote routes
||||

elliopitas

@viragomann ok fixed the tunnel and everything is working fine. you normally don't need to define it for the client but for /30 you have apparently it doesn't do it automatically.
The /30 ovpn internal network doesn't even show for /30 as it does for /29 and lower. shouldn't it still work with another subnet? what if i need to connect more than one routers?
site 1 routing table

chpalmer

@elliopitas All my OpenVPN tunnels are a /30.

elliopitas

@chpalmer @viragomann
one more thing remains.
since site 1 can access site 2 just fine now I tried port forwarding my webserver on site 2 from 1 but it doesn't work.

viragomann

@elliopitas
Addition to the port forwarding at site 1, you need a firewall rule at 2 on the incoming interface to allow the access. But note: not on the OpenVPN tab!

No rule on the OpenVPN tab must match the forwarded traffic!
The same is true for floating rules.

I.e. best is to remove all rules from the OpenVPN tab if this is your only one VPN instance. If you have multiple either assign interfaces to them all and put your rules there, or care that the OpenVPN rules does not match the forwarded packets.

elliopitas

@viragomann ok thanks I will try and update
thank you for all your help so far.

elliopitas

@viragomann ok disabled everything for ovpn and moved it to the interfaces
for now I enabled everything on both sites interfaces

and on site one

but it still doesn't forward my stuff. only the last rule that it forwards a LAN address works fine

viragomann

@elliopitas said in site to site openvpn connection doesnt work fully:

ok disabled everything for ovpn and moved it to the interfaces
for now I enabled everything on both sites interfaces

Remember, I was talking about the client site.

Post the rules so that we can verify.

You can sniff the traffic on the client to check if you see the packet on the VPN interface and if they are there also on the internal interface.

elliopitas

@viragomann i just alow everything so it should be fine
site 2 client


and site 2

viragomann

@elliopitas
HOME is the VPN interface on the client?

Please also show the "OpenVPN" rules?

elliopitas

@viragomann since nat is working fine and everything is allowed thru the firewall then what is it?

viragomann

@elliopitas said in site to site openvpn connection doesnt work fully:

@viragomann since nat is working fine and everything is allowed thru the firewall then what is it?

@viragomann said in site to site openvpn connection doesnt work fully:

@elliopitas
HOME is the VPN interface on the client?
Please also show the "OpenVPN" rules?

elliopitas

@viragomann

@elliopitas said in site to site openvpn connection doesnt work fully:

@viragomann home is on the client site 2 and George is at site 1 the VPN server.
I don't have any "OpenVPN". I removed them as you said.

I don't have any. like you said I disabled them and I am using the tunnel interfaces instead (HOME, GEORGE)

@elliopitas said in site to site openvpn connection doesnt work fully:

@viragomann i just alow everything so it should be fine
site 2 client


and site 2