Netgate Discussion Forum

site to site openvpn connection doesn't work fully

elliopitas

site 1:
lan: 192.168.0.0/24
wan: public
ovpn server
[screenshots]
site 2:
lan: 192.168.1.0/24
wan: public
ovpn client
[screenshots]

From site 2 I can access everything on site 1; from site 1 I can't.
This is a device on site 1:
I can ping site 2's OVPN interface
[screenshot]
but I can't ping any other device
[screenshot]

viragomann @elliopitas

@elliopitas
A /24 tunnel for a site-to-site VPN? Do you want to connect multiple clients?
If not, change the tunnel mask to /30.

elliopitas @viragomann

@viragomann Yeah, I will fix that after I get it working and pinging. I had more than one, but I will keep it between the 2 sites and make a new one for other OVPN clients.

elliopitas

@viragomann
site 1 routing table
[screenshot]
site 2 routing table
[screenshot]

The route is there, but I cannot ping 192.168.1.0/24 from site 1.
I can ping 192.168.255.0/24 just fine though.
[screenshot]
This is the site 2 OVPN client gateway.

viragomann @elliopitas

@elliopitas
It doesn't make any sense to me to dive any deeper into this as long as you have a /24 tunnel for a site-to-site.
In this case the gateway IP is not unique for OpenVPN and it cannot route properly. You would need to configure iroute to get this working.

So again, switch the tunnel to /30 and try again.

elliopitas @viragomann

@viragomann On a /30 subnet it refuses to give an IP to site 2. It works fine for a /29 subnet; I don't know why, since /30 has 2 hosts available.
About iroute: I added my route here, so it should automatically create the iroute for 192.168.1.0/24. Read this here:
[screenshot]
I can also see the route in site 1's routing table:
[screenshot]
site 1
[screenshot]
site 2
[screenshot]

viragomann @elliopitas

@elliopitas said in site to site openvpn connection doesn't work fully:

On a /30 subnet it refuses to give an IP to site 2. It works fine for a /29 subnet; I don't know why, since /30 has 2 hosts available.

You have to select "Peer to Peer" as the server mode:
[screenshot]

elliopitas @viragomann

@viragomann [screenshot]
It already is. If it wasn't, it wouldn't even give me the option for remote routes.
[screenshot]

elliopitas

@viragomann OK, fixed the tunnel and everything is working fine. You normally don't need to define it for the client, but for /30 you have to; apparently it doesn't do it automatically.
The OVPN internal network doesn't even show for /30 as it does for /29 and lower. Shouldn't it still work with another subnet? What if I need to connect more than one router?
site 1 routing table
[screenshot]

chpalmer @elliopitas

                        @elliopitas All my OpenVPN tunnels are a /30.

                        Triggering snowflakes one by one..
                        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

elliopitas @chpalmer

@chpalmer @viragomann
One more thing remains.
Since site 1 can access site 2 just fine now, I tried port forwarding my webserver on site 2 from site 1, but it doesn't work.
[screenshot]

viragomann @elliopitas

@elliopitas
In addition to the port forwarding at site 1, you need a firewall rule at site 2 on the incoming interface to allow the access. But note: not on the OpenVPN tab!

No rule on the OpenVPN tab may match the forwarded traffic!
The same is true for floating rules.

I.e. it is best to remove all rules from the OpenVPN tab if this is your only VPN instance. If you have multiple, either assign interfaces to them all and put your rules there, or make sure that the OpenVPN rules do not match the forwarded packets.

elliopitas @viragomann

@viragomann OK, thanks, I will try and update.
Thank you for all your help so far.

elliopitas @viragomann

@viragomann OK, disabled everything for OVPN and moved it to the interfaces.
For now I enabled everything on both sites' interfaces:
[screenshot]
and on site one:
[screenshot]
But it still doesn't forward my stuff. Only the last rule, the one that forwards to a LAN address, works fine.

viragomann @elliopitas

@elliopitas said in site to site openvpn connection doesn't work fully:

OK, disabled everything for OVPN and moved it to the interfaces.
For now I enabled everything on both sites' interfaces.

                                  Remember, I was talking about the client site.

                                  Post the rules so that we can verify.

You can sniff the traffic on the client to check whether you see the packets on the VPN interface and whether they also show up on the internal interface.

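The check viragomann suggests above (look for the forwarded packets on site 2's VPN interface, then on the LAN, and for the reply coming back over the tunnel), as an added example that is not from this thread: a Python script that reads constructed tcpdump -n lines captured on each interface and reports the first hop where the port forward breaks. The interface names ovpnc1 and em1, the web server 192.168.1.10 and the client 203.0.113.5 are assumptions.

```python
import re

# Site 2 LAN (192.168.1.0/24) is from the thread. The interface names, the web
# server address and the internet client address (203.0.113.5, documentation
# range) are constructed assumptions for this example.
VPN_IF, LAN_IF = "ovpnc1", "em1"
WEBSERVER, PORT = "192.168.1.10", 80

# Flow part of a "tcpdump -n" line, e.g.
#   IP 203.0.113.5.51000 > 192.168.1.10.80: Flags [S], seq 1, win 64240
FLOW_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def classify(line):
    """'req' for a SYN to the forwarded port, 'rep' for the web server's
    SYN-ACK back to the client, None for anything else."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    if dst == WEBSERVER and int(dport) == PORT and flags == "S":
        return "req"
    if src == WEBSERVER and int(sport) == PORT and flags == "S.":
        return "rep"
    return None

def diagnose(captures):
    """captures maps interface name -> tcpdump lines captured on it.
    Walks the forward hop by hop and names the first place it breaks."""
    seen = {(iface, classify(l)) for iface, lines in captures.items() for l in lines}
    if (VPN_IF, "req") not in seen:
        return "request never seen on the tunnel: the problem is at site 1 (NAT or route)"
    if (LAN_IF, "req") not in seen:
        return "request seen on the tunnel but not on the LAN: blocked by the firewall at site 2"
    if (LAN_IF, "rep") not in seen:
        return "web server did not answer (service down or host firewall)"
    if (VPN_IF, "rep") not in seen:
        return "reply seen on the LAN but not on the tunnel: it left site 2 by another route"
    return "port forward works end to end"

# Constructed captures: A shows the request stopped by the firewall on the
# tunnel interface, B shows the web server's reply leaving by another path.
SYN = f"IP 203.0.113.5.51000 > {WEBSERVER}.{PORT}: Flags [S], seq 1, win 64240"
SYNACK = f"IP {WEBSERVER}.{PORT} > 203.0.113.5.51000: Flags [S.], seq 7, ack 2"
CASE_BLOCKED = {VPN_IF: [SYN], LAN_IF: []}
CASE_ASYMMETRIC = {VPN_IF: [SYN], LAN_IF: [SYN, SYNACK]}

if __name__ == "__main__":
    for name, cap in (("A", CASE_BLOCKED), ("B", CASE_ASYMMETRIC)):
        print(f"case {name}: {diagnose(cap)}")
```

On a real box the two captures would come from running tcpdump -n on the assigned tunnel interface and on the LAN at the same time while a client connects.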
elliopitas @viragomann

@viragomann I just allow everything, so it should be fine.
site 2 client
[screenshot]
[screenshot]
and site 2
[screenshot]

viragomann @elliopitas

                                      @elliopitas
                                      HOME is the VPN interface on the client?

Please also show the "OpenVPN" rules.

elliopitas @viragomann

@viragomann Since NAT is working fine and everything is allowed through the firewall, then what is it?

viragomann @elliopitas

@elliopitas said in site to site openvpn connection doesn't work fully:

@viragomann Since NAT is working fine and everything is allowed through the firewall, then what is it?

@viragomann said in site to site openvpn connection doesn't work fully:

@elliopitas
HOME is the VPN interface on the client?
Please also show the "OpenVPN" rules.

elliopitas @viragomann

@viragomann

@elliopitas said in site to site openvpn connection doesn't work fully:

@viragomann HOME is on the client, site 2, and GEORGE is at site 1, the VPN server.
I don't have any "OpenVPN" rules. I removed them as you said.

[screenshot]
I don't have any. Like you said, I disabled them and I am using the tunnel interfaces instead (HOME, GEORGE).

@elliopitas said in site to site openvpn connection doesn't work fully:

@viragomann I just allow everything, so it should be fine.
site 2 client
[screenshot]
[screenshot]
and site 2
[screenshot]
