Netgate Discussion Forum
    site to site openvpn connection doesnt work fully

    22 Posts 3 Posters 2.3k Views
elliopitas @viragomann

@viragomann On a /30 subnet it refuses to give an IP to site 2. It works fine for a /29 subnet. I don't know why, since /30 has 2 hosts available.
About iroute: I added my route here, so it should automatically create the iroute for 192.168.1.0/24. Read this here
      4d189b76-1691-46cc-8563-90a8c46207df-image.png
I can also see the route in site 1's routing table
      97e72ce1-62c5-4043-8ca1-8d5c455335d7-image.png
      site 1
      83823b34-2a85-40cc-ae8f-41b91ef2c660-image.png
      site 2
      1f0ca44c-2659-4018-a982-acb0b4e0012a-image.png

viragomann @elliopitas

        @elliopitas said in site to site openvpn connection doesnt work fully:

On a /30 subnet it refuses to give an IP to site 2. It works fine for a /29 subnet. I don't know why, since /30 has 2 hosts available.

        You have to select "Peer to Peer" at server mode:
        36ce1ed5-fcda-4465-a86f-2c1927c825ca-grafik.png

elliopitas @viragomann

          @viragomann 26ac18ba-db42-4f0c-a3b5-43794992a99c-image.png
It already is. If it wasn't, it wouldn't even give me the option for remote routes.
97c4e679-9c2d-4272-b238-96b0e4b46124-image.png

elliopitas

@viragomann OK, fixed the tunnel and everything is working fine. You normally don't need to define it for the client, but for /30 you have to; apparently it doesn't do it automatically.
The /30 OVPN internal network doesn't even show for /30 as it does for /29 and lower. Shouldn't it still work with another subnet? What if I need to connect more than one router?
            site 1 routing table
            6eb29633-eb3a-494c-ab7e-06275d861443-image.png

chpalmer @elliopitas

              @elliopitas All my OpenVPN tunnels are a /30.

              Triggering snowflakes one by one..
              Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

elliopitas @chpalmer

                @chpalmer @viragomann
One more thing remains.
Since site 1 can access site 2 just fine now, I tried port forwarding my webserver on site 2 from site 1, but it doesn't work.
                7170c903-95ae-46d3-8df3-093035d5c160-image.png

viragomann @elliopitas

                  @elliopitas
In addition to the port forwarding at site 1, you need a firewall rule at site 2 on the incoming interface to allow the access. But note: not on the OpenVPN tab!

                  No rule on the OpenVPN tab must match the forwarded traffic!
                  The same is true for floating rules.

I.e. best is to remove all rules from the OpenVPN tab if this is your only VPN instance. If you have multiple, either assign interfaces to them all and put your rules there, or take care that the OpenVPN rules do not match the forwarded packets.

elliopitas @viragomann

@viragomann OK thanks, I will try and update.
Thank you for all your help so far.

elliopitas @viragomann

@viragomann OK, disabled everything for OVPN and moved it to the interfaces.
For now I enabled everything on both sites' interfaces
                      cbeab86a-0c6e-4e3a-87e9-24dc3897b341-image.png
                      and on site one
                      7012ec49-cd55-4e38-94e8-e8324b22ec36-image.png
but it still doesn't forward my stuff. Only the last rule, which forwards a LAN address, works fine.

viragomann @elliopitas

                        @elliopitas said in site to site openvpn connection doesnt work fully:

OK, disabled everything for OVPN and moved it to the interfaces.
For now I enabled everything on both sites' interfaces

                        Remember, I was talking about the client site.

                        Post the rules so that we can verify.

                        You can sniff the traffic on the client to check if you see the packet on the VPN interface and if they are there also on the internal interface.

elliopitas @viragomann

@viragomann I just allow everything, so it should be fine.
                          site 2 client
                          77913ea6-71b8-4236-bff7-1e2ab73dc590-image.png
                          378cedc4-f6ad-453e-a6d3-68775aa25d36-image.png
                          and site 2
                          73e900fa-903f-4dc6-b28e-88857e940ede-image.png

viragomann @elliopitas

                            @elliopitas
                            HOME is the VPN interface on the client?

                            Please also show the "OpenVPN" rules?

elliopitas @viragomann

@viragomann Since NAT is working fine and everything is allowed through the firewall, then what is it?

viragomann @elliopitas

                                @elliopitas said in site to site openvpn connection doesnt work fully:

@viragomann Since NAT is working fine and everything is allowed through the firewall, then what is it?

                                @viragomann said in site to site openvpn connection doesnt work fully:

                                @elliopitas
                                HOME is the VPN interface on the client?
                                Please also show the "OpenVPN" rules?

elliopitas @viragomann

                                  @viragomann

                                  @elliopitas said in site to site openvpn connection doesnt work fully:

@viragomann HOME is on the client, site 2, and GEORGE is at site 1, the VPN server.
I don't have any "OpenVPN" rules. I removed them as you said.

                                  595cd208-4bb5-4664-b22b-4f08bb179f76-image.png
I don't have any. Like you said, I disabled them and I am using the tunnel interfaces instead (HOME, GEORGE).

                                  @elliopitas said in site to site openvpn connection doesnt work fully:

@viragomann I just allow everything, so it should be fine.
                                  site 2 client
                                  77913ea6-71b8-4236-bff7-1e2ab73dc590-image.png
                                  378cedc4-f6ad-453e-a6d3-68775aa25d36-image.png
                                  and site 2
                                  73e900fa-903f-4dc6-b28e-88857e940ede-image.png

viragomann @elliopitas

                                    @elliopitas
                                    Ok, from the view of the firewall rules it should work now.

                                    Does the webserver basically respond to access from outside? Did you test it with a local forwarding on site 2?

                                    Is the site 1 WAN reachable on TCP 1443?

To investigate, use Diagnostics > Packet Capture. On site one, check if you see incoming packets on TCP port 1443. If so, check on the VPN interface for packets on port 443, as you forward it.

                                    When you see the packets on both, go to site 2 and sniff the traffic on the incoming VPN interface and on the server facing interface and check for packets on port 443.

elliopitas @viragomann
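The capture walk-through above (WAN on 1443, then the VPN interface on 443 at site 1, then the VPN and server-facing interfaces at site 2) can be turned into a repeatable check. This is an added example, not code from the thread or from pfSense; it assumes tcpdump-style capture lines of the form Diagnostics > Packet Capture prints, and uses constructed sample lines in which the flow is never seen leaving site 2's LAN interface.

```python
import re

# Hop order of the forwarded flow as described in the thread (assumption: the
# webserver is at site 2 and is published on TCP 1443 of site 1's WAN).
HOPS = [
    ("site1", "WAN", 1443),  # public side of the port forward
    ("site1", "VPN", 443),   # after NAT, leaving over the tunnel
    ("site2", "VPN", 443),   # arriving at the client site
    ("site2", "LAN", 443),   # leaving toward the webserver
]

# Constructed sample capture lines, one list per (site, interface).
# Addresses are documentation ranges, not real hosts.
SAMPLE = {
    ("site1", "WAN"): ["12:00:01.000100 IP 203.0.113.7.51514 > 198.51.100.10.1443: Flags [S], seq 1, length 0"],
    ("site1", "VPN"): ["12:00:01.000300 IP 203.0.113.7.51514 > 192.168.1.20.443: Flags [S], seq 1, length 0"],
    ("site2", "VPN"): ["12:00:01.010000 IP 203.0.113.7.51514 > 192.168.1.20.443: Flags [S], seq 1, length 0"],
    ("site2", "LAN"): [],  # nothing seen here: the packets stop inside site 2
}

# src.sport > dst.dport: the last dotted field of each side is the port.
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+):")

def syn_to_port(lines, dport):
    """True if any captured TCP SYN in `lines` is addressed to `dport`."""
    for line in lines:
        m = LINE_RE.search(line)
        if m and int(m.group(4)) == dport and "[S]" in line:
            return True
    return False

def trace_forward(captures, hops=HOPS):
    """Walk the hops in order; return the hops reached and the first one missing."""
    reached = []
    for site, iface, dport in hops:
        label = f"{site} {iface} tcp/{dport}"
        if not syn_to_port(captures.get((site, iface), []), dport):
            return {"reached": reached, "lost_at": label}
        reached.append(label)
    return {"reached": reached, "lost_at": None}

if __name__ == "__main__":
    result = trace_forward(SAMPLE)
    print("seen on:", ", ".join(result["reached"]))
    print("missing at:", result["lost_at"] or "nowhere, the flow completed")
```

If the flow is seen on site 2's VPN interface but not on the server-facing interface, the place to look is the rule set on site 2's assigned VPN interface and the route back from the webserver, which is exactly the split the reply above describes.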

@viragomann OK, figured it out.
Plex was getting my site 2 public IP, so it was trying to connect directly.
So I gave the docker its own IP and made this rule 57acdb42-e989-4ae8-9caa-b086ab97f01e-image.png now I get
                                      29717dc3-d5e4-4881-8b42-f697f29d33c0-image.png
This is my rule
                                      957da0c2-55b8-4602-b8b2-61e0bdec29c9-image.png
                                      I even tried
                                      1d3d78f6-8a74-482f-b315-cbe535e2c743-image.png
to test if I left a port closed, but still the same.

When I disable the rule that changes the default gateway to site 1, it finds the private and public IP just fine.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.