Route ip range traffic through openvpn



  • Hello All,

    I have a strange problem I haven't been able to resolve for two weeks; almost everything is working well, there is just one thing I can't figure out. Let's see the details:

    • site A subnet: 10.0.0.0/22

    • site A Client Group A: 10.0.0.10 - 10.0.0.200

    • site A Client Group B: 10.0.0.201 - 10.0.0.250

    • site A public IP: x.x.x.65/24

    • site B subnet: 10.0.100.0/22

    • site B public IP1: y.y.y.1/24

    • site B public IP2: y.y.y.25/28

    • OpenVPN Site to site VPN Server (Site A): 192.168.100.1

    • OpenVPN Site to site VPN Client (Site B): 192.168.100.2

    I have to configure the following:

    • a) Site A: all traffic from Client Group B must be routed through OpenVPN - site B public IP2 (y.y.y.25/28)

    • b) Site A: all traffic from Client Group A must be routed through site A public IP (x.x.x.65/24)

    • c) Site B: all traffic from Client Group C must be routed through site B public IP1 (y.y.y.1/24)

    I'm done with:

    • c) Done: simple NAT on site B public IP1 (y.y.y.1/24)

    • b) Done: simple NAT on site A public IP (x.x.x.65/24)

    • a) I did the following:

      • OpenVPN Site to site VPN: Done

      • Site A: create IP Alias IPRANGE1 with IP range 10.0.0.201 - 10.0.0.250

      • Site A: assign interface OPT1 to OpenVPN interface ovpn1

      • Site A: create Firewall Rule on LAN interface:

        • Action: pass

        • Interface: LAN

        • Source: Single host or alias: IPRANGE1

        • Protocol: any

        • Advanced - Gateway: OPT1_VPNV4 (name assigned automatically)

      • Site B: create Virtual IP:

        • Name: VIP1

        • Type: IP Alias

        • Address: y.y.y.25/28

      • Site B: create Outbound NAT rule:

        • Interface: WAN

        • Source: site A Client Group A

        • NAT Address: WAN Address

    Up to this point everything is working: if I check http://www.whatsmyip.org/ the result is as expected, y.y.y.1/24, and likewise for SSH and FTP the remote site reports the IP y.y.y.1/24.

    But if I change the step "Site B: create Outbound NAT rule" and replace the NAT Address with VIP1, then the result is unclear:

    • if I use SSH then the remote site returns the VIP1 address: y.y.y.25/28

    • if I use HTTP with a very basic (no ADS, no JS, etc…) site then the remote site returns the VIP1 address: y.y.y.25/28

    • but if I try http://www.whatsmyip.org/ again, then the page does not load; I see the message "connecting" in the status bar. Sometimes the IP is okay, but no stylesheet is loaded, etc…

    Any idea what I am doing wrong? How can I resolve this issue?

    Kind Regards,
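
The steps under a) in the post, written out as an added example in hand-written pf.conf syntax. This is not the poster's configuration and not the ruleset pfSense generates from the GUI; it only shows what the policy route at Site A and the VIP-based outbound NAT at Site B amount to at the pf level. Interface names (em0, em1, ovpns1) are assumptions, x.x.x.65 and y.y.y.25 are the post's own placeholders, and the Site B NAT source is written to match the same policy-routed range that Site A sends into the tunnel, because an outbound NAT rule can only take effect for source addresses that actually arrive on that path.

```pf
# Added example: hand-written pf.conf approximation of the post's setup.
# Two separate files for two separate firewalls; interface names are assumed.

############ File 1: /etc/pf.conf at Site A (OpenVPN server, 192.168.100.1) ############
lan_if = "em1"            # assumed LAN interface name
vpn_if = "ovpns1"         # assumed OpenVPN server interface (OPT1 in the post)
vpn_gw = "192.168.100.2"  # Site B tunnel address, from the post

# Client Group B (10.0.0.201 - 10.0.0.250) expanded to CIDR blocks, which is
# the form a range alias takes once it lands in a pf table
table <IPRANGE1> { 10.0.0.201/32, 10.0.0.202/31, 10.0.0.204/30, 10.0.0.208/28, \
                   10.0.0.224/28, 10.0.0.240/29, 10.0.0.248/31, 10.0.0.250/32 }

# Policy route: Group B leaves through the tunnel gateway instead of the default
# route. Site A's own subnet is excluded so local destinations are not forced
# into the tunnel.
pass in quick on $lan_if from <IPRANGE1> to ! 10.0.0.0/22 \
    route-to ($vpn_if $vpn_gw) keep state

# Everything else on LAN (Group A) follows the default route and the existing
# outbound NAT to x.x.x.65 (requirement b in the post).
pass in quick on $lan_if from 10.0.0.0/22 to any keep state

############ File 2: /etc/pf.conf at Site B (OpenVPN client, 192.168.100.2) ############
wan_if = "em0"            # assumed WAN interface name
vip1   = "y.y.y.25"       # VIP1 from the post (placeholder); must already be
                          # configured as an address alias on $wan_if

# Same range as at Site A: only these sources are translated to VIP1
table <IPRANGE1> { 10.0.0.201/32, 10.0.0.202/31, 10.0.0.204/30, 10.0.0.208/28, \
                   10.0.0.224/28, 10.0.0.240/29, 10.0.0.248/31, 10.0.0.250/32 }

# Translation rules precede filter rules in FreeBSD pf.
# Group B traffic arriving over the tunnel egresses as VIP1 (requirement a).
nat on $wan_if from <IPRANGE1> to any -> $vip1

# Site B's own clients (Group C) keep the primary WAN address (requirement c).
nat on $wan_if from 10.0.100.0/22 to any -> ($wan_if)

# Site B also needs a route for 10.0.0.0/22 back into the tunnel so replies
# reach Site A; the post's site-to-site OpenVPN setup is assumed to provide it.
```

After loading each file with `pfctl -f /etc/pf.conf`, `pfctl -s nat` and `pfctl -s rules` confirm the rules are present, and `pfctl -s state` at Site B, filtered on the VIP1 address, shows whether a connection from a Group B host is actually being translated to VIP1. That separates a NAT-selection problem (the wrong address chosen) from a problem elsewhere on the path, which is the first thing worth establishing when some connections through the VIP succeed and others stall.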

