VPN Network is not routing via tunnel

  • Hi together,
    i set up a OpenVPN Tunnel to a Server from our radio station (internal stuff).
    My pfs at home is the client and connects without problems to the server.
    A traceroute from the pfs to a server inside the vpn works flawless.
    But if i try to connect from my office pc the connection gets to my home pfs and then nothing...

    I have another tunnel running in basicly exactly the same way to a pfs box in my datacenter colo, on that one it works without problems...

    I don't understand why the network of 1 tunnel gets put via the tunnel it should and the other one does not.

    VPN personal Datacenter: (I can go via OpenVPN directly to there from my home network)
    VPN radio: (from pfs hui i can ping servers etc, but my LAN from home is not able to connect)

    I hope someone has an idea why this is...
    Thanks in advance

    Greetings Chris

  • LAYER 8 Netgate

    I'd check the firewall in the workstation itself.

  • There is no firewall on any workstation i run here...
    The fun part is that i can freely use another tunnel and it works fine, but the second one just does not work...

    I don't understand why this is, but i got that problem.
    The config of both clients is the same (except for Server/Port).

  • LAYER 8 Netgate

    Well, it has to be something.

    Guess you need to post screenshots, etc, so we can have a chance at seeing what was done wrong.

  • Beginning with the working Tunnel:
    This one works without any issues, every network is accessable from my side (LAN @
    0_1544540466571_Bildschirmfoto zu 2018-12-11 15-54-52.png

    Next is the same config for the radio network, this one is NOT (but should) accessable from my side (LAN @
    1_1544540466571_Bildschirmfoto zu 2018-12-11 15-55-12.png

    As you can se here, the Connection is up, the tunnels work: (Upper one is my Datacenter Link, the lower one to our radio station)
    2_1544540466572_Bildschirmfoto zu 2018-12-11 15-55-30.png

    Even a traceroute from the pfs here works to the server inside the LAN in want to access:
    0_1544540848008_Bildschirmfoto zu 2018-12-11 16-06-59.png
    But if i try that from my workstation (LAN @
    0_1544540943164_Bildschirmfoto zu 2018-12-11 16-08-23.png
    It just runs until it fails at the end...

    Last but not least my Routes, as far as i can see this is correct in every way.
    I did everything the same in both tunnels, the first one works, the second one does not...
    3_1544540466572_Bildschirmfoto zu 2018-12-11 15-55-47.png

    I hope i included everything you need, if not just tell me what i should include :)

    Greetings Chris

  • LAYER 8 Rebel Alliance

    Can you please show your Firewall Rules? OpenVPN Tab and Interfaces (if assigned).


  • Interfaces are not assigned to VPN tunnels for now.
    Within the OpenVPN Interface i only have 1 Rule (everything allowed) * * * * * :D

  • LAYER 8 Rebel Alliance

    How about Routing on the non working far side?
    Anything in the table for ?


  • I'm not able to check the Server Side on the second tunnel since i'm not running it.
    What should be there ?
    I have a small suspicion that the Server maybe blocks connections from a LAN network...
    Could that be the case ?

  • LAYER 8 Rebel Alliance

    The Server Side need to know your local network and a route set (normally this happens in the OpenVPN Server Config).
    And of course the Server need to accept your Packets by it's Firewall Rules.
    ATM the only thing we know the Server side knows the Route and accept Packets for the tunnel network.


  • In your second picture.. You need to add your LAN to the Remote Networks of that site.

    Ive got this same scenario between a radio station I do work for and my office.

  • LAYER 8 Rebel Alliance

    ...this is what I just said right? ;-)


  • @rico

    Missed that. Yep. I hate this laptop.

  • @chpalmer

    Looking again your radio station router should not have its own LAN in the "remote networks" entry..

  • Yep that eas the problem.
    I just mapped the traffic from my LAN to the IP i get from the VPN Server so that i show up as a Single VPN Client and not as a LAN workstation.

    Works fine now :)

    Thank you very mutch !

  • LAYER 8 Rebel Alliance

    So you do NAT now?
    That is not ideal but can work in some cases. :-)


  • The Admin does not want to let traffic from my LAN pass, so thats the only way i have.

    Sure its not ideal but hey, its getting the job done.

  • @chris-the-tuner said in VPN Network is not routing via tunnel:

    The Admin does not want to let traffic from my LAN pass, so thats the only way i have.

    Actually a correctly built firewall rule at the radio station only allowing you workstation IP would do the job just as well. In fact if your not accessing you LAN from any of the other sites Id delete the firewall rule on your local router on the OpenVPN tab.

  • I do access my home LAN via a Server running on my pfs ;)

  • I believe you could also place your local workstation at an address such as .129 and then use x.x.x.128/30 on the radio station side "remote network" to limit the size of your network their router sees. I have not tried this but there seems no reason it would not work.

  • @chris-the-tuner said in VPN Network is not routing via tunnel:

    I do access my home LAN via a Server running on my pfs ;)

    Then adjust your local OpenVPN rule to the data center server network to your local LAN.

    Firewall rules are your friend!

  • Remember that connections that are initiated by the allowed end are by proxy allowed to return. You do not need special WAN rules to allow return traffic from the web.. right? Same with any interface.

  • I got a Rule that sorts out traffic trying to connect to my LAN from the radio network.
    For the rest its fine since i run the other network anyway 😁

Log in to reply