VPN Network is not routing via tunnel

Chris-The-Tuner · Dec 8, 2018, 8:36 AM

Hi together,
i set up a OpenVPN Tunnel to a Server from our radio station (internal stuff).
My pfs at home is the client and connects without problems to the server.
A traceroute from the pfs to a server inside the vpn works flawless.
But if i try to connect from my office pc the connection gets to my home pfs and then nothing...

I have another tunnel running in basicly exactly the same way to a pfs box in my datacenter colo, on that one it works without problems...

I don't understand why the network of 1 tunnel gets put via the tunnel it should and the other one does not.

Networks:
Home: 10.0.11.0/24
VPN personal Datacenter: 192.168.3.0/24 (I can go via OpenVPN directly to there from my home network)
VPN radio: 192.168.42.0/24 (from pfs hui i can ping servers etc, but my LAN from home is not able to connect)

I hope someone has an idea why this is...
Thanks in advance

Greetings Chris

Derelict · Dec 8, 2018, 9:55 AM

I'd check the firewall in the workstation itself.

Chris-The-Tuner · Dec 10, 2018, 5:09 PM

There is no firewall on any workstation i run here...
The fun part is that i can freely use another tunnel and it works fine, but the second one just does not work...

I don't understand why this is, but i got that problem.
The config of both clients is the same (except for Server/Port).

Derelict · Dec 11, 2018, 3:49 AM

Well, it has to be something.

Guess you need to post screenshots, etc, so we can have a chance at seeing what was done wrong.

Chris-The-Tuner · Dec 11, 2018, 3:10 PM

Beginning with the working Tunnel:
This one works without any issues, every network is accessable from my side (LAN @ 10.0.11.0/24)

Next is the same config for the radio network, this one is NOT (but should) accessable from my side (LAN @ 10.0.11.0/24):

As you can se here, the Connection is up, the tunnels work: (Upper one is my Datacenter Link, the lower one to our radio station)

Even a traceroute from the pfs here works to the server inside the LAN in want to access:

But if i try that from my workstation (LAN @ 10.0.11.90):

It just runs until it fails at the end...

Last but not least my Routes, as far as i can see this is correct in every way.
I did everything the same in both tunnels, the first one works, the second one does not...

I hope i included everything you need, if not just tell me what i should include :)

Greetings Chris

Rico · Dec 11, 2018, 7:14 PM

Can you please show your Firewall Rules? OpenVPN Tab and Interfaces (if assigned).

-Rico

Chris-The-Tuner · Dec 11, 2018, 8:15 PM

Interfaces are not assigned to VPN tunnels for now.
Within the OpenVPN Interface i only have 1 Rule (everything allowed) * * * * * :D

Rico · Dec 11, 2018, 8:29 PM

How about Routing on the non working far side?
Anything in the table for 10.0.11.0/24 ?

-Rico

Chris-The-Tuner · Dec 11, 2018, 9:08 PM

I'm not able to check the Server Side on the second tunnel since i'm not running it.
What should be there ?
I have a small suspicion that the Server maybe blocks connections from a LAN network...
Could that be the case ?

Rico · Dec 11, 2018, 9:18 PM

The Server Side need to know your local network and a route set (normally this happens in the OpenVPN Server Config).
And of course the Server need to accept your Packets by it's Firewall Rules.
ATM the only thing we know the Server side knows the Route and accept Packets for the tunnel network.

-Rico

chpalmer · Dec 11, 2018, 9:44 PM

In your second picture.. You need to add your LAN to the Remote Networks of that site. 10.0.11.0/24

Ive got this same scenario between a radio station I do work for and my office.

Rico · Dec 11, 2018, 9:44 PM

...this is what I just said right? ;-)

-Rico

chpalmer · Dec 11, 2018, 9:46 PM

@rico

Missed that. Yep. I hate this laptop.

chpalmer · Dec 11, 2018, 9:56 PM

@chpalmer

Looking again your radio station router should not have its own LAN in the "remote networks" entry..

Chris-The-Tuner · Dec 11, 2018, 10:21 PM

Yep that eas the problem.
I just mapped the traffic from my LAN to the IP i get from the VPN Server so that i show up as a Single VPN Client and not as a LAN workstation.

Works fine now :)

Thank you very mutch !

Rico · Dec 11, 2018, 10:23 PM

So you do NAT now?
That is not ideal but can work in some cases. :-)

-Rico

Chris-The-Tuner · Dec 11, 2018, 10:28 PM

The Admin does not want to let traffic from my LAN pass, so thats the only way i have.

Sure its not ideal but hey, its getting the job done.

chpalmer · Dec 11, 2018, 10:32 PM

@chris-the-tuner said in VPN Network is not routing via tunnel:

The Admin does not want to let traffic from my LAN pass, so thats the only way i have.

Actually a correctly built firewall rule at the radio station only allowing you workstation IP would do the job just as well. In fact if your not accessing you LAN from any of the other sites Id delete the firewall rule on your local router on the OpenVPN tab.

Chris-The-Tuner · Dec 11, 2018, 10:42 PM

I do access my home LAN via a Server running on my pfs ;)

chpalmer · Dec 11, 2018, 10:43 PM

I believe you could also place your local workstation at an address such as .129 and then use x.x.x.128/30 on the radio station side "remote network" to limit the size of your network their router sees. I have not tried this but there seems no reason it would not work.