VPN Network is not routing via tunnel
-
There is no firewall on any workstation I run here...
The fun part is that I can freely use another tunnel and it works fine, but the second one just does not work... I don't understand why this is, but I got that problem.
The config of both clients is the same (except for Server/Port).
-
Well, it has to be something.
Guess you need to post screenshots, etc., so we can have a chance at seeing what was done wrong.
-
Beginning with the working Tunnel:
This one works without any issues, every network is accessible from my side (LAN @ 10.0.11.0/24)
Next is the same config for the radio network, this one is NOT (but should be) accessible from my side (LAN @ 10.0.11.0/24):
As you can see here, the connection is up, the tunnels work: (the upper one is my Datacenter link, the lower one to our radio station)
Even a traceroute from the pfS here works to the server inside the LAN I want to access:
But if I try that from my workstation (LAN @ 10.0.11.90):
It just runs until it fails at the end... Last but not least my routes; as far as I can see this is correct in every way.
I did everything the same in both tunnels, the first one works, the second one does not...
I hope I included everything you need; if not, just tell me what I should include :)
Greetings Chris
-
Can you please show your Firewall Rules? OpenVPN Tab and Interfaces (if assigned).
-Rico
-
Interfaces are not assigned to VPN tunnels for now.
Within the OpenVPN interface I only have 1 rule (everything allowed) * * * * * :D
-
How about Routing on the non working far side?
Anything in the table for 10.0.11.0/24?
-Rico
-
I'm not able to check the server side on the second tunnel since I'm not running it.
What should be there?
I have a small suspicion that the server maybe blocks connections from a LAN network...
Could that be the case?
-
The Server Side needs to know your local network and a route set (normally this happens in the OpenVPN Server Config).
And of course the Server needs to accept your packets by its Firewall Rules.
ATM the only thing we know is that the Server side knows the Route and accepts Packets for the tunnel network.
-Rico
-
In your second picture.. You need to add your LAN to the Remote Networks of that site. 10.0.11.0/24
I've got this same scenario between a radio station I do work for and my office.
-
...this is what I just said right? ;-)
-Rico
-
Missed that. Yep. I hate this laptop.
-
Looking again, your radio station router should not have its own LAN in the "remote networks" entry..
-
Yep, that was the problem.
I just mapped the traffic from my LAN to the IP I get from the VPN Server so that I show up as a single VPN client and not as a LAN workstation. Works fine now :)
Thank you very much!
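The check Rico asked for ("anything in the table for 10.0.11.0/24?") and the reason the NAT workaround above works can both be shown with a longest-prefix route lookup on each side of the tunnel. The script below is an added example, not code posted in this thread or part of pfSense; its route tables are constructed, and the far-side LAN (10.0.50.0/24), the tunnel network (10.8.0.0/24), the NAT address (10.8.0.2) and the interface names (ovpnc1, ovpns1) are assumptions. Only the near-side LAN 10.0.11.0/24 and the workstation 10.0.11.90 come from the thread.

```python
"""Check that both ends of a site-to-site OpenVPN tunnel can route each other's
LAN. Added example with constructed route tables; not from the thread or pfSense."""
import ipaddress

# Route entries are (prefix, outgoing interface), like a condensed "netstat -r".
# Near side: our pfSense box. 10.0.11.0/24 is the LAN from the thread; the far
# LAN, tunnel network and interface names are assumptions.
OUR_ROUTES = [
    ("0.0.0.0/0", "wan"),
    ("10.0.11.0/24", "lan"),
    ("10.8.0.0/24", "ovpnc1"),    # assumed tunnel network, client instance 1
    ("10.0.50.0/24", "ovpnc1"),   # assumed far-side LAN, reached via the tunnel
]

# Far side WITH our LAN listed under "Remote Networks": a return route exists.
FAR_ROUTES_OK = [
    ("0.0.0.0/0", "wan"),
    ("10.0.50.0/24", "lan"),
    ("10.8.0.0/24", "ovpns1"),
    ("10.0.11.0/24", "ovpns1"),   # route back to our LAN through the tunnel
]

# Far side WITHOUT it: replies to 10.0.11.x fall through to the default route
# and leave via WAN, which is why the traceroute runs until it fails.
FAR_ROUTES_MISSING = [
    ("0.0.0.0/0", "wan"),
    ("10.0.50.0/24", "lan"),
    ("10.8.0.0/24", "ovpns1"),
]

TUNNEL_IFACES = {"ovpnc1", "ovpns1"}


def lookup(routes, address):
    """Longest-prefix match; returns (prefix, interface) or None if no route."""
    ip = ipaddress.ip_address(address)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else None


def path_is_symmetric(our_routes, far_routes, src, dst, tunnel_ifaces=TUNNEL_IFACES):
    """Look up the forward path (our side, towards dst) and the return path
    (far side, towards src). Traffic only flows end to end if both use the tunnel."""
    forward = lookup(our_routes, dst)
    ret = lookup(far_routes, src)
    ok = (forward is not None and ret is not None
          and forward[1] in tunnel_ifaces and ret[1] in tunnel_ifaces)
    return {"forward": forward, "return": ret, "ok": ok}


if __name__ == "__main__":
    host = "10.0.50.10"   # assumed server inside the far LAN
    for label, far in (("far side has 10.0.11.0/24", FAR_ROUTES_OK),
                       ("far side missing 10.0.11.0/24", FAR_ROUTES_MISSING)):
        print(label, path_is_symmetric(OUR_ROUTES, far, "10.0.11.90", host))
    # The NAT workaround: source-NAT the LAN to the tunnel address (assumed
    # 10.8.0.2) so the far side only has to route the tunnel network.
    print("NAT to tunnel IP", path_is_symmetric(OUR_ROUTES, FAR_ROUTES_MISSING,
                                                "10.8.0.2", host))
```

The missing-route case reproduces the thread's symptom: our side sends into the tunnel, the far side answers via its default route, so nothing comes back. The NAT case shows why translating the LAN to the tunnel address fixes it without the far side adding a route: the reply is addressed to a tunnel-network IP that the far side already routes. Rico's point still stands, since NAT hides which LAN host made the connection from the far side's firewall logs; a return route plus a rule allowing only 10.0.11.90 keeps that visibility.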
-
So you do NAT now?
That is not ideal but can work in some cases. :-)
-Rico
-
The admin does not want to let traffic from my LAN pass, so that's the only way I have.
Sure it's not ideal but hey, it's getting the job done.
-
@chris-the-tuner said in VPN Network is not routing via tunnel:
The admin does not want to let traffic from my LAN pass, so that's the only way I have.
Actually a correctly built firewall rule at the radio station only allowing your workstation IP would do the job just as well. In fact, if you're not accessing your LAN from any of the other sites, I'd delete the firewall rule on your local router on the OpenVPN tab.
-
I do access my home LAN via a Server running on my pfs ;)
-
I believe you could also place your local workstation at an address such as .129 and then use x.x.x.128/30 on the radio station side "remote network" to limit the size of your network their router sees. I have not tried this but there seems no reason it would not work.
-
@chris-the-tuner said in VPN Network is not routing via tunnel:
I do access my home LAN via a Server running on my pfs ;)
Then adjust your local OpenVPN rule to the data center server network to your local LAN.
Firewall rules are your friend!
-
Remember that connections that are initiated by the allowed end are by proxy allowed to return. You do not need special WAN rules to allow return traffic from the web.. right? Same with any interface.