Openvpn to access more than one subnets

bthoven

I've just created a new subnet (192.168.3.xx) for my iot device, in addition to my existing one (192.168.2.xx). My .2.xx devices can access .3.xx devices; but not vice versa (to protect my .2.xx devices from iot devices.

My Openvpn server allows me remote access all devices in the 192.168.2.xx and 192.168.3.xx subnets, except my AP (192.168.3.254)

My question is how I modify my Openvpn server setup to allow me to remote access both .2.xx and .3.xx.

Thank you.

update: the right subject should be "I can't access my new Access Point from a different subnet". It's solved now by defining gateway and dns server ip on my new AP.

chpalmer

What do your OpenVPN firewall rules look like?

bthoven

here it is

KOM

You need to edit your OpenVPN Server instance. Go to Tunnel Settings - IPv4 Local network(s) and add your 192.168.3.0/24 network there.

bthoven

@KOM said in Openvpn to access more than one subnets:

You need to edit your OpenVPN Server instance. Go to Tunnel Settings - IPv4 Local network(s) and add your 192.168.3.0/24 network there.

Thanks. My tunnel settings already force all ipv4.
Sorry, my .2.xx devices can access all .3.xx devices, except the Access Point (OpenWrt, 192.168.3.254) web admin page, ping from .2.xx failed. It could be any setting I need to adjust on the AP?

KOM

Your AP may only respond to traffic from its local network. You can check by doing a packet capture on your IOT interface while pinging the AP and see if the ping packets are leaving the IOT interface for the AP.

bthoven

Here are the packet capturing on my IOT interface when I'm on 192.168.2.9.

When I ping 192.168.3.24, which is successful:

When I ping 192.168.3.254, which is time-out.

Please bear with me. I'm still learning all these.

KOM

OK, that tells you that the packets are leaving the IOT interface. The unit you're pinging isn't responding.

chpalmer

Look at the LAN settings on your AP. Are they correct?

With OpenVPN the server already knows its local addresses. Nothing to change there. Usually changes for the server side happen on the client side. and visa versa.

Show your IOT interface rules.

bthoven

Thanks. If I replace my Openwrt AP with my Tenda stock firmware AP, I can access it! It seems to be some setting is needed on my Openwrt AP. Any idea what could it be?

update: ok now. I did not set gateway and dns ip to be 192.168.3.1 on my AP

chpalmer

:)

Gateway and subnet are important.

For a device to reply it has to know how to.

Gateway- any address outside of the device subnet goes here.

subnet- how big is my subnet range anyways? When must I forward my requests though the gateway address?

bthoven

Thanks. I did not specify it because when I installed my first AP, I didn't have to.

Networking is not my area and I learned a lot from you guys here. Installing PfSense forced me to have more hand-on experience on networking.