Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    second OpenVPN server does not route

    Scheduled Pinned Locked Moved OpenVPN
    10 Posts 3 Posters 1.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      Laplacian
      last edited by

      I just set up my first OpenVPN server (remote access TLS +auth, TLS handshake, layer 3 tunnel, etc.) and it works well. I have my VPN clients in a 172.16.200.0/24 network and allow connectivity back to various 192.168.x.x/24 networks at home. I have a WAN FW rule that allows access via port 1194 and an OpenVPN FW rule that allows the 172.16.200.x clients to go where they need to go. Split and full tunnel work appropriately.

      However, I can't seem to get my second OpenVPN server to work. First, I copied the first working server (by clicking the copy button in the GUI). The only difference in this server is that it uses port 1195 and a client network of 172.16.210.0/24. I added the corresponding WAN and OpenVPN FW rules.

      My client can connect to the second server and get an IP in the appropriate network, but I cannot route anywhere locally or remotely (in split or full tunnel mode). System logs show that the client is hitting DNS at UDP/172.16.210.1 often, but nothing else.

      What am I missing? Is there something that I need to do to ensure my clients can route?

      R 1 Reply Last reply Reply Quote 0
      • R
        rcoleman-netgate Netgate @Laplacian
        last edited by

        @laplacian said in second OpenVPN server does not route:

        I have a WAN FW rule that allows access via port 1194

        @laplacian said in second OpenVPN server does not route:

        this server is that it uses port 1195

        Are you 100% certain?

        @laplacian said in second OpenVPN server does not route:

        My client can connect to the second server and get an IP in the appropriate network, but I cannot route anywhere locally or remotely (in split or full tunnel mode).

        What are the IPv4 network settings at in the server?

        Screen shots are good here - they can't give partial information (unless you crop).

        Ryan
        Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
        Requesting firmware for your Netgate device? https://go.netgate.com
        Switching: Mikrotik, Netgear, Extreme
        Wireless: Aruba, Ubiquiti

        1 Reply Last reply Reply Quote 0
        • L
          Laplacian
          last edited by

          OpenVPN server 1:
          port 1194 (default)
          VPN client network at 172.16.200.0/24
          everything routes appropriately

          OpenVPN server 2:
          port 1195
          VPN client network at 172.16.210.0/24
          does not seem to route

          Both have "Dynampic IP" checked under Client settings, both have "Subnet -- One IP address per client in a common subnet" selected under Topology.
          585a2c8c-b50f-4a2d-ae71-5fada027ad99-image.png

          working server 1:
          3736566f-9f24-491a-a090-c32c3eadb6d9-image.png

          non-working server 2:
          a77f520a-dd60-461f-9fc1-f28af78a4fa1-image.png

          WAN rules:
          98ede280-426d-4ed4-8c26-51bdbbc68615-image.png

          OpenVPN rules:
          a551024d-63a7-4558-8dd4-5786d81c0137-image.png

          Here are a couple of lines from my system log. I connected, then attempted to resolve the weg GUI of my printer which is at 192.168.31.1. I see a log entry for that and I see one for DNS. However, my client was never able to resolve the printer web GUI or any other IP I gave it in my browser.
          4ffa1b38-16de-4061-9914-e0461a4a04aa-image.png

          GertjanG R 2 Replies Last reply Reply Quote 0
          • GertjanG
            Gertjan @Laplacian
            last edited by

            @laplacian

            Some tests :
            When you disable "server 2", and edit server 1, change port 1194 UDP to 1195 UDP, does server 1 behaves correctly on port 1195 UDP ?

            And the other way around : disable server 1, edit server 2, shift port 1195 UDP to 1194 UDP : doe sit work now ?

            For both test, export a temporary client config.
            Compare also the client config files for differences. Only port and certs should differ.

            This :

            7eb29887-51ca-43dd-ae26-32c4cabf1724-image.png

            looks fine : traffic is coming in.

            You the console access and compare the server config files.
            You'll find theme here :
            /var/etc/openvpn/server1/
            and
            /var/etc/openvpn/server2/

            Both folders will contain a config.ovpn file : compare them.

            Did you instantiate both "Openvpn" interface ? (go to Interfaces => assignment and create an interface. Put the firewall rules on these instantiated interfaces, double check that the resolver listens also on these interfaces for dns conditionality)

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            L 2 Replies Last reply Reply Quote 0
            • R
              rcoleman-netgate Netgate @Laplacian
              last edited by

              @laplacian said in second OpenVPN server does not route:

              However, my client was never able to resolve the printer web GUI or any other IP I gave it in my browser.
              8a2c1ef0-2e7f-4f63-97b1-fb681909feea-image.png

              Did you give access to a specific port to a specific path? If you want to do that the source port MUST be "ANY".

              Ryan
              Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
              Requesting firmware for your Netgate device? https://go.netgate.com
              Switching: Mikrotik, Netgear, Extreme
              Wireless: Aruba, Ubiquiti

              1 Reply Last reply Reply Quote 0
              • L
                Laplacian @Gertjan
                last edited by

                @gertjan said in second OpenVPN server does not route:

                When you disable "server 2", and edit server 1, change port 1194 UDP to 1195 UDP, does server 1 behaves correctly on port 1195 UDP ?
                And the other way around : disable server 1, edit server 2, shift port 1195 UDP to 1194 UDP : doe sit work now ?

                Server 1 on port 1195 did work. Server 2 on port 1194 did not work.
                By "not work", I mean the same as before: it connects, gets an IP, but can't connect to any local or remote server/app. Logs show connections attempts to DNS 53 and some of my internal IPs.
                (Previously, I had server 1 on 1194 and server 2 on 1195.)

                @gertjan said in second OpenVPN server does not route:

                Compare also the client config files for differences. Only port and certs should differ.

                Actually, I just re-used the same cert and user for the configs. Here is the only diff in the files:
                8d8ebda8-fce2-44e4-b070-c1c7fbe578f4-image.png

                @rcoleman-netgate said in second OpenVPN server does not route:

                Did you give access to a specific port to a specific path? If you want to do that the source port MUST be "ANY".

                Not sure what you mean here...I included screenshots of my WAN and OpenVPN rules in a post above. On WAN, I am allowing any/any to WAN address/port 1195.

                @gertjan said in second OpenVPN server does not route:

                Did you instantiate both "Openvpn" interface ? (go to Interfaces => assignment and create an interface. Put the firewall rules on these instantiated interfaces, double check that the resolver listens also on these interfaces for dns conditionality)

                No, I did not. Is that necessary? Maybe that's my issue...let me check that.

                R 1 Reply Last reply Reply Quote 0
                • L
                  Laplacian @Gertjan
                  last edited by

                  @gertjan said in second OpenVPN server does not route:

                  Did you instantiate both "Openvpn" interface ? (go to Interfaces => assignment and create an interface. Put the firewall rules on these instantiated interfaces, double check that the resolver listens also on these interfaces for dns conditionality)

                  Okay, just did that. Now neither one of my servers work. I have 1 allow any rule on the OpenVPN server 1 interface, 1 allow any rule on the server 1 interface, and no rules on the auto-generated OpenVPN tab.

                  L 1 Reply Last reply Reply Quote 0
                  • R
                    rcoleman-netgate Netgate @Laplacian
                    last edited by

                    @laplacian said in second OpenVPN server does not route:

                    Not sure what you mean here...I included screenshots of my WAN and OpenVPN rules in a post above. On WAN, I am allowing any/any to WAN address/port 1195.

                    d1c2eb10-151c-4b78-a1e7-38f272169ef5-image.png
                    this indicates otherwise.

                    Ryan
                    Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                    Requesting firmware for your Netgate device? https://go.netgate.com
                    Switching: Mikrotik, Netgear, Extreme
                    Wireless: Aruba, Ubiquiti

                    L 1 Reply Last reply Reply Quote 0
                    • L
                      Laplacian @rcoleman-netgate
                      last edited by

                      @rcoleman-netgate said in second OpenVPN server does not route:

                      this indicates otherwise.

                      How so? Those log entries show a device with an IP in my VPN client range connecting to DNS and to my printer. Those two connections are both in RFC1918 space, private LAN-LAN, essentially. The external WAN rules are posted above and show any/any to 1195.

                      1 Reply Last reply Reply Quote 0
                      • L
                        Laplacian @Laplacian
                        last edited by

                        @laplacian said in second OpenVPN server does not route:

                        Okay, just did that. Now neither one of my servers work. I have 1 allow any rule on the OpenVPN server 1 interface, 1 allow any rule on the server 1 interface, and no rules on the auto-generated OpenVPN tab.

                        @Gertjan
                        Oops, I spoke too soon. Netgate documentation says you have to restart the servers after creating new interfaces. When I did that, I'm back to square 1: server 1 works as expected and server 2 (port 1195) does not seem to route.

                        I also did a diff of the server configs. The only things that differ are the port numbers and the interface IPs:
                        0d754854-45e5-4a95-91aa-42eb5e777838-image.png

                        The routing seems normal:
                        ae475855-da58-4802-8e8a-e0f19bd11152-image.png

                        Thanks for the tips so far, but is there anything else I can audit or compare between the two? This is really strange (and frustrating...)

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.