Routing Problem

onetwo

Hello,

I need your help on the routing part please.

I have three sites interconnected in OpenVPN, Site1 Site2 and Site3.
Site1 is able to join Site2 and I would like it to be able to join Site3's LAN as well.
Site3 successfully joins Site1.

I have an Outbound NAT (Site3 To Site1) on Site2 that causes Site3 to reach Site1.
And Outbound NAT (Site1 To Site3) so that Site1 can reach Site3 but it doesn't work.

viragomann

@onetwo said in Routing Problem:

I have an Outbound NAT (Site3 To Site1) on Site2 that causes Site3 to reach Site1.

Outbound NAT is a workaround in case, you have the same subnet on two sites or if you need to access a device that has no default gateway setting.
Otherwise you should better route the traffic to the remote sites.

With outbound NAT you see only the routers IP on the destination device, no matter which IP is accessing it.

And Outbound NAT (Site1 To Site3) so that Site1 can reach Site3 but it doesn't work.

If you want it do it this way, you need the rule rather at site 2.

onetwo

@viragomann

I'm having trouble finding why it doesn't work in the direction Site1 -> Site3 while it works in the direction Site3 -> Site1

I have similar routes on Site1, Site2 and Site3 but however Site1 cannot reach Site3

@viragomann said in Routing Problem:

If you want it do it this way, you need the rule rather at site 2.

What route are you thinking of adding to make it work?

Thank you.

viragomann

@onetwo said in Routing Problem:

I'm having trouble finding why it doesn't work in the direction Site1 -> Site3 while it works in the direction Site3 -> Site1

It's not clear to me, where you've set which NAT rule. None of the rules you've posted above is applied to the site 3 LAN.

onetwo

@viragomann

The NAT rules below created on Site2 and apply to Site3.

viragomann

@onetwo
And 172.31.32.1 is the OpenVPN servers IP of site 2? The values in the drawing above are confusing.

onetwo

@viragomann

Site3 is the client of OpenVPN Server Site2 and 172.21.0.1 is IP of OpenVPN client interface "ovpnc1" of Site3

viragomann

@onetwo
Outbound NAT doesn't work this way. You need to translate the source to the servers IP.

onetwo

@viragomann I think it's the route problem, but I can't find what route I need to add to make it work

viragomann

@onetwo
I tried to tell you that one of your outbound NAT rules is wrong.
But anyway, the whole configuration seems crappy to me. Remove the outbound NAT rules on site 2 and set proper routes.
On site 1 simply route the traffic for sites 2 and 3 to 2 and on site 3 route 1 and 2 to 2.

There is no need to nat anything if all VPN endpoints are the default gateways in their local networks and if the routes are configured properly.

onetwo

@viragomann it's already the case, on Site 1 et Site 2 i have already the routes
And if I disable NAT on Site 2, it doesn't matter, Site 1 still can't reach Site 3

Routes Site 1

Routes Site 2