openvpn point to point one remote site of 3 connects won't route traffic
-
I have a host OpenVPN server: 10.10.30.16 - 10.10.30.0/24
with four sites:
A: 10.10.60.254 - 10.10.60.0/24
B: 10.10.70.1 - 10.10.70.0/24
C: 10.10.50.10 - 10.10.50.0/24
D: 192.168.11.1 - 192.168.11.0/24
A, B & D work as expected. I can communicate to/from with no problems.
C: is new. It connects to the Server OpenVPN very well - no errors in the logs, etc. However, I cannot communicate to/from 10.10.50.x to 10.10.30.x.
I've compared the routing tables between A, B and C and they appear equal.
I have read all the troubleshooting guides on this issue, here in the forum, in the Netgate support site, and those posted when you use a search engine. Tried many of the suggestions with no luck.
The tunnel network for all sites is: 10.0.4.0/24 - port 1197
As of this writing the C: network is connected as 10.0.4.4 to the server 10.0.4.1.
I can connect to the Netgate interface from a workstation: (10.10.30.19) to 10.0.4.4 with no issues.
If I tracert from 10.10.30.19 to any of the sites, the tracert stops at the server - 10.10.30.16
I checked for subnet issues, routes, firewall rules, etc.
Looking for any ideas: most likely a routing issue, but this one is not obvious when compared to the other 3 sites that are working.
-
@itinfo
From the C client device itself try to ping the server IP 10.0.4.1. If this works try its LAN IP 10.10.30.16 and then a device in the LAN which responds to pings from outside.
-
From c: 10.0.4.4
PING
Destination:
10.0.4.1 - success - router tunnel network
10.10.30.16 - success - router
10.10.30.19 - success - workstation
Thanks
-
@itinfo
Well. If you want to enable the client's LAN subnet to communicate with the server side's LAN or other remote sites, you have to create a Client Specific Override on the server.
But this applies as well to the other clients.
-
In my career as a consultant, we have a phrase that we use when we were talking to the office:
PICNIC.
This was code when asked: How is it going?
Answer: PICNIC: Problem in Chair not in Computer.
Well today I had a PICNIC, and thanks to you, I reviewed the existing Client Override for Site C side-by-side against Site B, and voila!
I had put the IP information (10.10.50.0/24) in the IPv4 Local Network/s, when it was supposed to be in the IPv4 Remote Network/s.
An update on the Server Client-Specific-Override for C, and a restart of Client C, and all is working.
Thanks a million.
-
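The mix-up that resolved this thread can be checked mechanically. The following is an added example, not code from any poster or from pfSense: it audits OpenVPN server-side configuration for remote subnets that are routed into the tunnel but have no matching `iroute` in a client override. It assumes that a Client Specific Override's "IPv4 Remote Network/s" is written out as `iroute` and "IPv4 Local Network/s" as `push "route ..."`; the config text and the common names `siteB` and `siteC` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample input (not the thread's real configuration files).
SERVER_CONF = """\
dev tun
server 10.0.4.0 255.255.255.0
route 10.10.70.0 255.255.255.0
route 10.10.50.0 255.255.255.0
"""
CCD = {  # hypothetical common name -> body of that client's override
    "siteB": "iroute 10.10.70.0 255.255.255.0\n",
    "siteC": 'push "route 10.10.50.0 255.255.255.0"\n',  # subnet in the wrong field
}


def nets(text, directive):
    """Return the IPv4 networks named by '<directive> <net> <mask>' lines."""
    pat = re.compile(
        r'^\s*' + directive + r'\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)"?\s*$', re.M)
    return {ipaddress.ip_network(f"{n}/{m}") for n, m in pat.findall(text)}


def audit(server_conf, ccd):
    """Map each subnet the server routes into the tunnel to (status, client).

    ok        - a client override claims the subnet with iroute
    swapped   - no iroute, but an override pushes the subnet to the client
    no-iroute - nothing claims the subnet; the server cannot pick a client
    """
    report = {}
    for net in sorted(nets(server_conf, "route")):
        owners = [cn for cn, body in ccd.items() if net in nets(body, "iroute")]
        pushed = [cn for cn, body in ccd.items()
                  if net in nets(body, r'push\s+"route')]
        if owners:
            report[str(net)] = ("ok", owners[0])
        elif pushed:
            report[str(net)] = ("swapped", pushed[0])
        else:
            report[str(net)] = ("no-iroute", None)
    return report


if __name__ == "__main__":
    for subnet, (status, client) in audit(SERVER_CONF, CCD).items():
        print(f"{subnet:18} {status:10} {client or '-'}")
```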