Three node setup (2 sat, one main office) - 2 sat cannot connect to each other
I have just setup an extra sat to connect to an already existing 'main office -> sat' openvpn network,
it works well and the sat's can connect to the main office without problems,
the problem is I cannot get the sat's to communicate between eachother, i.e. one sat cannot connect to a server at the other sat's location,
it is an shared key setup where;
sat1 (192.168.3.1/24) <–--> ((10.0.8.0/24)) <----> main office (192.168.1.1/24) <----> ((10.0.7.0/24)) <----> sat2 (192.168.2.1/24)
the two ((10.0.X.0/24)) can maybe be ignored, as I understand it's only over the actual vpn they are used,
I have pf 2.1 and setup two ovpn server instances to handle the incoming connects at the main office, and I have the correct (I think) IPv4 Remote Network/s filled in at the client ends of the connect (meaning no need for the 'route xxxxx' in custom/advanced settings at the bottom with pf 2.1)
I suspect I need to add something missing in the manual NAT in the main server, but I experimented a lot and cannot
get traffic to flow (is this even possible with shared key setup?),
(also if I add somehting under manual nat, what interface should I select)
You do not need any NAT. On sat1 Remote Network/s just list the subnets at main office and sat2. Similar scheme at sat2.
Make sure you have rules on OpenVPN tab everywhere that allows traffic incoming from the various subnets, and outgoing to the subnets further along the chain. The easy way to get going is to allow all on OpenVPN and get it working - then you can tighten rules and you know when you tighten them too much.
ok I think I got it working, I had the above settings - as recommended by phil - and
it turns out you need some NAT rules (firewall-nat-(manual)outbound) and add an entry:
select 'openvpn' as interface and 'from all' 'to all'
or in my case I narrowed it down to
from 10.0.7.0/24 to 192.168.2.0/24 and another entry 10.0.8.0/24 to 192.168.1.0/24 respectively (openvpn interface)
I did a traceroute from sat1 to sat2 and it timed out at 10.0.7.1 so tested with the nat rule,
I might have swapped the .7. and .8. but you get the idea…
now in a perfect world: how to route all internet traffic out of the main office's connection...