Netgate Discussion Forum
Three node setup (2 sat, one main office) - 2 sat cannot connect to each other

OpenVPN, 3 Posts, 2 Posters, 833 Views
Hero

Hi,
I have just set up an extra sat to connect to an already existing 'main office -> sat' OpenVPN network.
It works well and the sats can connect to the main office without problems.

The problem is I cannot get the sats to communicate with each other, i.e. one sat cannot connect to a server at the other sat's location.

It is a shared-key setup where:

sat1 (192.168.3.1/24) <----> ((10.0.8.0/24)) <----> main office (192.168.1.1/24) <----> ((10.0.7.0/24)) <----> sat2 (192.168.2.1/24)

The two ((10.0.X.0/24)) can maybe be ignored, as I understand they are only used over the actual VPN.

I have pf 2.1 and set up two OpenVPN server instances to handle the incoming connections at the main office, and I have the correct (I think) IPv4 Remote Network/s filled in at the client ends of the connection (meaning no need for the 'route xxxxx' in the custom/advanced settings at the bottom with pf 2.1).

I suspect I need to add something missing in the manual NAT on the main server, but I experimented a lot and cannot
get traffic to flow (is this even possible with a shared-key setup?).

(Also, if I add something under manual NAT, what interface should I select?)

Thanks!

/H

phil.davis

You do not need any NAT. On sat1 Remote Network/s just list the subnets at main office and sat2. Similar scheme at sat2.
Make sure you have rules on the OpenVPN tab everywhere that allow traffic incoming from the various subnets, and outgoing to the subnets further along the chain. The easy way to get going is to allow all on OpenVPN and get it working - then you can tighten rules and you know when you tighten them too much.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

Hero
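Phil's "Remote Network/s" advice, written out as the equivalent plain OpenVPN shared-key configuration for the three nodes (an added example, not the poster's pfSense settings; pfSense generates these directives from the GUI fields). The LAN and tunnel subnets are the ones in the post; the hostname, key file names, the second instance's port 1195 and the .1/.2 tunnel endpoint addresses are assumptions.

```conf
# ---- main office (LAN 192.168.1.0/24): two shared-key server instances ----
# instance 1: terminates sat1's tunnel on 10.0.8.0/24
dev tun
proto udp
port 1194
secret sat1.key                      # assumed file name
ifconfig 10.0.8.1 10.0.8.2           # hub end, sat1 end (assumed)
route 192.168.3.0 255.255.255.0      # sat1's LAN is reached through this tun

# instance 2: terminates sat2's tunnel on 10.0.7.0/24
dev tun
proto udp
port 1195                            # assumed; must differ from instance 1
secret sat2.key
ifconfig 10.0.7.1 10.0.7.2
route 192.168.2.0 255.255.255.0      # sat2's LAN is reached through this tun
# The hub now has a kernel route to each sat LAN, so a packet arriving from
# sat1 for 192.168.2.0/24 is forwarded out the sat2 tun (no NAT involved),
# as long as the OpenVPN-tab firewall rules pass it.

# ---- sat1 (LAN 192.168.3.0/24): shared-key client to main office ----
dev tun
proto udp
remote main-office.example 1194      # placeholder hostname
secret sat1.key
ifconfig 10.0.8.2 10.0.8.1
# "IPv4 Remote Network/s" = every subnet that lives on the far side of the hub
route 192.168.1.0 255.255.255.0      # main office LAN
route 192.168.2.0 255.255.255.0      # sat2 LAN, also via the hub

# ---- sat2 (LAN 192.168.2.0/24): shared-key client to main office ----
dev tun
proto udp
remote main-office.example 1195
secret sat2.key
ifconfig 10.0.7.2 10.0.7.1
route 192.168.1.0 255.255.255.0      # main office LAN
route 192.168.3.0 255.255.255.0      # sat1 LAN, also via the hub
```

A quick check on each sat is `netstat -rn` (or `route -n get 192.168.2.1` on pfSense) to confirm the other sat's LAN points at the tun interface rather than the default gateway.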

OK, I think I got it working. I had the above settings - as recommended by phil - and
it turns out you need some NAT rules (Firewall > NAT > Outbound (manual)); add an entry:
select 'openvpn' as interface and 'from all' 'to all'

or in my case I narrowed it down to
from 10.0.7.0/24 to 192.168.2.0/24 and another entry from 10.0.8.0/24 to 192.168.1.0/24 respectively (openvpn interface).

I did a traceroute from sat1 to sat2 and it timed out at 10.0.7.1, so I tested with the NAT rule.

I might have swapped the .7. and .8. but you get the idea…

Now, in a perfect world: how to route all internet traffic out of the main office's connection...

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.