Netgate Discussion Forum
    Unable to access additional subnets on Server side from Remote office.

    rivets

      I've searched already and still unable to solve this. I must be missing something simple.

      We're running v.2.2.1 on both routers. We only have a main office and a small remote site. OpenVPN site-to-site has already been configured and working; I'm able to ping the routers from both ends.

      The main office is on a 10.0.0.0/16 network and the remote office is on 10.1.1.0/24. I want the remote office (10.1.1.0/24) to be able to access the servers/machines/resources that are in all the subnets at the main office (e.g. 10.0.1.100, 10.0.127.10, 10.0.1.111).

      Where/how do I enter routes properly? Under "Advanced Configuration" in the OpenVPN setting, I've tried to add "route 10.0.1.0 255.255.255.0" on both server side and client side but it's not working.

        mikeisfly

        When you set up the Open-VPN you specify the remote networks within Open-VPN. Also make sure you look at your rules and allow the traffic. Other than doing that you should be good to go.

          rivets

          That's what I had figured too but I must be missing something. Ports are open and set to any/any.

          Server side:

          Client side:

            doktornotor

            Uh… your tunnel is inside the /16. Please, sanitize your network design. Very much doubt you have 65K hosts. And while at it, stay totally out of 10.0.0.*

              rivets

              @doktornotor:

              Uh… your tunnel is inside the /16. Please, sanitize your network design. Very much doubt you have 65K hosts. And while at it, stay totally out of 10.0.0.*

              Yes, aware of that. It was inherited when I joined and will be scrubbed once we migrate to a new location in the near future.

                doktornotor

                Well, it needs to be fixed NOW. It will not work. Either fix the /16 or move the tunnel to some other RFC1918 range.

                  phil.davis

                  You really just need to change the tunnel network to some private IP space different from any of your other private LAN subnets - 2 minutes, simple.
                  I wish people would also think when setting up these things, rather than just clicking and entering exactly what they see in some on-line guide!
                  I have some code in progress to try and prevent this, so it will give a validation error if you try to save an OpenVPN with a tunnel network that overlaps any other network.

                  As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                  If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                    luckman212

                    That sounds like a nice "dummy proofing" patch. I sometimes start going cross-eyed when staring at my lists of subnets for all the various tunnels / VLANs / etc. I often make use of a handy tool called subnetcalc to check for overlapping IP ranges. If you're on a Mac and use Homebrew it's available via brew install subnetcalc.

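The overlap check phil.davis describes (refuse a tunnel network that overlaps any other network) and the subnetcalc comparison luckman212 uses can be reproduced in a few lines with Python's standard ipaddress module. This is an added example, not pfSense code; the thread never states the actual tunnel network, so 10.0.8.0/24 is a constructed value chosen to sit inside the main office /16, and 10.99.99.0/24 is a constructed replacement outside every LAN.

```python
import ipaddress
from itertools import combinations

# Constructed values for this example. The thread only says the tunnel sits
# "inside the /16"; 10.0.8.0/24 is an assumed tunnel network that reproduces
# the mistake, and 10.99.99.0/24 is an assumed corrected tunnel network.
MAIN_OFFICE_LAN = "10.0.0.0/16"
REMOTE_OFFICE_LAN = "10.1.1.0/24"
BAD_TUNNEL = "10.0.8.0/24"
GOOD_TUNNEL = "10.99.99.0/24"


def net(cidr):
    # strict=False tolerates host bits being set, e.g. "10.0.8.1/24" typed
    # into a field that expects a network.
    return ipaddress.ip_network(cidr, strict=False)


def overlap_errors(tunnel, networks):
    """Return validation errors for an OpenVPN tunnel network.

    networks maps a label to the CIDR of every subnet the VPN must route
    between (local LANs and remote networks). An overlap with the tunnel
    network means the kernel resolves the VPN routes against a directly
    connected or more specific route, so traffic never enters the tunnel.
    """
    errors = []
    tun = net(tunnel)
    for label, cidr in networks.items():
        if tun.overlaps(net(cidr)):
            errors.append(f"tunnel network {tunnel} overlaps {label} ({cidr})")
    # The routed networks must also be disjoint from each other; otherwise the
    # route OpenVPN installs for the far side collides with a local interface.
    for (label_a, cidr_a), (label_b, cidr_b) in combinations(networks.items(), 2):
        if net(cidr_a).overlaps(net(cidr_b)):
            errors.append(f"{label_a} ({cidr_a}) overlaps {label_b} ({cidr_b})")
    return errors


def main():
    nets = {"main office LAN": MAIN_OFFICE_LAN, "remote office LAN": REMOTE_OFFICE_LAN}
    for tunnel in (BAD_TUNNEL, GOOD_TUNNEL):
        errs = overlap_errors(tunnel, nets)
        print(tunnel, "->", "; ".join(errs) if errs else "OK")


if __name__ == "__main__":
    main()
```

Run it before saving a site-to-site configuration; any non-empty result is the same condition the thread diagnoses by eye.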
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.