Unable to access additional subnets on Server side from Remote office.
-
I've searched already and still unable to solve this. I must be missing something simple.
We're running v.2.2.1 on both routers. We only have a main office and a small remote site. OpenVPN site-to-site has already been configured and working; I'm able to ping the routers from both ends.
The main office is on a 10.0.0.0/16 network and the remote office is on 10.1.1.0/24. I want the remote office (10.1.1.0/24) to be able to access the servers/machines/resources that are in all the subnets at the main office (e.g. 10.0.1.100, 10.0.127.10, 10.0.1.111)
Where/how do I enter routes properly? Under "Advanced Configuration" in the OpenVPN setting, I've tried to add "route 10.0.1.0 255.255.255.0" on both server side and client side but it's not working.
-
When you setup the Open-VPN you specify the remote networks within Open-VPN. Also make sure you look at your rules and allow the traffic. Other than doing that you should be good to go.
-
That's what I had figured too but I must be missing something. Ports are open and set to any/any.
Server side:
Client side
-
Uh… your tunnel is inside the /16. Please, sanitize your network design. Very much doubt you have 65K hosts. And while at it, stay totally out of 10.0.0.*
-
Uh… your tunnel is inside the /16. Please, sanitize your network design. Very much doubt you have 65K hosts. And while at it, stay totally out of 10.0.0.*
Yes, aware of that. It was inherited when I joined and will be scrubbed once we migrate to a new location in the near future.
-
Well, it needs to be fixed NOW. It will not work. Either fix the /16 or move the tunnel to some other RFC1918 range.
-
You really just need to change the tunnel network to some private IP space different from any of your other private LAN subnets - 2 minutes, simple.
I wish people would also think when setting up these things, rather than just clicking and entering exactly what they see in some on-line guide!
I have some code in progress to try and prevent this, so it will give a validation error if you try to save an OpenVPN with a tunnel network that overlaps any other network. -
That sounds like a nice "dummy proofing" patch. I sometimes start going cross-eyed when staring at my lists of subnets for all the various tunnels / VLANs / etc. I often make use of a handy tool called subnetcalc to check for overlapping IP ranges. If you're on a Mac and use Homebrew it's available via brew install subnetcalc
