Netgate Discussion Forum
    Site to Site VPN with two networks on one end

    Category: OpenVPN
    6 Posts 3 Posters 1.3k Views
    cherzberg:

      Hey there,

      I read a lot in this forum but did not find the right answer.

      Site-A: 10.0.13.0/27 (Server)
      Site-B: 192.168.3.0/24 and 192.168.238.0/24 (Client)

      The server is configured like this, and of course with a PKI:

      IPv4 Tunnel Network : 10.2.8.0/24
      IPv4 Local Network  : 10.0.13.0/27
      IPv4 Remote Network : 192.168.3.0/24, 192.168.238.0/24
      Connections         : 10

      Consistent with the client cert, I did two iroutes:

      iroute 192.168.3.0 255.255.255.0; iroute 192.168.238.0 255.255.255.0;

      At the client site I configured just the cert and the following points:

      IPv4 Tunnel Network : 10.2.8.0/24
      IPv4 Remote Network : 10.0.13.0/27

      So everything seems to be right. But now traffic goes through the tunnel from the server site.
      If I delete the second network from the iroute and from the server-side "IPv4 Remote Network", the network 192.168.3.0/24 is reachable from the server site.

      Any ideas?

      Cheers
      Christian


      heper:

        why not just remove the iroutes ?

          cherzberg:

          Hi heper,

          because I would like to use this OpenVPN server for more than one destination. This is just the first one, and I hope to get more than 20 other destinations connected.

          Cheers
          Christian

            Derelict (LAYER 8, Netgate):

            What you have seems like it should work.  You'll probably have to look at the routing tables to see what's not right.

            Your system routing table Diagnostics > Routes should show you which system routes are being sent to the OpenVPN server. With both iroutes configured and the VPN connected, when you look at Status > OpenVPN you should see a button called Show Routing Table.  That should show your iroutes.

            There are also firewall rules in play at both the client and server sides.  The client will not be able to make connections to the local networks on the server without the proper OpenVPN firewall rules.  The server will not be able to make connections to the client networks without appropriate OpenVPN firewall rules on client.

            Additionally, if you have control over how these remote sites are configured it would make sense to put all their local networks in the same supernet.

            You would configure your server with:

            Remote Networks: 192.168.64.0/19

            Then do the following in client-specific overrides:

            Site 1: iroute 192.168.64.0 255.255.255.0;

            Site 2: iroute 192.168.65.0 255.255.255.0;

            Site 3: iroute 192.168.66.0 255.255.255.0;

            Site 4: iroute 192.168.67.0 255.255.255.0;

            Site 5: iroute 192.168.68.0 255.255.255.0;

            Site 6: iroute 192.168.69.0 255.255.255.0;

            Site 7: iroute 192.168.70.0 255.255.255.0;

            etc.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              cherzberg:

              Hi Derelict,

              thanks for your suggestions. I will test it that way. But is it also possible to get two networks routed to one location? I guess yes.

              Site 1: iroute 192.168.64.0 255.255.255.0; iroute 192.168.65.0 255.255.255.0;

              Site 2: iroute 192.168.66.0 255.255.255.0;

              Site 3: iroute 192.168.67.0 255.255.255.0;

              and so on.

              Thanks
              Christian

                Derelict (LAYER 8, Netgate):

                Yes.  That should work fine.  Like I said, leave both iroutes enabled and check the routing tables after they connect.

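To make the plan from the two posts above concrete (one supernet in the server's remote-networks field, one or more networks per site in the client-specific overrides, including a site that owns two networks), here is an added example. It is not code from this thread, from pfSense or from OpenVPN; it assumes the standard OpenVPN model in which the server-side "IPv4 Remote Network(s)" entries become `route` statements that send those destinations into the tunnel, and each override's `iroute` tells the server which connected client owns a network. The function names and the sample plans are this example's own; the plans are constructed from the addresses in the thread plus two deliberately broken sites.

```python
"""Sanity-check an OpenVPN site-to-site routing plan before entering it in pfSense.

Added example for this thread; not code from the forum, pfSense or OpenVPN.
Assumed model (standard OpenVPN server/iroute behaviour):
  * the server's "IPv4 Remote Network(s)" field becomes 'route' statements, so
    the kernel sends those destinations into the tunnel interface;
  * each Client Specific Override's 'iroute' tells the OpenVPN server which
    connected client owns a network, so every client network must be covered
    by a server-side route and no two clients may claim overlapping networks.
Function names and the sample plans are this example's own.
"""
import ipaddress
from typing import Dict, List


def parse_nets(nets: List[str]) -> List[ipaddress.IPv4Network]:
    # strict=True rejects entries with host bits set (e.g. 192.168.3.1/24),
    # which OpenVPN would also reject as an iroute/route argument.
    return [ipaddress.IPv4Network(n, strict=True) for n in nets]


def check_plan(remote_networks: List[str], sites: Dict[str, List[str]]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    remotes = parse_nets(remote_networks)
    parsed = {site: parse_nets(nets) for site, nets in sites.items()}
    problems: List[str] = []
    # 1. every client network must lie inside some server-side remote network,
    #    otherwise the server's kernel never routes it into the tunnel at all
    for site, nets in parsed.items():
        for net in nets:
            if not any(net.subnet_of(r) for r in remotes):
                problems.append(
                    f"{site}: {net} is not covered by any server 'IPv4 Remote Network' entry"
                )
    # 2. no two sites may announce overlapping networks, otherwise OpenVPN's
    #    internal routing table cannot pick one client for that destination
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in parsed[a]:
                for nb in parsed[b]:
                    if na.overlaps(nb):
                        problems.append(f"{a} {na} overlaps {b} {nb}")
    return problems


def iroute_line(nets: List[str]) -> str:
    """Render the override line for one site in the thread's syntax, one
    'iroute <network> <netmask>;' per network (several per site are fine)."""
    return " ".join(f"iroute {n.network_address} {n.netmask};" for n in parse_nets(nets))


def server_route_lines(remote_networks: List[str]) -> List[str]:
    """The 'route' statements the server-side remote-networks field produces."""
    return [f"route {n.network_address} {n.netmask}" for n in parse_nets(remote_networks)]


# Constructed sample plans: the thread's original setup, and the supernet plan
# with two deliberately broken sites added so the checks have something to flag.
THREAD_PLAN = {
    "remote_networks": ["192.168.3.0/24", "192.168.238.0/24"],
    "sites": {"Site-B": ["192.168.3.0/24", "192.168.238.0/24"]},
}
SUPERNET_PLAN = {
    "remote_networks": ["192.168.64.0/19"],  # covers 192.168.64.0 - 192.168.95.255
    "sites": {
        "Site 1": ["192.168.64.0/24", "192.168.65.0/24"],  # two networks, one site
        "Site 2": ["192.168.66.0/24"],
        "Site 3": ["192.168.67.0/24"],
        "Site 9": ["192.168.96.0/24"],   # outside the /19: flagged as not covered
        "Site 10": ["192.168.66.0/24"],  # duplicates Site 2: flagged as overlap
    },
}

if __name__ == "__main__":
    for name, plan in (("thread plan", THREAD_PLAN), ("supernet plan", SUPERNET_PLAN)):
        print(f"== {name}")
        for line in server_route_lines(plan["remote_networks"]):
            print("server:", line)
        for site, nets in plan["sites"].items():
            print(f"{site}: {iroute_line(nets)}")
        for problem in check_plan(plan["remote_networks"], plan["sites"]):
            print("PROBLEM:", problem)
```

Run it as-is to print the server `route` statements and the per-site override lines for both plans; the thread's own plan passes cleanly, while the supernet plan reports the site outside the /19 and the pair of sites claiming the same /24. This only validates the plan on paper; the Diagnostics > Routes and Status > OpenVPN routing-table checks described above are still what confirms the running system agrees.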
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.