Site to Site VPN with two networks on one end



  • Hey there,

    I read a lot in this forum but did not find the right answer.

    Site-A: 10.0.13.0/27 (Server)
    Site-B: 192.168.3.0/24 and 192.168.238.0/24 (Client)

    The server is configured like this, and of course with a PKI:

    IPv4 Tunnel Network  : 10.2.8.0/24
    IPv4 Local Network   : 10.0.13.0/27
    IPv4 Remote Network  : 192.168.3.0/24, 192.168.238.0/24
    Connections                :  10

    Matching the client cert, I did two iroutes:

    iroute 192.168.3.0 255.255.255.0; iroute 192.168.238.0 255.255.255.0;

    At the client site I configured just the cert and the following points:

    IPv4 Tunnel Network  : 10.2.8.0/24
    IPv4 Remote Network  : 10.0.13.0/27

    So everything seems to be right. But now traffic goes through the tunnel from the server site.
    If I delete the second network from the iroute and from the server-side "IPv4 Remote Network", the network 192.168.3.0/24 is reachable from the server site.

    Any ideas?

    Cheers
    Christian




  • Why not just remove the iroutes?



  • Hi heper,

    because I would like to use this OpenVPN server for more than one destination. This is just the first one, and I hope to get more than 20 other destinations connected.

    Cheers
    Christian


  • LAYER 8 Netgate

    What you have seems like it should work. You'll probably have to look at the routing tables to see what's not right.

    Your system routing table (Diagnostics > Routes) should show you which system routes are being sent to the OpenVPN server. With both iroutes configured and the VPN connected, when you look at Status > OpenVPN you should see a button called Show Routing Table. That should show your iroutes.

    There are also firewall rules in play at both the client and server sides. The client will not be able to make connections to the local networks on the server without the proper OpenVPN firewall rules. The server will not be able to make connections to the client networks without appropriate OpenVPN firewall rules on the client.

    Additionally, if you have control over how these remote sites are configured, it would make sense to put all their local networks in the same supernet.

    You would configure your server with:

    Remote Networks: 192.168.64.0/19

    Then do the following in client-specific overrides:

    Site 1: iroute 192.168.64.0 255.255.255.0;

    Site 2: iroute 192.168.65.0 255.255.255.0;

    Site 3: iroute 192.168.66.0 255.255.255.0;

    Site 4: iroute 192.168.67.0 255.255.255.0;

    Site 5: iroute 192.168.68.0 255.255.255.0;

    Site 6: iroute 192.168.69.0 255.255.255.0;

    Site 7: iroute 192.168.70.0 255.255.255.0;

    etc.



  • Hi Derelict,

    thanks for your suggestions. I will test it that way. But is it also possible to get two networks routed to one location? I guess yes.

    Site 1: iroute 192.168.64.0 255.255.255.0; iroute 192.168.65.0 255.255.255.0;

    Site 2: iroute 192.168.66.0 255.255.255.0;

    Site 3: iroute 192.168.67.0 255.255.255.0;

    and so on.

    Thanks
    Christian


  • LAYER 8 Netgate

    Yes. That should work fine. Like I said, leave both iroutes enabled and check the routing tables after they connect.
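As an added example (not code from the thread or from pfSense), a small Python check for the layout discussed above: every client-specific-override iroute must be covered by a server "route" line (what the server's "IPv4 Remote Network(s)" field generates, otherwise the OS has no route into the tunnel), and no two clients may claim the same network. The server route, the override text and the client names below are constructed sample data, with one site owning two networks as Christian asked.

```python
import ipaddress
from typing import Dict, List

# Constructed sample modelled on the /19 supernet scheme from the thread.
# Server side: the 'route' line that "IPv4 Remote Network(s)" produces.
# Client side: override text keyed by the client certificate CN (hypothetical names).
SERVER_ROUTES = ["route 192.168.64.0 255.255.224.0"]
CLIENT_OVERRIDES: Dict[str, str] = {
    "site1": "iroute 192.168.64.0 255.255.255.0; iroute 192.168.65.0 255.255.255.0;",
    "site2": "iroute 192.168.66.0 255.255.255.0;",
    "site3": "iroute 192.168.96.0 255.255.255.0;",  # outside the /19: no kernel route
    "site4": "iroute 192.168.65.0 255.255.255.0;",  # already claimed by site1
}


def parse_networks(text: str, keyword: str) -> List[ipaddress.IPv4Network]:
    """Parse 'keyword <network> <netmask>' statements separated by ';' or newlines."""
    nets = []
    for stmt in text.replace(";", "\n").splitlines():
        parts = stmt.split()
        if len(parts) == 3 and parts[0] == keyword:
            nets.append(ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=True))
    return nets


def check_iroutes(server_routes: List[str], overrides: Dict[str, str]) -> List[str]:
    """Return human-readable problems, empty if the iroutes are consistent.

    An iroute only tells OpenVPN which client a network belongs to; the server OS
    still needs a covering 'route' so packets reach the tun interface at all.
    """
    routes = [n for line in server_routes for n in parse_networks(line, "route")]
    problems: List[str] = []
    claimed: Dict[ipaddress.IPv4Network, str] = {}
    for cn, text in overrides.items():
        for net in parse_networks(text, "iroute"):
            if not any(net.subnet_of(r) for r in routes):
                problems.append(f"{cn}: iroute {net} has no covering server route")
            if net in claimed:
                problems.append(f"{cn}: iroute {net} already claimed by {claimed[net]}")
            else:
                claimed[net] = cn
    return problems


if __name__ == "__main__":
    for problem in check_iroutes(SERVER_ROUTES, CLIENT_OVERRIDES):
        print(problem)
```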

