I am able to reach server side IPs from the client side but can't reach client network devices from the server side.
The server and client are both running OPNsense.
Traceroute from the server network never gets beyond the server OPNsense router.
The client network is 192.168.1.0.
Relevant netstat -rn info from the server:
Destination Gateway Flags Netif Expire
10.0.8.0/24 10.0.8.2 UGS ovpns1
10.0.8.2 link#20 UH ovpns1
192.168.1.0/24 10.0.8.2 UGS ovpns1
Configuration screenshots attached.
client config screenshots:
You need a Client Specific Override in VPN: OpenVPN: Client Specific Overrides
Choose the server and enter the client name as is shown as "common name" in VPN: OpenVPN: Connection Status
Enter the local and remote networks (additionally to those you already have in the main server config).
Even though your routing table is showing that the OPNsense knows the routes, the OpenVPN daemon doesn't know to which client this remote network belongs. Therefore a client specific override is needed.
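As an added illustration of the route/iroute distinction the reply above makes (this is not the poster's text and not a file taken from OPNsense), here is the server-side OpenVPN configuration the GUI settings correspond to, assuming the 10.0.8.0/24 tunnel from the netstat output, a placeholder server LAN of 10.10.0.0/24 and a placeholder common name:

```conf
# ---- server config (OPNsense generates the equivalent from VPN: OpenVPN: Servers) ----
# Tunnel network taken from the thread's netstat output.
server 10.0.8.0 255.255.255.0

# "IPv4 Local Network" in the server config: pushed to connecting clients so the
# client side learns the route to the server LAN. 10.10.0.0/24 is a placeholder.
push "route 10.10.0.0 255.255.255.0"

# "IPv4 Remote Network" in the server config: installs a kernel route on the
# server OPNsense sending 192.168.1.0/24 into the tunnel interface. This is the
# "192.168.1.0/24 10.0.8.2 UGS ovpns1" line in netstat. On its own it is NOT
# enough: the kernel hands the packet to the daemon, but the daemon still does
# not know which connected client owns that subnet.
route 192.168.1.0 255.255.255.0

# Client Specific Overrides are stored as one file per client in this directory.
client-config-dir ccd

# ---- ccd/<common-name>  (placeholder; file name must equal the client's ----
# ---- certificate common name as shown in VPN: OpenVPN: Connection Status) ----
# "IPv4 Remote Network" in the override: tells the OpenVPN daemon that
# 192.168.1.0/24 sits behind THIS client, so traffic the kernel routes into the
# tunnel is forwarded to the right peer instead of being discarded.
iroute 192.168.1.0 255.255.255.0
```

If the file name does not match the common name exactly, the override is silently ignored, which is why the connection-status page is the place to copy it from.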
Thanks again for helping.
I had the client name incorrect and have fixed that. When the client isn't forced to send all traffic via the gateway, it can only reach the remote network with a NAT rule. I think maybe because of that, the remote network can't reach the client network.
Is there some misconfiguration or other issue that could cause this problem?
I just realised that with no NAT, I can reach the remote network/s from the client server itself ok - ssh, ping etc.
Other systems on the client network are unable to reach the remote network with the NAT rule disabled.
On the client side network: is the OPNsense the default gateway?
Same on the server side: is the OPNsense the default gateway?
Please show screenshots of:
System: Routes: Status of both boxes.
Server side:
Network devices --> OPNsense --> FTTC modem --> Internet
Client side:
Network devices --> OPNsense --> FTTC modem --> Internet
|--Pi-Hole DNS
Screenshots:
The output from the server was ridiculously long to screenshot, so I did it via netstat instead.
client:
There should not be any NAT involved. Why do you have a NAT rule on the client side screenshot on the OpenVPN?
Please show a current screenshot of server side OpenVPN server config and Client-Specific-Override with the correct "common name"
And a screenshot of VPN: OpenVPN: Connection Status of the server side.
There should be an arrow pointing down saying something like: OVPN UDP4:1194 Routing Table (the name can be different). Click on the arrow to expand the routing table and include in the screenshot.
Without NAT, only the client OPNsense router can access the remote network/s. With the rule enabled, other network devices can also access the remote network/s.
OpenVPN Server config screenshots:
continued...
Client-Specific-Override:
openvpn status:
You have something weird in your OpenVPN server config. Have a look at local and remote network and then have a look at local and remote network again in client-specific override. Why do they not match? They should.
Remote is always 192.168.1.0/24 in your case. And local are the local networks of the server side.
You're right. The wording on the details at the client side threw me. I've fixed this and it is now working perfectly after a reboot. Thanks very much for helping!