OPNsense Forum

English Forums => Virtual private networks => Topic started by: Schaefer76 on November 30, 2021, 10:46:45 am

Title: OPENVPN Routing in a Site2Site Network
Post by: Schaefer76 on November 30, 2021, 10:46:45 am
Hello together,

I have a massive problem with a very strange network structure. I hope you can help me.
I just adopted the IT structure and I realize that rebuilding it would be the best solution, but since we are a manufacturing company I can't just change the existing structure. I hope you guys understand.

About the problem:

We have more and more outages in our administration due to Covid-19, so we would like to provide our employees with a VPN.

We already have an OPNsense firewall. And can access our LAN network via OPENVPN. This works without any problems.

But since we have the problem of not finding IT staff in our region, we decided a few years ago to give important software such as ERP system to a Citrix data center.

From the service provider we got a VPN Site2Site Cisco router in our LAN network. All devices in the LAN have this router set as gateway by default via the DHCP setting.

All requests that do not go into the network of the data center are distributed via a route through our OPNSENSE.
Our OpenVPN clients reach LAN clients via ICMP without any problems. But I can't reach the network from the data center.

A static route in this direction is already set on our OPNsense firewall.

A few months ago we used a Synology NAS as OPENVPN server, this had the same IP network for the OPENVPN clients. Unfortunately this NAS is broken and we need a solution.
I hope you can help me.

(https://i.imgur.com/X0mwd3C.png)

Thanks ;)

Title: Re: OPENVPN Routing in a Site2Site Network
Post by: lotzofwork on December 01, 2021, 02:07:03 pm
Hello,

The first thing I noticed is that the remote network of your Cisco router is not a valid private IP address.
The second octet "178" indicates a public IP address range. Nevertheless a connection should work.

Here some hints from my side:

1) Did you add the 192.178.9.0/29 network to the IPv4 Local Networks for the VPN?
2) Did you create an accepting firewall rule for the VPN-Clients to the remote 192.178.9.0/29 network?
3) Maybe the packets from VPN-Clients are sent, but you don't get a reply from the remote side, because the source IP from your VPN is 10.0.8.0/24 and the remote side has no backroute set. Control via packet capture and create an outbound NAT rule for your VPN, if this is the problem.
4) Did you try to ping the remote side directly from OPNsense interface? Interfaces -> Diagnostics -> Ping
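The missing-backroute situation in hint 3 (and the "route not pushed" case in hint 1) is easiest to see by tracing the request and the reply separately. The following is an added example, not code from either poster or from OPNsense: a small longest-prefix forwarding model of the thread's topology; the LAN subnet, the OPNsense LAN address and the Cisco default route toward OPNsense are assumptions, the VPN and remote prefixes come from the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the topology in this thread. From the posts: VPN clients
# 10.0.8.0/24, remote data-center network 192.178.9.0/29. The LAN subnet, the
# OPNsense LAN address and the Cisco default route to OPNsense are assumptions.
VPN_NET = ip_network("10.0.8.0/24")
REMOTE_NET = ip_network("192.178.9.0/29")
LAN_NET = ip_network("192.168.1.0/24")        # assumption
OPNSENSE_LAN_IP = ip_address("192.168.1.1")   # assumption
DEFAULT = ip_network("0.0.0.0/0")

# Per-hop route tables as (prefix, next hop). A next hop of None means the
# prefix is directly connected and the packet is delivered there. Note that
# the data-center side only knows the LAN prefix via the site-to-site tunnel.
TABLES = {
    "opnsense":   [(VPN_NET, None), (LAN_NET, None), (REMOTE_NET, "cisco")],
    "cisco":      [(LAN_NET, None), (REMOTE_NET, "datacenter"), (DEFAULT, "opnsense")],
    "datacenter": [(REMOTE_NET, None), (LAN_NET, "cisco")],
}

def trace(start, dst):
    """Longest-prefix-match forwarding from `start` toward `dst`.
    Returns the hop list; it ends in 'DROP' when a hop has no route."""
    path, node = [start], start
    while True:
        matches = [(n, nh) for n, nh in TABLES[node] if dst in n]
        if not matches:
            return path + ["DROP"]
        _, nh = max(matches, key=lambda m: m[0].prefixlen)
        if nh is None:
            return path                     # directly connected: delivered
        path.append(nh)
        node = nh

def ping_roundtrip(client_ip, target_ip, pushed_networks, outbound_nat):
    """Echo request from a VPN client plus the reply path.
    pushed_networks: prefixes the OpenVPN server pushes ('IPv4 Local Networks').
    outbound_nat: OPNsense masquerades VPN sources as its LAN address."""
    src, dst = ip_address(client_ip), ip_address(target_ip)
    if not any(dst in n for n in pushed_networks):
        return "request never enters the tunnel (route not pushed to client)"
    forward = trace("opnsense", dst)
    if forward[-1] == "DROP":
        return "request dropped at " + forward[-2]
    reply_to = OPNSENSE_LAN_IP if outbound_nat and src in VPN_NET else src
    back = trace(forward[-1], reply_to)
    if back[-1] == "DROP":
        return "reply dropped at %s (no backroute for %s)" % (back[-2], reply_to)
    return "ok: " + " -> ".join(forward) + " / " + " -> ".join(back)
```

Running the three cases (prefix not pushed, pushed without NAT, pushed with outbound NAT) shows where each ping dies, which is the same thing a packet capture on the OPNsense LAN interface would tell you.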