OpenVPN Site-to-Site always using first tunnel address as routing gateway

[jmarner]

I have an OpenVPN server set up in one location, and 2 remote sites that I am trying to set up a site-to-site with.

Server Settings:
Tunnel Network: 10.x.x.0/24
Local Network: 192.168.x.0/24
Remote Network: 192.168.y.0/24,192.168.z.0/24

Client Specific Overrides:
Client Y:
Tunnel Network:
Local Network:
Remote Network: 192.168.y.0/24

Client Z:
Tunnel Network:
Local Network:
Remote Network: 192.168.z.0/24

OpenVPN Connection Status:
Laptop Virtual Address: 10.x.x.2
Client Y Virtual Address: 10.x.x.3
Client Z Virtual Address: 10.x.x.4

However, when I look at the routing table, I see the following:
Destination: 192.168.y.0/24 Gateway: 10.x.x.2 (wrong, should be .3)
Destination: 192.168.z.0/24 Gateway: 10.x.x.2 (wrong, should be .4)

This is despite the fact that neither one of them use 10.x.x.2 as their ip address. If I FORCE one of the remote sites to use 10.x.x.2 (using "ifconfig-push 10.x.x.2 255.255.255.0"), it works for that one. But of course I cannot force both of my Sites to use the same tunnel address. I have also tried overriding the tunnel address but that doesn't work either.

This seems like it has to be a bug. Either the route builder is pulling the ip address from the wrong place, or it should be routing those subnets to the OpenVPN server at 10.x.x.1 instead to hand off routing.

[Hoe]

I thnk it's the way you have your tunnels setup based on info provided, this is my site to site config for Wireguard, working well...

VPN Destination Server
Tunnel Address:   10.8.0.1/24

VPN Client 1
Tunnel Address:   10.8.0.2/32

VPN Client 2
Tunnel Address:   10.8.0.3/32

Notice how the subnet is /32 on the clients meaning they only get 10.8.0.2 or whatever you list there.

In my case my home LAN 10.0.0.0/24 is on Client 1, so I have the following in Allowed IP's...

Endpoint on VPN Server for Client 1: 10.8.0.2/32 + 10.0.0.0/24
-This allows both the Client VPN IP and the Home Network connected too it to be routed.

Endpoint on VPN Server for Cleint 2: 10.8.0.3/32
-This is a mobile and doesn't need to route any additional networks but does need it's own VPN Client IP.

Hope this helps.

Oh, you may also need to manually create Gateways, so for example my home router (Client 1) has the following Gateway...

10.8.0.2
Which is that firewall's VPN IP, you then need to make sure your firewall \ nat rules are setup correctly.

*Mind you I just realised you are using OVPN and not WireGuard so this may not apply quite so well sorry.

[jmarner]

This isn't quite what my setup is. I have two different networks in addition to the main one. I can make your setup work by forcing the one remote network to have the x.x.x.2 address, and letting the other mobile clients just take the higher ips. The problem is when I want to route a third subnet to a different vpn client ip.

Also yes I am using OpenVPN and not WireGuard, so it's possible that this is an OpenVPN-specific bug. But honestly it could be common across both, because your setup described seems like you're only routing to 10.8.0.2/32 which always works for me.