Site 2 Site OpenVPN Connection working, but I am unable to access Client WAN IP

[rama72]

Dear community,

Am am operating an offsite OPNSense Box connected to the Internet via a 4G Router.
Therefore I cannot manage it via DYNDNS/Portforwarding on the WAN Side.
I´ve set up a 2nd OPNSense instance at home in a virtual machine and initiated a OpenVPN Site-to-Site connection outgoing from the offisite (Client-) OPNSense appliance towards the local OPNSense installation.
In my local environment I have set up a static route for the offsite-LAN, pointing to the WAN IP of the local OPNSense.
With this configuration I can reach the offisite OPNSense Web GUI.

[PC] --> Local OPNSense --> OpenVPN TUN --> [Offsite OPNSense LAN/WebGUI] is OK

But what I can not establish is:

[PC] --> Local OPNSense --> OpenVPN TUN --> [Offsite OPNSense LAN/WebGUI] --> [Offsite 4G Router Web GUI] does not work.

...I have set up the Offsite 4G Router LAN (which is the Offsite OPNSense appliance WAN) subnet in my local environment also as static route and also have set up the Offsite 4G Router LAN (which is the Offsite OPNSense appliance WAN) subnet as additional "IPv4 Remote Network" in the OpnVPN Server settings and added the rule for this subnet in the same manner like I did for the Offsite OPNSense LAN.

Please see attached PDF network drawing to show the situation better.
In Short words, referring to the drawing:
Web GUI of OPNSense appliance configured as OpenVPN-Client can be reached from OpenVPN-Server´s LAN.
Web GUI of the 4G Router "behind" OpenVPN-Client (OPNSense appliance) is not reachable through the OpenVPN tunnel from OpenVPN Server´s LAN.

[Demusman]

192.169.1.0/24 is not a private network. Change it.
192.168.2.0/24 for instance.

[rama72]

Ooops

192.169.1.0/24 is not a private network. Change it.
192.168.2.0/24 for instance.

....sorry, this is correct. I have fixed this and now the WAN of the offsite box is 172.25.30.0/24.
The problem described in my original post has not been solved.
See my attached updated network drawing.

[Demusman]

Assuming you can access the 4g router from the client LAN. On the client side, add the tunnel network as a remote network in OpenVPN config.

[rama72]

Assuming you can access the 4g router from the client LAN. On the client side, add the tunnel network as a remote network in OpenVPN config.

Hey Demusman, thank you again for your help. I already did this. In the OpenVPN Server settings I´ve included the "Offsite" LAN (192.168.1.0/24 and the WAN 172.25.30.0/24).
Do you mean it is necessary to add the 172.25.30.0/24 to the client OpenVPN config as "remote network" ?

[Demusman]

Yes.
The remote site wouldn't know to route the 4g network back over the vpn.

You can test this by running a packet capture on the remote side and pinging the 4g router from the local side.
You'll see the requests but no replies.

[rama72]

I´ve tried this out:
I´ve added in the "Offiste" to the OpenVPN Client settings the "Offsite WAN network 172.25.30.0/24" as "IPv4 Remote Network". The behaviour is still the same:

[PC] --> Local OPNSense --> OpenVPN TUN --> [Offsite OPNSense LAN/WebGUI] is OK

But what I can not establish is:

[PC] --> Local OPNSense --> OpenVPN TUN --> [Offsite OPNSense LAN/WebGUI] --> [Offsite 4G Router Web GUI] does not work.

[Demusman]

Not the wan, the tunnel. 10.10.0.0/24

[rama72]

This is of course already done. Otherwise the tunnel would not get estabblished, right?
I mean 10.10.0.0/24 is set up as "IPv4 Tunnel Network".

I think there needs something set up in the NAT settings....but not sure....

[Demusman]

Just do it. It'll work.