Topic: OpenVPN Site to Site - Can't reach client network from server network (Read 5152 times)
windswept321
Newbie
Posts: 34
Karma: 1
OpenVPN Site to Site - Can't reach client network from server network
« on: December 03, 2020, 01:47:40 am »
I am able to reach server side IPs from the client side but can't reach client network devices from the server side.
The server and client are both running Opnsense.
Traceroute from the server network never gets beyond the server Opnsense router.
The client network is 192.168.1.0.
Relevant netstat -rn info from the server:
Destination Gateway Flags Netif Expire
10.0.8.0/24 10.0.8.2 UGS ovpns1
10.0.8.2 link#20 UH ovpns1
192.168.1.0/24 10.0.8.2 UGS ovpns1
Configuration screenshots attached.
windswept321
Newbie
Posts: 34
Karma: 1
Re: OpenVPN Site to Site - Can't reach client network from server network
« Reply #1 on: December 03, 2020, 01:48:41 am »
client config screenshots:
Gauss23
Hero Member
Posts: 766
Karma: 39
Re: OpenVPN Site to Site - Can't reach client network from server network
« Reply #2 on: December 03, 2020, 08:45:56 am »
You need a Client Specific Override in VPN: OpenVPN: Client Specific Overrides
Choose the server and enter the client name as is shown as "common name" in VPN: OpenVPN: Connection Status
Enter local and remote network (additionally to those you already have in the main server config).
Even though your routing table is showing that the OPNsense knows the routes, the OpenVPN daemon doesn't know to which client this remote network belongs. Therefore a client specific override is needed.
„The S in IoT stands for Security!“
windswept321
Newbie
Posts: 34
Karma: 1
Re: OpenVPN Site to Site - Can't reach client network from server network
« Reply #3 on: December 05, 2020, 03:36:23 pm »
Thanks again for helping.
I had the client name incorrect and have fixed that. When the client isn't forced to send all traffic via the gateway, it can only reach the remote network with a NAT rule. I think maybe because of that, the remote network can't reach the client network.
Is there some misconfiguration or other issue that could cause this problem?
windswept321
Newbie
Posts: 34
Karma: 1
Re: OpenVPN Site to Site - Can't reach client network from server network
« Reply #4 on: December 05, 2020, 03:55:48 pm »
I just realised that with no NAT, I can reach the remote network/s from the client server itself OK - ssh, ping etc.
Other systems on the client network are unable to reach the remote network with the NAT rule disabled.
Gauss23
Hero Member
Posts: 766
Karma: 39
Re: OpenVPN Site to Site - Can't reach client network from server network
« Reply #5 on: December 05, 2020, 04:03:05 pm »
On the client side network: is the OPNsense the default gateway?
Same on the server side: is the OPNsense the default gateway?
Please show screenshots of:
System: Routes: Status of both boxes.
„The S in IoT stands for Security!“
windswept321
Newbie
Posts: 34
Karma: 1
Re: OpenVPN Site to Site - Can't reach client network from server network
« Reply #6 on: December 05, 2020, 04:26:55 pm »
Server side:
Network devices --> OPNsense --> FTTC modem --> Internet
Client side:
Network devices --> Opnsense --> FTTC modem --> Internet
|--Pi-Hole DNS
Screenshots:
windswept321
Newbie
Posts: 34
Karma: 1
Re: OpenVPN Site to Site - Can't reach client network from server network
« Reply #7 on: December 05, 2020, 04:27:46 pm »
The output from the server was ridiculously long to screenshot, so I did it via netstat instead.
client:
Gauss23
Hero Member
Posts: 766
Karma: 39
Re: OpenVPN Site to Site - Can't reach client network from server network
« Reply #8 on: December 05, 2020, 04:56:50 pm »
There should not be any NAT involved. Why do you have a NAT rule on the client side screenshot on the OpenVPN?
Please show a current screenshot of server side OpenVPN server config and Client-Specific-Override with the correct "common name"
And a screenshot of VPN: OpenVPN: Connection Status of the server side.
There should be an arrow pointing down saying something like: OVPN UDP4:1194 Routing Table (the name can be different). Click on the arrow to expand the routing table and include in the screenshot.
„The S in IoT stands for Security!“
windswept321
Newbie
Posts: 34
Karma: 1
Re: OpenVPN Site to Site - Can't reach client network from server network
« Reply #9 on: December 05, 2020, 05:12:16 pm »
Without NAT, only the client OPNsense router can access the remote network/s. With the rule enabled, other network devices can also access the remote network/s.
OpenVPN Server config screenshots:
windswept321
Newbie
Posts: 34
Karma: 1
Re: OpenVPN Site to Site - Can't reach client network from server network
« Reply #10 on: December 05, 2020, 05:12:49 pm »
continued...
windswept321
Newbie
Posts: 34
Karma: 1
Re: OpenVPN Site to Site - Can't reach client network from server network
« Reply #11 on: December 05, 2020, 05:13:41 pm »
Client-Specific-Override:
windswept321
Newbie
Posts: 34
Karma: 1
Re: OpenVPN Site to Site - Can't reach client network from server network
« Reply #12 on: December 05, 2020, 05:14:15 pm »
openvpn status:
Gauss23
Hero Member
Posts: 766
Karma: 39
Re: OpenVPN Site to Site - Can't reach client network from server network
« Reply #13 on: December 05, 2020, 05:37:46 pm »
You have something weird in your OpenVPN server config. Have a look at local and remote network and then have a look at local and remote network again in client-specific override. Why do they not match? They should.
Remote is always 192.168.1.0/24 in your case. And local are the local networks of the server side.
« Last Edit: December 05, 2020, 05:39:43 pm by Gauss23 »
„The S in IoT stands for Security!“
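What Gauss23 describes in replies #2 and #13 (the kernel already has a route for 192.168.1.0/24 into the tunnel, but the OpenVPN daemon needs its own per-client mapping, and the override's local/remote networks must line up with the server's) corresponds to the following OpenVPN directives, which is what the OPNsense GUI fields generate. This is an added illustration, not configuration taken from the thread or from OPNsense's own source; the common name `clientsite`, the server-side LAN 192.168.10.0/24 and the directory name `ccd` are assumed values, while the tunnel 10.0.8.0/24 and the client LAN 192.168.1.0/24 are the ones from the thread.

```conf
# --- Server side (VPN: OpenVPN: Servers), other generated lines omitted ---
# "IPv4 Tunnel Network"  -> server ...      (tunnel from the thread)
# "IPv4 Remote Network"  -> route ...       (kernel route: 192.168.1.0/24 via ovpns1,
#                                            this is the UGS entry seen in netstat -rn)
# "IPv4 Local Network"   -> push "route"    (server LAN, assumed 192.168.10.0/24)
dev ovpns1
dev-type tun
topology subnet
server 10.0.8.0 255.255.255.0
route 192.168.1.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
client-config-dir ccd     # directory name assumed; OPNsense picks its own path

# --- Client Specific Override, written to ccd/<common name>, here ccd/clientsite ---
# "IPv4 Remote Network" -> iroute: tells the daemon that packets for 192.168.1.0/24
#   belong to the session whose certificate CN is "clientsite".  Without this line
#   the kernel hands the packet to ovpns1, the daemon finds no client owning the
#   destination and drops it, which is exactly "traceroute stops at the server".
# "IPv4 Local Network"  -> push "route": the server LAN the client should learn.
iroute 192.168.1.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"

# --- The mismatch from reply #13, for contrast (do not use) ---
# Swapping local and remote in the override would generate
#   iroute 192.168.10.0 255.255.255.0
#   push "route 192.168.1.0 255.255.255.0"
# i.e. the client would claim the server's own LAN and be told to route its own
# LAN through the tunnel; 192.168.1.0/24 is then still unowned on the server side.
```

After changing either side, VPN: OpenVPN: Connection Status on the server should list 192.168.1.0/24 under the client's common name in the expanded routing table; that entry, not the kernel route, is what the daemon consults.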
windswept321
Newbie
Posts: 34
Karma: 1
Re: OpenVPN Site to Site - Can't reach client network from server network
« Reply #14 on: December 05, 2020, 09:17:46 pm »
You're right. The wording on the details at the client side threw me. I've fixed this and it is now working perfectly after a reboot. Thanks very much for helping!