Need help with Site2Site Layer3 tunnel configuration

ltellier
OpenVpn Newbie
Posts: 2
Joined: Fri Mar 24, 2017 9:04 pm

Need help with Site2Site Layer3 tunnel configuration

Postby ltellier » Fri Mar 24, 2017 9:49 pm

Hi,

I have been testing out OpenVPN for creating a Site2Site VPN tunnel between 2 sites.
The tunnel is done through Layer3.

I've been following the following tutorial:
https://docs.openvpn.net/how-to-tutoria ... ss-server/

Our current topology is as follow:
SITE A:
LOCAL SUBNET: 192.168.0.0/24
OPENVPN_AS IP: 192.168.0.113

SITE B:
LOCAL SUBNET: 172.27.19.32/28
OPENVPN_CLIENT IP: 172.27.19.40

Both sites are having a separate GW for their public network.
We are able to create the site2site vpn tunnel between the 2 sites.
They can both (OpenVPN_AS and OpenVPN_Client) ping their remote's subnet (eg: pings from 192.168.0.0/24 <--> 172.27.19.32/28 or vice-versa) just fine.

The problem lies when other instances/clients try to ping remote IPs.
As a test, we have added a static route on a VM running on Site A (route add -net 172.27.19.32 netmask 255.255.255.240 gw 192.168.0.113) and tried to ping the OpenVPN_Client machine on site B (172.27.19.40) - it doesn't seem to be working as we are not receiving any responses.

Configuration for the OpenVPN_Client is as follow, please note we added routes to not be routed through the VPN tunnel (eg: avoiding the use of the vpn tunnel for public traffic). Could that be the issue ?

Code: Select all

setenv FORWARD_COMPATIBLE 1
client
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

# Route the following subnet to the VPN tunnel
route 192.168.0.0 255.255.255.0 vpn_gateway

server-poll-timeout 4
nobind
remote vpn.mydomain.com 1194 udp
remote vpn.mydomain.com 443 tcp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO


As for the OpenVPN_AS configuration file (config.json):

Code: Select all

{
  "Default": {
    "sa.initial_run_groups.0": "web_group",
    "sa.initial_run_groups.1": "openvpn_group",
    "vpn.client.routing.inter_client": "false",
    "vpn.client.routing.reroute_dns": "true",
    "vpn.client.routing.reroute_gw": "true",
    "vpn.daemon.0.client.netmask_bits": "20",
    "vpn.daemon.0.client.network": "172.27.224.0",
    "vpn.daemon.0.listen.ip_address": "eth0",
    "vpn.daemon.0.listen.port": "443",
    "vpn.daemon.0.listen.protocol": "tcp",
    "vpn.daemon.0.server.ip_address": "eth0",
    "vpn.server.daemon.enable": "true",
    "vpn.server.daemon.tcp.n_daemons": 2,
    "vpn.server.daemon.tcp.port": "443",
    "vpn.server.daemon.udp.n_daemons": 2,
    "vpn.server.daemon.udp.port": "1194",
    "vpn.server.group_pool.0": "172.27.240.0/20",
    "vpn.server.port_share.enable": "true",
    "vpn.server.port_share.ip_address": "1.2.3.4",
    "vpn.server.port_share.port": "1234",
    "vpn.server.port_share.service": "admin+client",


To summarize:
* The VPN tunnel is created and running;
* OpenVPN_AS can ping OpenVPN_Client using their respective local IP address (eg: 192.168.0.113 - 172.27.19.40);
* OpenVPN_Client can ping any other instances/clients on site A;
* OpenVPN_AS can ping any other instances/clients on site B;
* Instances/Clients on site A cannot ping clients, nor OpenVPN_Client on site B;
* Instances/Clients on site B cannot ping clients, nor OpenVPN_AS on site A;
* Static routes have been added on instances/clients at both location in order to route remote's subnet through the VPN gateway.

Please let me know if you guys need further information.

Cheers,

ltellier
OpenVpn Newbie
Posts: 2
Joined: Fri Mar 24, 2017 9:04 pm

Re: Need help with Site2Site Layer3 tunnel configuration

Postby ltellier » Wed Mar 29, 2017 1:51 pm

Bump! Anyone ?
Thanks!


Return to “Access Server”

Who is online

Users browsing this forum: No registered users and 1 guest