Site-to-Site routing issues

LittleNo
OpenVpn Newbie
Posts: 1
Joined: Mon Apr 24, 2017 7:24 am

Site-to-Site routing issues

Post by LittleNo » Mon Apr 24, 2017 8:14 am

I understand that similar questions have been asked here before; however, I can't find from the other threads or How-Tos where I'm doing anything wrong, so I'd like to ask for hints.

Basically I'm connecting two LANs through OpenVPN. The VPN tunnels are established successfully; however, I have some kind of routing issue.

For better understanding, here is a scheme of the topology:
[Image: topology diagram, not included]

Current State:

Network A is using a Fritzbox 7412 router with a (dynamic) public IP address which is reachable through a DynDNS name (mydomain.de in my sample confs). Local network is 192.168.3.0.

In Network A is an Ubuntu server which serves (among other things) as the OpenVPN server. Therefore UDP ports 1194 & 1195 are forwarded in the router to this server PC (192.168.3.130). I have two OpenVPN servers running: server1 is for connecting my other network B, server2 is for accessing both my networks from an iPhone.

Network B is using a Fritzbox 7390 which is behind a 4G router, and due to the NAT of the 4G provider it has no public IP address. Local network is 192.168.20.0.

In Network B is a Raspberry Pi (running Ubuntu MATE, local address 192.168.20.24) which serves as the OpenVPN client.

What I want: all clients from both networks and the iPhone should be able to communicate through my VPN structure. To get that done I have push routes set for the client's network, and on both LAN routers I configured static IP routes directing the opposite network to the OpenVPN client/server as gateway.

Now this already works:
  • Both tunnels get established
  • Ping, including:
    - from Ubuntu-Server to 10.8.0.10 and 192.168.20.24
    - from Client-PC in Network A to 10.8.0.10 and 192.168.20.24 and to the remote router 192.168.20.1
    - from Raspberry Pi in Network B to 10.8.0.1 and 192.168.3.130, the remote router 192.168.3.1 and to another client in Network A (192.168.3.154)
    - from Client-PC in Network B to 192.168.3.130 and the remote router 192.168.3.1 and the other client in Network A (192.168.3.154)
  • Reaching web servers through the browser from the iPhone inside Network A (I can open pages on 192.168.3.130 and 192.168.3.154)
  • Reaching web servers through the browser from the Raspberry Pi in Network B on all devices in Network A (192.168.3.130, 192.168.3.1, 192.168.3.154)
  • SSH from Ubuntu-Server through the tunnel to the Raspberry Pi using 10.8.0.10 and 192.168.20.24
  • SSH from Client-PC in Network A through the tunnel to the Raspberry Pi using 10.8.0.10 and 192.168.20.24
  • SSH from the Raspberry Pi in Network B through the tunnel to the Ubuntu-Server using 10.8.0.1 and 192.168.3.130
This is NOT working:
  • SSH from Client-PC in Network B through the tunnel to the Ubuntu-Server using 192.168.3.130
  • Web pages (HTTP) and file sharing (SMB) through the tunnels, including:
    - from Client-PC in Network B to 192.168.3.130, 192.168.3.1, 192.168.3.154 >> timeout
    - from Client-PC in Network A to 10.8.0.10, 192.168.20.24, 192.168.20.1 >> timeout
    - from the iPhone using both tunnels to 10.8.0.10, 192.168.20.24, 192.168.20.1 >> timeout
  • Ping from Network A (regardless of which machine) to a device in Network B which does not have a DHCP IP address but a fixed one
What I already tried to fix it:
  • tried the options "tun-mtu", "fragment" and "mssfix" > no change in the problems
  • disabled the firewalls on both the Ubuntu-Server and the Raspberry Pi
Here are my config-files:

@Ubuntu-Server in Network A, server1.conf

port 1194
proto udp
dev tun

ca ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/server.crt
key ./easy-rsa2/keys/server.key  # This file should be kept secret
dh ./easy-rsa2/keys/dh2048.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp_hhsl.txt

push "route 192.168.3.0 255.255.255.0"
push "route 10.8.1.0 255.255.255.0"

client-config-dir ccd
route 192.168.20.0 255.255.255.0

client-to-client

keepalive 10 120

tls-auth ./easy-rsa2/keys/ta.key 0 
cipher AES-256-CBC   # AES

comp-lzo

user openvpn
group openvpn

persist-key
persist-tun

status openvpn-status_hhsl.log

verb 3

tun-mtu 1200 
fragment 1200 
mssfix 1200

In subdirectory ccd there is a file named after the client's common name with this content:

iroute 192.168.20.0 255.255.255.0

@Ubuntu-Server in Network A, server2.conf

port 1195

proto udp

dev tun1

ca ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/server.crt
key ./easy-rsa2/keys/server.key 
dh ./easy-rsa2/keys/dh2048.pem

server 10.8.1.0 255.255.255.0

ifconfig-pool-persist ipp_vic.txt

push "route 192.168.3.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

client-to-client

keepalive 10 120

tls-auth ./easy-rsa2/keys/ta.key 0 

comp-lzo


user openvpn
group openvpn

persist-key
persist-tun

status openvpn-status_vic.log

verb 3

On both the Ubuntu server and the Raspberry Pi, IPv4 routing is enabled, and on the Ubuntu server I set firewall rules to allow those routes (a mistake here is not the culprit, since my problems persist when I disable the firewall).

@Raspberry Pi in Network B, client.conf

client
dev tun
proto udp
remote mydomain.de 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert hhsl.crt
key hhsl.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
tun-mtu 1200
fragment 1200
mssfix 1200

iphone.ovpn

client
dev tun1
proto udp
remote kunterbuntcloud.de 1195
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert vic.crt
key vic.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
Static routes in the router of Network A:
[Image: screenshot of the static routes, not included]

Static routes in the router of Network B:
[Image: screenshot of the static routes, not included]
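
A way to check the routing described in this post hop by hop, as an added example that is not part of the thread and not OpenVPN's own code: the script below models each host's routing table from the post (the server's `route 192.168.20.0` together with the ccd `iroute`, the routes server1 pushes to the Pi, `redirect-gateway` on the iPhone, and the static routes on the two Fritzboxes) and traces a request and its reply. The LAN B client PC at 192.168.20.50, the iPhone's tunnel address 10.8.1.6, and the exact contents of the Fritzbox route tables (only shown as screenshots in the post) are assumptions, labelled in the code; in particular, whether Fritzbox B has routes for the 10.8.x tunnel subnets is not stated, so the script runs both variants.

```python
"""Route-path check for the site-to-site topology in the post above.

Added example, not code from the thread or from OpenVPN: models each host's
routing table as the post describes it and traces a request and its reply hop
by hop, so a missing route or a reply that skips a router stands out.
"""
import copy
import ipaddress
from typing import Dict, List, Optional, Tuple

# Server, Pi and router addresses are from the post. Constructed here: the LAN B
# client PC (192.168.20.50) and the iPhone's tunnel address (10.8.1.6). Assumed,
# since the router screenshots are not in the text: Fritzbox A also routes
# 10.8.0.0/24 and 10.8.1.0/24 to the server (LAN A can ping 10.8.0.10, so at
# least the first exists); Fritzbox B routes only 192.168.3.0/24.
# A route is (prefix, next_hop); next_hop None means directly attached.
HOSTS: Dict[str, Dict] = {
    "client-A": {"addrs": ["192.168.3.154"],
                 "routes": [("192.168.3.0/24", None), ("0.0.0.0/0", "router-A")]},
    "router-A": {"addrs": ["192.168.3.1"],
                 "routes": [("192.168.3.0/24", None), ("192.168.20.0/24", "server"),
                            ("10.8.0.0/24", "server"), ("10.8.1.0/24", "server")]},
    "server":   {"addrs": ["192.168.3.130", "10.8.0.1", "10.8.1.1"],
                 "routes": [("192.168.3.0/24", None), ("10.8.0.0/24", None),
                            ("10.8.1.0/24", None),
                            # `route 192.168.20.0 ...` sends it into tun0; the
                            # ccd iroute tells OpenVPN which client owns it.
                            ("192.168.20.0/24", "pi"), ("0.0.0.0/0", "router-A")]},
    "pi":       {"addrs": ["192.168.20.24", "10.8.0.10"],
                 "routes": [("192.168.20.0/24", None), ("10.8.0.0/24", None),
                            ("192.168.3.0/24", "server"),   # pushed by server1
                            ("10.8.1.0/24", "server"),      # pushed by server1
                            ("0.0.0.0/0", "router-B")]},
    "router-B": {"addrs": ["192.168.20.1"],
                 "routes": [("192.168.20.0/24", None), ("192.168.3.0/24", "pi")]},
    "client-B": {"addrs": ["192.168.20.50"],
                 "routes": [("192.168.20.0/24", None), ("0.0.0.0/0", "router-B")]},
    "iphone":   {"addrs": ["10.8.1.6"],
                 "routes": [("0.0.0.0/0", "server")]},      # redirect-gateway def1
}

def owner_of(hosts: Dict[str, Dict], addr: str) -> Optional[str]:
    """Name of the host that owns `addr`, or None."""
    return next((n for n, h in hosts.items() if addr in h["addrs"]), None)

def lookup(hosts: Dict[str, Dict], host: str, dst: str) -> Tuple[bool, Optional[str]]:
    """Longest-prefix match in `host`'s table: (route found, next hop)."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, Optional[str]]] = None
    for prefix, next_hop in hosts[host]["routes"]:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, next_hop)
    return (True, best[1]) if best else (False, None)

def trace(hosts: Dict[str, Dict], src: str, dst: str, max_hops: int = 8) -> Tuple[List[str], Optional[str]]:
    """Follow a packet from host `src` to address `dst`: (hops, error or None)."""
    hops, cur = [src], src
    for _ in range(max_hops):
        if dst in hosts[cur]["addrs"]:
            return hops, None
        found, next_hop = lookup(hosts, cur, dst)
        if not found:
            return hops, f"{cur} has no route to {dst}"
        if next_hop is None:                       # on-link: deliver directly
            target = owner_of(hosts, dst)
            if target is None:
                return hops, f"{dst} is on-link for {cur} but nobody owns it"
            return hops + [target], None
        hops.append(next_hop)
        cur = next_hop
    return hops, "hop limit exceeded (routing loop?)"

def check_flow(src: str, dst: str, hosts: Dict[str, Dict] = HOSTS) -> Dict[str, object]:
    """Trace src -> dst and the reply back; list hops seen in one direction only
    (a stateful device on such a hop only ever sees half of the connection)."""
    fwd, fwd_err = trace(hosts, src, dst)
    dst_host = owner_of(hosts, dst)
    rev, rev_err = trace(hosts, dst_host, hosts[src]["addrs"][0]) if dst_host else ([], "unknown destination")
    one_way = sorted(set(fwd[1:-1]) ^ set(rev[1:-1])) if fwd_err is None and rev_err is None else []
    return {"forward": fwd, "forward_error": fwd_err,
            "reply": rev, "reply_error": rev_err, "one_way_hops": one_way}

def with_tunnel_routes_on_router_b(hosts: Dict[str, Dict] = HOSTS) -> Dict[str, Dict]:
    """Candidate to test (an assumption, not from the post): Fritzbox B also
    gets static routes for both tunnel subnets via the Pi."""
    fixed = copy.deepcopy(hosts)
    fixed["router-B"]["routes"] += [("10.8.0.0/24", "pi"), ("10.8.1.0/24", "pi")]
    return fixed

if __name__ == "__main__":
    flows = [("client-B", "192.168.3.130"), ("client-A", "10.8.0.10"), ("iphone", "192.168.20.50")]
    for label, table in (("as posted", HOSTS), ("router B + tunnel routes", with_tunnel_routes_on_router_b())):
        print(f"== {label}")
        for src, dst in flows:
            r = check_flow(src, dst, table)
            for name in ("forward", "reply"):
                err = r[name + "_error"]
                print(f"  {name:>7}: {' > '.join(r[name])}" + (f"   !! {err}" if err else ""))
            if r["one_way_hops"]:
                print(f"  seen in one direction only: {', '.join(r['one_way_hops'])}")
```

Two things the trace makes visible. A LAN client's reply to a tunnel address (10.8.0.x or 10.8.1.x) goes to the LAN's default gateway, so each Fritzbox needs a static route for every subnet that can appear as a source address, not only for the opposite LAN; in the modelled "as posted" table the iPhone's packets reach the LAN B client but the reply dies at router B. And the OpenVPN endpoint answers a client on its own LAN directly, so the Fritzbox sees only the request direction of such a connection. The script cannot see the real tables; compare its output with `ip route` on the server and the Pi and with the routers' static route pages.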

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Site-to-Site routing issues

Post by TinCanTech » Mon Apr 24, 2017 9:16 pm

Try this:
LittleNo wrote: Here are my config-files:

@Ubuntu-Server in Network A, server1.conf

server 10.8.0.0 255.255.255.0
client-config-dir ccd
ccd-exclusive

Also, post your logs ..
