site-to-site VPN routing issues?!

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

site-to-site VPN routing issues?!

Post by Tom7320 » Sun Oct 15, 2017 11:16 am

Hi!

I'm trying to build a quite simple site-to-site VPN:

Server side network is 192.168.193.0/24
Client side network is 192.168.0.0/24

These are the configs:

server conf

proto udp
port 1194
dev tun
server 10.205.76.0 255.255.255.0
topology subnet
persist-key
persist-tun
keepalive 10 60
duplicate-cn
user nobody
group nogroup
daemon
verb 3
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
remote-cert-tls client
management 127.0.0.1 5555

tls-auth /etc/openvpn/keys/ta.key 0
dh /etc/openvpn/keys/dh2048.pem
pkcs12 /etc/openvpn/keys/OpenVPN_PAW_Server.p12
crl-verify /etc/openvpn/keys/OpenVPN_PAW_CRL.pem

push "route 192.168.193.0 255.255.255.0"


client gateway conf

proto udp
port 1194
dev tun
client
remote dyndns.foo.bar.com
nobind
key-direction 1
verb 3
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
remote-cert-tls server
management 127.0.0.1 5555

<ca>
...
</ca>

<cert>
...
</cert>

<key>
...
</key>

<tls-auth>
...
</tls-auth>


I configured port forwarding on the routers on either side of the tunnel (1194/udp). To simplify the router configuration I added masquerading on the VPN server and client gateway machines:

Code:

iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

At first glance this setup seems to work, but I have trouble connecting a VoIP phone on the client side. The SIP server on the server side complains:

Code:

VOIP: IWU: data_write: error get localip for destination 192.168.0.117,39000000

In my opinion the SIP server on the server side should never see an IP address of the client side (192.168.0.117)?!? What am I missing here?! Any help would be much appreciated!!

Thx!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: site-to-site VPN routing issues?!

Post by TinCanTech » Mon Oct 16, 2017 5:30 pm

Tom7320 wrote:
Sun Oct 15, 2017 11:16 am
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Code:

iptables -t nat -A POSTROUTING -s 10.205.76.0/24 -o eth0 -j MASQUERADE

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: site-to-site VPN routing issues?!

Post by Tom7320 » Mon Oct 16, 2017 6:03 pm

THX a lot! But unfortunately it makes no difference.... :-(

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: site-to-site VPN routing issues?!

Post by TinCanTech » Mon Oct 16, 2017 7:20 pm

Tom7320 wrote:
Mon Oct 16, 2017 6:03 pm
In my opinion the SIP server on the server side should never see an IP address of the client side (192.168.0.117)?!? What am I missing here?!
Something is wrong with your Masquerading ..
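
Added example, not part of the thread and not OpenVPN project code: a Python check that reads the `server` directive and flags MASQUERADE rules that have no `-s` scope (they rewrite every source address leaving that interface) or whose `-s` network lies outside the tunnel subnet. The `server` line and the two unscoped rules are copied from the first post; the two `-s` rules, the function names and the verdict labels are constructed for illustration.

```python
import ipaddress
import shlex

# 'server' line and first two rules are from the first post; the two -s rules are constructed.
SERVER_CONF = "server 10.205.76.0 255.255.255.0\ntopology subnet\n"
RULES = """\
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.99.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.205.76.0/24 -o eth0 -j MASQUERADE
"""

def vpn_subnet(conf):
    """Return the tunnel network declared by the OpenVPN 'server' directive."""
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "server":
            return ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
    raise ValueError("no 'server <network> <netmask>' directive found")

def option(args, *names):
    """Value following the first of the given option names, or None."""
    for i, arg in enumerate(args[:-1]):
        if arg in names:
            return args[i + 1]
    return None

def audit_masquerade(conf, rules):
    """Classify each MASQUERADE rule as 'unscoped', 'mismatch' or 'ok'."""
    vpn = vpn_subnet(conf)
    findings = []
    for line in rules.splitlines():
        args = shlex.split(line, comments=True)
        if option(args, "-j", "--jump") != "MASQUERADE":
            continue
        src = option(args, "-s", "--source")
        out = option(args, "-o", "--out-interface")
        if src is None:
            verdict = "unscoped"   # rewrites every source leaving `out`
        elif ipaddress.ip_network(src, strict=False).subnet_of(vpn):
            verdict = "ok"         # limited to tunnel addresses
        else:
            verdict = "mismatch"   # -s names a network that is not the tunnel
        findings.append((out, src, verdict))
    return findings

if __name__ == "__main__":
    for out, src, verdict in audit_masquerade(SERVER_CONF, RULES):
        print(f"{verdict:9} -o {out} -s {src or 'any'}")
```

The verdict only describes how the rule is scoped relative to the tunnel subnet; it does not say whether NAT is the right design for the site-to-site link.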
