Site-to-Site is not working.

Zebar
OpenVpn Newbie
Posts: 3
Joined: Thu Oct 28, 2021 7:14 am

Site-to-Site is not working.

Post by Zebar » Thu Oct 28, 2021 8:11 am

I have an office network 192.168.144/20. This network consists of 192.168.X/24 networks.
In this network:
192.168.144.1 - local network router
192.168.144.2 - GW to internet
192.168.144.4 - OpenVPN router
192.168.144.10 - test computer
port 1194/udp from internet mapped to OpenVPN router

I have remote network 192.168.132/24.
192.168.132.1 - Keenetik router with OpenVPN
192.168.132.146 - test computer

I need a site-to-site connection.
Main goal - communication between 192.168.132.146 and 192.168.149.2
First goal - communication between 192.168.132.146 and 192.168.144.10

OpenVPN server config
port 1194
proto udp
dev tun
up /etc/openvpn/server/routes.up.sh
ca ca.crt
cert server.crt
key server.key
dh none
topology subnet
ifconfig 10.10.10.1 10.10.10.2
server 10.10.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.144.0 255.255.255.0"
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
script-security 2


file routes.up.sh

#!/bin/sh
# runs when tun0 comes up: send the remote LAN to the client's tunnel address
/sbin/route add -net 192.168.132.0 netmask 255.255.255.0 gw 10.10.10.2

interfaces on OpenVPN server

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.144.4  netmask 255.255.255.0  broadcast 192.168.144.255
        ether 00:15:5d:92:02:01  txqueuelen 1000  (Ethernet)
        RX packets 2507  bytes 252274 (246.3 KiB)
        RX errors 0  dropped 29  overruns 0  frame 0
        TX packets 1848  bytes 546837 (534.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.10.10.1  netmask 255.255.255.0  destination 10.10.10.1
        inet6 fe80::8bd3:47ab:c9e6:afbb  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 432 (432.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
routes on OpenVPN server

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.144.1   0.0.0.0         UG    100    0        0 eth0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.132.0   10.10.10.2      255.255.255.0   UG    0      0        0 tun0
192.168.144.0   0.0.0.0         255.255.255.0   U     100    0        0 eth0
Remote network Keenetik router
client
dev tun
proto udp
remote MyOffice 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
key-direction 1
verb 3


Ping results from 192.168.132.146.
192.168.144.4 - Ok
192.168.144.10 - None

Ping results from 192.168.144.4.
192.168.132.146 - None
192.168.132.1 - None
10.10.10.2 - None
10.10.10.1 - Ok

I suppose I have wrong routing. What is wrong?

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Site-to-Site is not working.

Post by 300000 » Thu Oct 28, 2021 11:17 am

You need to make client-to-site work first. At the moment the client can only ping the server 10.10.10.1 and can't reach the Internet. When that is working, move on to making site-to-site work.

Check NAT and IP forwarding at the server and make sure they are working properly.

Zebar
OpenVpn Newbie
Posts: 3
Joined: Thu Oct 28, 2021 7:14 am

Re: Site-to-Site is not working.

Post by Zebar » Thu Oct 28, 2021 11:47 am

You need to make client-to-site work first
It's easy. According to https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-centos-8 I configured the firewall for packet masquerading.

firewall-cmd --add-masquerade
firewall-cmd --add-masquerade --permanent
DEVICE=$(ip route | awk '/^default via/ {print $5}')
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 192.168.132.0/24 -o $DEVICE -j MASQUERADE
firewall-cmd --reload
And now I can ping from the remote network to the office.
But the other direction is not working. Do I have to masquerade packets from the central network to the remote LAN?

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Site-to-Site is not working.

Post by 300000 » Thu Oct 28, 2021 12:04 pm

Now you need to create a folder called ccd at the OpenVPN server and create a file named after the client's certificate name; open that file and add this:

iroute 192.168.132.0 255.255.255.0

After that you need NAT and IP forwarding at the client as you did with the server, so when the client connects to the server, the server will scan the incoming connected clients, know which one connected by its certificate, and automatically add the route into its routing tables.

So iroute means route add -net 192.168.132.0 netmask 255.255.255.0 gw 10.10.10.2 if the client gets that IP.

After that the server has the gateway for the client's subnet, since it has been added, so from that point the server becomes a node and will route to its destination.
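A small consistency check for the iroute/ccd setup described in this post, added here as an example and not code from the thread or from OpenVPN. It assumes the inputs are the server config, ccd file and route -n output Zebar posted above (copied inline as constructed strings), and that the tunnel interface and office hosts passed in are the ones named in the thread.

```python
import ipaddress
import re
# Constructed inputs copied from this thread's server config, ccd file and `route -n` output.
SERVER_CONF = 'server 10.10.10.0 255.255.255.0\npush "route 192.168.144.0 255.255.255.0"\n'
CCD_CLIENT1 = "iroute 192.168.132.0 255.255.255.0\n"
ROUTE_N = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.144.1   0.0.0.0         UG    100    0        0 eth0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.132.0   10.10.10.2      255.255.255.0   UG    0      0        0 tun0
192.168.144.0   0.0.0.0         255.255.255.0   U     100    0        0 eth0
"""

def net(addr, mask):
    """Build a network from a dotted address and dotted netmask (OpenVPN and route -n style)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_directive(text, name):
    """Networks given to every `<name> <addr> <mask>` line, also inside push "..." quotes."""
    found = []
    for line in text.splitlines():
        m = re.match(rf'\s*(?:push\s+")?{name}\s+(\S+)\s+(\S+?)"?\s*$', line)
        if m:
            found.append(net(m.group(1), m.group(2)))
    return found

def parse_route_n(text):
    """Kernel routes from `route -n` output as (network, interface) pairs."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[0] != "Destination":
            routes.append((net(f[0], f[2]), f[7]))
    return routes

def check_site_to_site(server_conf, ccd, route_n, tun_if, targets):
    """Return the routing problems found; an empty list means the pieces agree."""
    problems = []
    kernel = parse_route_n(route_n)
    # 1. Each LAN the client announces with iroute also needs a kernel route out of the tun.
    for lan in parse_directive(ccd, "iroute"):
        if not any(n == lan and ifc == tun_if for n, ifc in kernel):
            problems.append(f"no kernel route for {lan} via {tun_if}")
    # 2. Each office host the remote LAN must reach has to fall inside a pushed route.
    for host in targets:
        if not any(ipaddress.ip_address(host) in p for p in parse_directive(server_conf, "route")):
            problems.append(f"{host} is not covered by any pushed route")
    return problems
```

With the first post's push of 192.168.144.0 255.255.255.0 the check flags 192.168.149.2 (the main goal) as unreachable, while the 255.255.240.0 push seen in the later log clears it; NAT and IP forwarding, which this post also calls for, are host settings the check does not cover.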

Zebar
OpenVpn Newbie
Posts: 3
Joined: Thu Oct 28, 2021 7:14 am

Re: Site-to-Site is not working.

Post by Zebar » Fri Oct 29, 2021 10:55 am

ccd folder with client file created. Now the connection log is:

Oct 29 12:17:53 OpenVPN openvpn[2973]: 91.193.176.208:42582 [client1] Peer Connection Initiated with [AF_INET]91.193.176.208:42582
Oct 29 12:17:53 OpenVPN openvpn[2973]: MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Oct 29 12:17:53 OpenVPN openvpn[2973]: OPTIONS IMPORT: reading client specific options from: /etc/openvpn/server/ccd/client1
Oct 29 12:17:53 OpenVPN openvpn[2973]: MULTI_sva: pool returned IPv4=10.10.10.2, IPv6=(Not enabled)
Oct 29 12:17:53 OpenVPN openvpn[2973]: MULTI: Learn: 10.10.10.2 -> client1/91.193.176.208:42582
Oct 29 12:17:53 OpenVPN openvpn[2973]: MULTI: primary virtual IP for client1/91.193.176.208:42582: 10.10.10.2
Oct 29 12:17:53 OpenVPN openvpn[2973]: MULTI: internal route 192.168.132.0/24 -> client1/91.193.176.208:42582
Oct 29 12:17:53 OpenVPN openvpn[2973]: MULTI: Learn: 192.168.132.0/24 -> client1/91.193.176.208:42582
Oct 29 12:17:54 OpenVPN openvpn[2973]: client1/91.193.176.208:42582 PUSH: Received control message: 'PUSH_REQUEST'
Oct 29 12:17:54 OpenVPN openvpn[2973]: client1/91.193.176.208:42582 SENT CONTROL [client1]: 'PUSH_REPLY,route 192.168.144.0 255.255.240.0,route-gateway 10.10.10.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.10.10.2 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)
Oct 29 12:17:54 OpenVPN openvpn[2973]: client1/91.193.176.208:42582 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 29 12:17:54 OpenVPN openvpn[2973]: client1/91.193.176.208:42582 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
but still nothing works. From client to network - OK. From network to client - none.

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Site-to-Site is not working.

Post by 300000 » Fri Oct 29, 2021 12:14 pm

What is the name of the client certificate? What is the name of the file you created in the ccd folder? Did you set up NAT and IP forwarding at the client or not? You need to post your server routing too.
