Client to Client from 2 access servers

duckman
OpenVpn Newbie
Posts: 1
Joined: Wed Apr 13, 2022 7:52 pm

Client to Client from 2 access servers

Post by duckman » Wed Apr 13, 2022 8:02 pm

After looking through much documentation (most of it looks outdated or is for the non-Access Server version) I am at a loss.
I have a cloud network. One VPC in the US and one in Europe.
Both regions have an OpenVPN server for clients to connect to.
I need to get connected VPN clients in Europe able to connect to VPN clients in the US, but can't seem to. I really only need it to go one way. I can ping the OpenVPN Servers' eth0 interfaces back and forth and I do have the routing for the client subnets in my route tables. I have also been able to ping from one of the VPN clients all the way to the US server, but the echo replies do not come back.


The directions for bridging seem to be for something other than the Access server version and I am not sure which way to go.
I've tried both NAT and without NAT and Mixed with one server being NAT and the other.

Can anyone point me to some documents where this is clearly explained on the latest version of OpenVPN Access Server?


Thank you so much. I've been at this for 2 weeks now :)

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Client to Client from 2 access servers

Post by openvpn_inc » Wed Apr 13, 2022 11:19 pm

Hello duckman,

Please forget about bridging. Wouldn't work in a cloud environment anyway, most likely, and it's also not a proper way to do this.

You need to set up at least one server with a site-to-site connection to the other site. You need routing set up in both directions. Since you mention VPC I assume this is about Amazon AWS. Then you need to disable source/destination checking on the two machines forming the site-to-site connection. On top of that you'll need to put routes in place in both sites for the VPN client subnets. Then all should be able to route.

To diagnose problems try using tcpdump to monitor ICMP ping request/reply and see where it stops exactly.

It can be done but what you want is also one of the more difficult things to achieve because of all the places you need to put the routes and ensure that routing is done in all places, and not just NAT.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
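An added example (not from either poster) that turns Johan's checklist into a script you can run on each Access Server host: it reports which prerequisites are missing (IP forwarding, a kernel route for the remote site's VPN client subnet, AWS source/dest check still on) and builds the tcpdump filter for watching where the ICMP request or reply disappears. The subnets and gateway address are constructed placeholders, and the `SDC` variable is assumed to carry the instance's sourceDestCheck value that you look up separately.

```shell
#!/bin/sh
# Routing-prerequisite audit for two Access Server sites whose VPN client
# subnets must reach each other. Values below are constructed placeholders.
LOCAL_CLIENT_NET="172.27.224.0/20"    # constructed: this site's VPN client subnet
REMOTE_CLIENT_NET="172.27.240.0/20"   # constructed: other site's VPN client subnet

# Return 0 if the route-table text ($2, e.g. output of `ip route`) contains
# a route whose destination is exactly subnet $1.
has_route() {
  printf '%s\n' "$2" | grep -Eq "^$1([[:space:]]|$)"
}

# Print one line per missing prerequisite (empty output means all present).
# $1 = net.ipv4.ip_forward value, $2 = route-table text,
# $3 = remote VPN client subnet, $4 = AWS sourceDestCheck ("true"/"false")
missing_prereqs() {
  fwd="$1"; routes="$2"; remote="$3"; sdc="$4"; missing=""
  [ "$fwd" = "1" ] || missing="${missing}ip_forward is off (sysctl -w net.ipv4.ip_forward=1)\n"
  has_route "$remote" "$routes" || missing="${missing}no kernel route for $remote\n"
  [ "$sdc" = "false" ] || missing="${missing}source/dest check still enabled on this instance\n"
  printf '%b' "$missing"
}

# pcap filter isolating ICMP between the two client subnets in both directions,
# so the same capture on each hop shows whether the request or the reply is lost.
icmp_trace_filter() {
  printf 'icmp and ((src net %s and dst net %s) or (src net %s and dst net %s))' \
    "$1" "$2" "$2" "$1"
}

# Live run on the Access Server host: ./audit.sh --live  (SDC=true|false in env)
if [ "${1:-}" = "--live" ]; then
  missing_prereqs "$(sysctl -n net.ipv4.ip_forward)" "$(ip route)" \
    "$REMOTE_CLIENT_NET" "${SDC:-unknown}"
  echo "Trace with: tcpdump -ni eth0 '$(icmp_trace_filter "$LOCAL_CLIENT_NET" "$REMOTE_CLIENT_NET")'"
fi
```

Run the same audit on both sites with the subnets swapped; a route present on one side but not the other is exactly the one-way symptom described above.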
