Site-to-site VPN routing

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
sarunas
OpenVpn Newbie
Posts: 5
Joined: Wed Dec 13, 2023 10:31 am

Site-to-site VPN routing

Post by sarunas » Thu Dec 14, 2023 10:51 am

Hi community,
I want to connect from one country to another country to my private network. I have created an OpenVPN server in the Oracle Cloud. I have outlined what I want to achieve with OpenVPN. My target is a PLC, and I want to connect my PC with the PLC.

Image

My OpenVPN server saw both items

Image

I tried traceroute to 172.27.234.4 from my computer

Image

Looks fine. Now I tried traceroute to 172.27.234.6 from router

Image

In the picture, you can see that I cannot find the IP address 172.27.234.6. Maybe somebody knows why?

My goal is to reach the PLC, whose local IP address is 192.168.1.5, but I can't find a solution on how to do that. Perhaps someone has suggestions on what steps I need to take. The router firewall is disabled. If I enter the VPN IP address of the router, 172.27.234.4, in my PC's web browser, the router's web server opens.
I am using the same OpenVPN configuration file for both clients.

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Site-to-site VPN routing

Post by openvpn_inc » Thu Dec 14, 2023 11:25 am

Hello,

The reason the traffic won't go is because it exists outside of your VPN solution at the moment. The Teltonika client is given a virtual network interface with an IP in the internal VPN network range. So that's the extent of what it can reach until you do more.

For site to site we have a guide here that I strongly suggest you read through, and particularly the troubleshooting section where tools like tcpdump are used to confirm that packets are traveling to where you want them to go.

https://openvpn.net/vpn-server-resource ... in-detail/

But in short I can point out these issues:

The subnet 192.168.1.0/24 is too common. That means that if your client on the right in your diagram is on a 192.168.1.0/24 network as well, you may already have a subnet collision. It would be best to re-IP the subnet on the left on the Teltonika to something more unique like for example 10.77.55.0/24 or such. But assuming the local subnet on the right side VPN client is not 192.168.1.0/24 then in theory that is not the issue at the moment with your current setup.

The user account on the Access Server for the Teltonika device must have the 'VPN client gateway' function enabled, and the subnet 192.168.1.0/24 must be defined there (assuming that the subnet behind the Teltonika is 192.168.1.0/24). This way the Access Server will know that in order to reach 192.168.1.0/24 it has to go through the Teltonika device. Simply doing this SHOULD allow the Access Server itself to ping 192.168.1.0/24, assuming there are no firewall or configuration issues on the Teltonika itself.

And on the user account for the VPN client on the right, access should be granted to 192.168.1.0/24. That way, that VPN client will know that in order to reach 192.168.1.0/24 it has to go through the Access Server. And the Access Server knows to go through the Teltonika device to get to 192.168.1.0/24. In turn, the Teltonika device should already know how to reach VPN clients as that is part of the basic configuration.

There may be firewall and routing misconfigurations or subnet collisions that prevent things from working. For example, a Windows firewall may decide that 'out-of-scope' subnets (networks that it is not directly path of by itself) are to be dropped. Which could means packets from the Teltonika device may be dropped by the firewall on the VPN client. Likewise the Teltonika device may have firewalls enabled by itself that prevent traffic from crossing between VPN network and LAN network.

The guide I gave you contains troubleshooting where you can run tcpdump to monitor ping packets flowing between devices. I suggest you use that to see where the traffic goes and does not go.

Kind regards,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

sarunas
OpenVpn Newbie
Posts: 5
Joined: Wed Dec 13, 2023 10:31 am

Re: Site-to-site VPN routing

Post by sarunas » Thu Dec 14, 2023 1:36 pm

I appreciate the quick response and the time you've spent. Thank you very much.
So, regarding the Windows firewall, you were correct. I disabled the Windows firewall, and the Teltonika device started pinging my computer via OpenVPN server.

I don't quite understand what you're talking about here
The user account on the Access Server for the Teltonika device must have the 'VPN client gateway' function enabled, and the subnet 192.168.1.0/24 must be defined there (assuming that the subnet behind the Teltonika is 192.168.1.0/24).
Do you talk about OpenVPN configuration file, which I upload to teltonika device or about teltonika device feature?

here you talk about OpenVPN configuration file?
And on the user account for the VPN client on the right, access should be granted to 192.168.1.0/24. That way, that VPN client will know that in order to reach 192.168.1.0/24 it has to go through the Access Server. And the Access Server knows to go through the Teltonika device to get to 192.168.1.0/24. In turn, the Teltonika device should already know how to reach VPN clients as that is part of the basic configuration.
Or about OpenVPN setting like this?
Image

sarunas
OpenVpn Newbie
Posts: 5
Joined: Wed Dec 13, 2023 10:31 am

Re: Site-to-site VPN routing

Post by sarunas » Fri Dec 15, 2023 6:19 am

I have successfully established a connection between my PC and the PLC via OpenVPN
Thank you very much

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Site-to-site VPN routing

Post by openvpn_inc » Fri Dec 15, 2023 3:56 pm

Hello,

> Do you talk about OpenVPN configuration file, which I upload to teltonika device or about teltonika device feature?

This was in response to my mention of the VPN client gateway function. This is the function in the Access Server configuration, under User Permissions, for the particular user account that is used to connect to the Access Server from the Teltonika device. It lets you make Access Server aware that there is 'more' behind the Teltonika device. For site-to-site communication. Because the VPN client (Teltonika) is functioning as a gateway to the 192.168.1.0/24 subnet.

But I see you got things working, so all is good then.

Good luck,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Post Reply