We've set up a client-server OpenVPN tunnel, which is working on both the HQ router and the branch router. We used vtun1 with port 1195 on both the HQ and branch router, over which they're talking.
vtun1 network: 172.16.253.0/24
HQ ----- vtun1 ---- internet ----- vtun1 ----- BRANCH -> OK
From the branch-router, we have setup a remote access vpn (vtun0 1194) which is also working from the remote workstation to the branch router.
vtun1 network: 172.16.253.0/24
vtun0 network: 192.168.100.0/24
BRANCH ---- vtun0 ---- internet ---- tun0 ---- Remote workstation -> OK
Scenario: We would like to reach the LAN of HQ from the remote workstation of BRANCH router.
How can we reach the LAN of the HQ router from the branch remote workstation through the tunnel?
We already added a route and opened the firewall on both routers for 1195 and 1194.
Hi @woodie03, are all tunnels already connected? Does HQ have a route to 192.168.100.0/24 via vtun1? I think you can advertise it from BRANCH. You also need to advertise the route 172.16.253.0/24 from BRANCH for vtun0. Can you provide traceroute 192.168.100.1 from HQ and run traceroute 172.16.253.1 from the remote workstation?
Fine, thank you, how are you?
Have I understood your schema correctly?
Please explain what IP addresses HQ and BRANCH have on vtun1, and what IP addresses BRANCH and the remote workstation have on vtun0.
vtun1 IPs for HQ and BR:
HQ - 172.16.253.1/24
BR - 172.16.253.12/24
vtun0 IPs for BR and Remote Workstation:
BR - 192.168.100.1/26
Remote Workstation - 192.168.100.2/26 (Given by the BR via vtun0)
A remote client connected to vtun0 of HQ can access any resources on the Branch network; we would like it to be vice versa, however the remote client of the branch couldn't do so.
As we see, the remote workstation doesn't have a route to 172.16.253.0/24; your OVPN on BR can push this route to the client: set interfaces openvpn vtun0 server push-route 172.16.253.0/24
Then reconnect OVPN on the remote workstation and run traceroute 172.16.253.1 again. If the route was received, you will see the first hop router 192.168.100.1. @woodie03, please post the full traceroute command which you entered. Can you also provide the output of show ip route on HQ?
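To make the two-direction routing point concrete, here is an added example (not from the thread or the routers): a small longest-prefix-match model of WS, BR and HQ using the addresses posted above. The route tables are constructed for illustration; it traces a ping from the workstation to HQ's vtun1 address and back, showing that the pushed route fixes the forward path while HQ still needs a route for 192.168.100.0/26 via vtun1 for the return path.

```python
import ipaddress

# Constructed model of the thread's topology: addresses are the ones posted
# in the thread; the route tables are illustrative, not dumps from the routers.
ADDRS = {
    "WS": ["192.168.100.2"],                    # remote workstation (tun0)
    "BR": ["192.168.100.1", "172.16.253.12"],   # branch router (vtun0, vtun1)
    "HQ": ["172.16.253.1"],                     # HQ router (vtun1)
}
# Tunnel adjacency: who each node can hand a packet to directly.
LINKS = {"WS": {"BR"}, "BR": {"WS", "HQ"}, "HQ": {"BR"}}

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop_node) entries."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def trace(tables, src, dst, max_hops=8):
    """Forward hop by hop like traceroute; return (path, reached)."""
    node, path = src, [src]
    for _ in range(max_hops):
        if dst in ADDRS[node]:
            return path, True
        nh = lookup(tables[node], dst)
        if nh is None or nh not in LINKS[node]:
            return path, False          # no route, or next hop not a peer
        node = nh
        path.append(node)
    return path, False

def round_trip(tables):
    """A ping from WS to HQ's vtun1 address needs both directions to route."""
    _, ok_fwd = trace(tables, "WS", "172.16.253.1")
    _, ok_back = trace(tables, "HQ", "192.168.100.2")
    return ok_fwd, ok_back

BR_TABLE = [("192.168.100.0/26", "WS"), ("172.16.253.0/24", "HQ")]
# Before: WS only knows its own tunnel subnet; HQ only knows vtun1.
BEFORE = {"WS": [("192.168.100.0/26", "BR")], "BR": BR_TABLE,
          "HQ": [("172.16.253.0/24", "BR")]}
# After: BR pushes 172.16.253.0/24 to the client, and HQ gets a route for
# the remote-access subnet pointing back through vtun1 (the BR end).
AFTER = {"WS": BEFORE["WS"] + [("172.16.253.0/24", "BR")], "BR": BR_TABLE,
         "HQ": BEFORE["HQ"] + [("192.168.100.0/26", "BR")]}
```

round_trip(BEFORE) gives (False, False) and round_trip(AFTER) gives (True, True); adding only the pushed route gives (True, False), which is why the capture on HQ's vtun1 in the later posts is the right next check.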
Added firewall rule on HQ but not yet on BR
command:
LAN
set firewall name WAN_IN rule 100 action accept
set firewall name WAN_IN rule 100 source address 192.168.100.0/26
set firewall name WAN_IN rule 100 protocol all
Hm, let's try to capture some traffic to understand this situation.
On HQ monitor traffic interface vtun1 filter 'host 192.168.100.2'
On BR monitor traffic interface vtun1 filter 'host 192.168.100.2'
and run ping 172.16.253.1 from the remote workstation. Do you see packets?
I can see ICMP traffic, but from the other connected network; I couldn't see any from the remote workstation. I'm not sure if the BR router has the issue, because a remote workstation connected to HQ can see any resources on BR.