OpenVPN from remote workstation of branch router to hq router

woodie03 · September 10, 2019, 3:27am

Hi,

We’ve set up a client-server openvpn tunnel, which is working in both hq-router and branch-router, we used vtun1 with port 1195 for both hq and branch router in which they’re talking.
vtun1 network: 172.16.253.0/24

HQ ----- vtun1 ---- internet ----- vtun1 ----- BRANCH -> OK

From the branch-router, we have setup a remote access vpn (vtun0 1194) which is also working from the remote workstation to the branch router.
vtun1 network: 172.16.253.0/24
vtun0 network: 192.168.100.0/24

BRANCH ---- vtun0 — internet ---- tun0 ---- Remote workstation -> OK

Scenario: We would like to reach the LAN of HQ from the remote workstation of BRANCH router.

How can we reach the LAN from the branch remote workstation to the lan of hq router from the tunnel.?

We already added a route, open the firewall in both routers 1195 and 1194

Thanks!

Dmitry · September 10, 2019, 10:54am

Hi @woodie03, all tunnels already connected? Does HQ have route to 192.168.100.0/24 via vtun1? I think you can advertise it from BRANCH. Also you need advertise from BRANCH route 172.16.253.0/24 for vtun0. Can you provide traceroute 192.168.100.1 from HQ and run traceroute 172.16.253.1 from Remote workstation?

woodie03 · September 10, 2019, 11:18am

Hi, How are you doing? Thanks for the reply… Yes, tunnel between hq to branch are connected. we have route given from hq to 192.168.199.0/26
traceroute:
a.) from hq to 192.168.100.1 (just changed the ip)
traceroute to 192.168.100.1 (192.168.100.1), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

b.) 1 1 ms 1 ms 1 ms 192.168.1.1
2 2 ms 2 ms 2 ms <remote_client_public_ip>
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.

by the way we’re not using any igp.

Dmitry · September 10, 2019, 12:18pm

Fine, thank you, how are you?
I’m correct understood you schema?
Explain please, what ip addresses have HQ and BRANCH on vtun1 and what ip address have BRANCH and remote workstation on vtun0.

woodie03 · September 10, 2019, 1:33pm

Doin’ good sir. Yes, the topology is like that.

vtun1 IPs for HQ and BR:
HQ - 172.16.253.1/24
BR - 172.16.253.12/24

vtun0 IPs for BR and Remote Workstation:
BR - 192.168.100.1/26
Remote Workstation - 192.168.100.2/26 (Given by the BR via vtun0)

remote client connected vtun0 of HQ could access any resources from the Branch network, we would like to be vice versa, however the remote client of branch couldn’t do so.

Dmitry · September 10, 2019, 2:10pm

I think at first you need add static route on HQ, like

set protocols static route 192.168.100.1/26 next-hop 172.16.253.12 next-hop-interface vtun1

And also I think you need add NAT rules on HQ, like

set nat source rule 300 destination address '192.168.100.1/26'
set nat source rule 300 outbound-interface 'vtun1'
set nat source rule 300 translation address '172.16.253.1'

Can you add this and run traceroute again. From 192.168.100.2 to 172.16.253.1, and from 172.16.253.1 to 192.168.100.2?

woodie03 · September 11, 2019, 9:08am

Sir Dmitry, tried adding those commands and ran traceroute

From HQ to BR vtun0 192.168.100.0/26 network:
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

From 192.168.100.2 to 172.16.253.1

192.168.1.1 (192.168.1.1) 0.393 ms 0.447 ms 0.489 ms
<public_ip> 2.587 ms 3.095 ms 2.903 ms
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 <public_ip_isp> 2.141 ms !N * *

Dmitry · September 11, 2019, 9:44am

As we see, remote workstation doesn’t have route to 172.16.253.0/24, your ovpn on BR can push this route to client.
set interfaces openvpn vtun0 server push-route 172.16.253.0/24
then reconnect ovpn on remote workstation, and run traceroute 172.16.253.1 again. If route was be received, you can see first hope router 192.168.100.1.
@woodie03, please, post full traceroute command which you enter. Can you also provide run show ip route on HQ

woodie03 · September 11, 2019, 2:21pm

I’ve added the push-route to BR router and reconnect the ovpn of client workstation.

Client workstation:
command: traceroute 172.16.253.1

1 192.168.100.1 (192.168.100.1) 215.341 ms 215.271 ms 215.218 ms
2 * * *
3 * * *
4 * * *
5 * * *
|
30 * * *

HQ
command: show ip route

S> 0.0.0.0/0 [1/0] via <public_ip>, eth1
C>* 10.0.0.0/26 is directly connected, eth0
S>* 192.168.100.0/26 [1/0] is directly connected, vtun1
  *                       via 172.16.253.12, vtun1
C>* 172.16.254.0/24 is directly connected, vtun0

BR
command: show ip route

S*> 0.0.0.0/0 [1/0] is directly connected, eth1
S>* 10.0.0.0/26 [1/0] is directly connected, vtun1
  *                   via 172.16.253.1, vtun1
C>* 192.168.100.0/26 is directly connected, vtun0
C>* 172.16.253.0/24 is directly connected, vtun1

Dmitry · September 11, 2019, 2:43pm

What is this route, run on BR and show please:
show configuration commands | match static route

woodie03 · September 11, 2019, 2:46pm

Here sir

BR: show configuration commands | match static route

set protocols static interface-route 10.0.0.0/26 next-hop-interface 'vtun1'
set protocols static route 10.0.0.0/26 next-hop 172.16.253.1

10.0.0.0/26 is the LAN of HQ which BR likes to reach as well

Dmitry · September 11, 2019, 2:52pm

Ok, did you have configured firewall on HQ and BR? can you temporary allow all for 192.168.100.0/26?

woodie03 · September 11, 2019, 3:00pm

Added firewall rule on HQ but not yet on BR
command:
LAN
set firewall name WAN_IN rule 100 action accept
set firewall name WAN_IN rule 100 source address 192.168.100.0/26
set firewall name WAN_IN rule 100 protocol all

Dmitry · September 11, 2019, 3:05pm

Now you can see counters, after you run traceroute from remote workstation to HQ

show firewall name WAN_IN statistics

Seem all routes is ok

woodie03 · September 11, 2019, 3:14pm

after running traceroute from the remote workstation.

HQ output: show firewall name WAN_IN statistics
100 0 0 ACCEPT 192.168.100.0/26 0.0.0.0

Dmitry · September 11, 2019, 3:22pm

Hm, let’s try capture some traffic for understanding this situation.
On HQ
monitor traffic interface vtun1 filter 'host 192.168.100.2'
On BR
monitor traffic interface vtun1 filter 'host 192.168.100.2'
and run ping 172.16.253.1 from remote workstation. Do you see packets?

woodie03 · September 11, 2019, 3:24pm

Forgot to add this:

BR output: show firewall name WAN_LOCAL statistics
100 0 0 ACCEPT 192.168.100.0/26 10.0.0.0/26

Okay, will send you the output a little while.

woodie03 · September 11, 2019, 3:34pm

output:
HQ -> there’s no traffic captured from remote workstation

BR -> it’s only the echo request is coming out and there’s no reply from the destination

192.168.100.2 -> 10.0.0.1 ICMP Echo (ping) request
and
192.168.100.2 -> 172.16.253.1 ICMP Echo (ping) request

Dmitry · September 11, 2019, 3:45pm

Do you see any icmp on HQ vtun1

monitor traffic interface vtun1 filter 'icmp'

This is very strange.

woodie03 · September 11, 2019, 3:52pm

I can see icmp traffic but from the other connected network but couldn’t see from the remote workstation. I’m not sure if the BR router has the issue, coz’ remote workstation connected from the HQ could see any resources to BR