OpenVPN requires client IP/subnet defined?

vyos1 (OpenVPN server)

set interfaces ethernet eth0 address '1.1.1.1/24'
set interfaces ethernet eth0 description 'Wan0'
set interfaces ethernet eth2 address '10.101.0.1/24'
set interfaces ethernet eth2 description 'Lan0'
set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 server subnet '10.10.111.0/24'
set interfaces openvpn vtun0 server topology 'subnet'
set interfaces openvpn vtun0 openvpn-option duplicate-cn
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/pki/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/pki/issued/vyos.crt'
set interfaces openvpn vtun0 tls dh-file '/config/auth/pki/dh.pem'
set interfaces openvpn vtun0 tls key-file '/config/auth/pki/private/vyos.key'
set protocols ospf area 0 network '10.0.0.0/8'
set protocols static route 0.0.0.0/0 next-hop 1.1.1.254

edgerouter1 (OpenVPN client)

set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description Wan0
set interfaces ethernet eth2 address 10.10.10.1/24
set interfaces ethernet eth2 description 'Lan2'
set interfaces openvpn vtun0 description Vpn0
set interfaces openvpn vtun0 mode client
set interfaces openvpn vtun0 remote-host 1.1.1.1
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/edgerouter1.crt
set interfaces openvpn vtun0 tls key-file /config/auth/edgerouter1.key
set protocols ospf area 0 network 10.0.0.0/8

So what we are going for is communication from 10.10.10.0/24 to 10.101.0.0/24.

(10.10.10.0/24) -> 10.10.10.1 -> edgerouter1 -> 10.10.111.2 -> (10.10.111.0/24) <- 10.10.111.1 <- vyos1 <- 10.101.0.1 <- (10.101.0.0/24)

If I log in to edgerouter1 I can see the OSPF route to 10.101.0.0/24, and it is installed in the routing table. From edgerouter1 I can ping 10.101.0.1 using the default source IP of 10.10.111.2. If I ping from source address 10.10.10.1 to 10.101.0.1 it doesn't go through.

If I log in to vyos1 I can see the OSPF route to 10.10.10.0/24, and it is installed in the routing table. From vyos1 I CANNOT ping 10.10.10.1, but I can ping 10.10.111.2.

Here’s what fixes it… on vyos1:
set interfaces openvpn vtun0 server client edgerouter1 ip 10.10.111.2
set interfaces openvpn vtun0 server client edgerouter1 subnet 10.10.10.0/24

If I put the above in, everything flows just fine. What I'm not sure about is WHY I need to put that in, and IF there is a way that I can make this work without having to define a static IP and subnet for edgerouter1 (on vyos1)… What's the point of having a dynamic routing protocol if I have to manually assign static IPs and subnets to every client? For example, if I wanted to turn up a new VLAN on edgerouter1, I would have to do
set interfaces openvpn vtun0 server client edgerouter1 subnet 10.10.11.0/24
or to summarize them…
delete interfaces openvpn vtun0 server client edgerouter1 subnet
set interfaces openvpn vtun0 server client edgerouter1 subnet 10.10.10.0/23

Here's what I was hoping… I would not need to do any reconfiguration on vyos1 when adding future EdgeRouters. If I could just plop the base configuration and the certificate files on there, I could bring up new sites without having to commit any changes on vyos1 (which disconnects other OpenVPN sites).

Ideally I wouldn't need to specify any client definitions on vyos1…

So is there a trick to getting this to work the way I want?

PS: EdgeRouter doesn't support WireGuard or NHRP for DMVPN yet :(

I think OpenVPN site-to-site is out of the question, since that would also require configuration of a new tunnel for each client?

Also, an additional detail… in the non-working state, when I tcpdump on vtun0 on both sides I can see the ICMP packet go onto vtun0 on the EdgeRouter side and not come out the other side… so I know routing is correct, and other pings pass the tunnel; it's almost like OpenVPN has a source validation function?

Help! Thanks in advance.
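Added example, not code from the post or from VyOS/EdgeOS: a small Python model of the check OpenVPN's server mode applies to packets arriving from a client. The server keeps its own client-to-address map, built from the `ip`/`subnet` lines (rendered as ifconfig-push/iroute), and drops a packet whose source address is not in that map regardless of what the kernel routing table (here, OSPF) says. The functions parse the post's `server client` lines, decide whether a given source would be accepted, and list advertised prefixes that lack a covering `subnet` line; the client `edgerouter2` and the pool address used in the comments are constructed for illustration.

```python
import ipaddress
import re
import shlex

# Constructed sample: the server-side client lines from the fix in the post,
# plus a hypothetical second client that has a tunnel IP but no subnet line.
SERVER_CONFIG = """
set interfaces openvpn vtun0 server client edgerouter1 ip 10.10.111.2
set interfaces openvpn vtun0 server client edgerouter1 subnet 10.10.10.0/24
set interfaces openvpn vtun0 server client edgerouter2 ip 10.10.111.3
"""
CLIENT_RE = re.compile(
    r"^set interfaces openvpn \S+ server client (\S+) (ip|subnet) (\S+)$")

def parse_client_map(config_text):
    """Per-client table OpenVPN builds from these lines (VyOS renders them
    as ifconfig-push / iroute entries in client-config-dir)."""
    clients = {}
    for raw in config_text.strip().splitlines():
        m = CLIENT_RE.match(" ".join(shlex.split(raw)))  # drop CLI quoting
        if not m:
            continue
        name, kind, value = m.groups()
        entry = clients.setdefault(name, {"ip": None, "subnets": []})
        if kind == "ip":
            entry["ip"] = ipaddress.ip_address(value)
        else:
            entry["subnets"].append(ipaddress.ip_network(value, strict=False))
    return clients

def accepted_source(clients, name, src, pool_ip=None):
    """True if OpenVPN forwards a packet from client `name` sourced from `src`:
    the tunnel address (static `ip` or pool-assigned `pool_ip`) or an address
    inside one of its iroute subnets. Kernel/OSPF routes play no part here."""
    src = ipaddress.ip_address(src)
    entry = clients.get(name, {"ip": None, "subnets": []})
    tunnel_ip = entry["ip"] or (pool_ip and ipaddress.ip_address(pool_ip))
    if tunnel_ip == src:
        return True
    return any(src in net for net in entry["subnets"])

def missing_iroutes(clients, name, advertised):
    """Prefixes a client advertises (e.g. over OSPF) that no server-side
    `subnet` line covers; packets sourced from them are dropped by OpenVPN."""
    nets = clients.get(name, {"subnets": []})["subnets"]
    return [p for p in advertised
            if not any(ipaddress.ip_network(p, strict=False).subnet_of(n)
                       for n in nets)]

CLIENTS = parse_client_map(SERVER_CONFIG)
```

Running `missing_iroutes` against the prefixes a site advertises over OSPF shows which ones still need a `subnet` line (or a summary such as 10.10.10.0/23) before traffic from them will pass the tunnel.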