OpenVPN - static routing to other sites

Hey guys, I’ve got a few months’ worth of experience with VyOS and am still figuring it out along the way. So I’ve got a VyOS at HQ which has a bunch of IPsec site-to-site peers connected, and these are all working fine. I then have clients connecting to the VyOS over OpenVPN. I need these OpenVPN clients to be able to pass traffic to all IPsec peer networks. Having a hell of a time doing this. I’m pretty sure it’s a simple route I need, I’m just not sure where to put it. I included some info and trace routes below to help show my point.

- HQ LAN = 10.123.123.0/24
- OpenVPN clients LAN = 10.122.122.0/24
- IPsec peer 1 = 172.20.30.0/24
- IPsec peer 2 = 192.168.34.0/24

I need VPN clients on the 10.122.122.0 subnet to be able to talk to the IPsec peer subnets. Currently I can talk to the HQ LAN just fine, but nothing else. See trace routes below. Note that from the VyOS itself I can ping all IPsec peer networks without issues.

Tracing route to 10.123.123.10 over a maximum of 30 hops
  1    49 ms    48 ms    43 ms  10.122.122.1
  2    48 ms    49 ms    62 ms  10.123.123.10
Trace complete.

Tracing route to 172.20.30.54 over a maximum of 30 hops
  1    42 ms    43 ms    50 ms  10.122.122.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.

Tracing route to 192.168.34.1 over a maximum of 30 hops
  1    60 ms    44 ms    52 ms  10.122.122.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
When pinging the HQ LAN it’s fine, since it’s on the same network the VPN lives on, but when pinging the other networks it seems the traffic hits the VPN interface and then doesn’t know where to go after.

Welcome to the Vyos forums!

Have you configured 10.122.122.0/24 as part of the encryption domain on the IPsec tunnels? Most likely traffic is going to the IPsec peers, but they don’t route traffic to 10.122.122.0/24 back via the IPsec, as you haven’t told them that it needs to be IPsec encrypted.

So traffic goes OVPN client -> VyOS -> IPsec peer -> device, but from device -> IPsec peer it won’t know to route 10.122.122.0/24 back via the IPsec tunnel towards your VyOS box.

That’d be my guess anyway!


Thanks for the greeting!

Ok that would make sense. I was discussing with a colleague this morning and he more or less had the same thought about it making it to the destination but not knowing how to get back.

What I can do is add the 10.122.122.0/24 subnet to the other side’s list of remote subnets for the IPsec tunnel. Not sure what you mean by configuring it as part of the encryption domain on the IPsec tunnels.

Do you mean like just add another tunnel to the peer with 10.122.122.0/24 as the local prefix? This is what it currently looks like:

peer xxx.xxx.xxx.xxx {
    authentication {
        mode pre-shared-secret
        pre-shared-secret ***********
    }
    connection-type respond
    default-esp-group ESP-HOX
    description "xxx"
    ike-group IKE-HOX
    ikev2-reauth inherit
    local-address xx.xx.xxx.x
    tunnel 10 {
        allow-nat-networks disable
        allow-public-networks disable
        local {
            prefix 10.123.123.0/24
        }
        remote {
            prefix 172.20.30.0/24
        }
    }
    tunnel 11 {
        allow-nat-networks disable
        allow-public-networks disable
        local {
            prefix 10.123.123.0/24
        }
        remote {
            prefix 192.168.34.0/24
        }
    }
}

I have no experience with IPsec on VyOS, I’m sorry, only WireGuard and OpenVPN.

Are you able to add another network to the “remote” statement there, or does it only take a single prefix?
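The config quoted above carries one local prefix and one remote prefix per tunnel, and each such pair is a traffic selector: a packet only enters the IPsec SA if its source matches the local prefix and its destination the remote prefix, and the far end must hold the mirror image of the same pair for the reply. The following is an added example (not code from the thread or from VyOS) that models those selectors in Python, checks both directions of a flow for a gap, and emits the `set vpn ipsec site-to-site peer ... tunnel N local prefix / remote prefix` lines, in the same syntax the quoted config uses, that would add the OpenVPN client subnet. The peer address 203.0.113.1 and the tunnel ids 12 and 13 are placeholders; the prefixes are the ones given in the thread.

```python
#!/usr/bin/env python3
"""Model the IPsec traffic selectors from the thread and find the selectors
the OpenVPN client subnet is missing. Added example, not VyOS code."""
import ipaddress

# Addressing taken from the thread. The peer address is a placeholder
# (the post masks it as xxx.xxx.xxx.xxx); tunnel ids 10/11 match the quoted config.
HQ_PEER = "203.0.113.1"            # hypothetical public address of the IPsec peer
HQ_LAN = "10.123.123.0/24"
OVPN_CLIENTS = "10.122.122.0/24"
# tunnel id -> (local prefix, remote prefix), as seen from the HQ VyOS
HQ_TUNNELS = {
    10: (HQ_LAN, "172.20.30.0/24"),
    11: (HQ_LAN, "192.168.34.0/24"),
}


def covering_tunnel(tunnels, src, dst):
    """Id of the first tunnel whose (local, remote) selector matches a packet
    src -> dst, or None: a packet that matches no selector never enters an SA."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for tid, (local, remote) in tunnels.items():
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return tid
    return None


def peer_view(tunnels):
    """The same tunnels as the far side sees them: local and remote swapped.
    Both ends must carry the mirror image of every selector."""
    return {tid: (remote, local) for tid, (local, remote) in tunnels.items()}


def check_flow(tunnels, src, dst):
    """(forward tunnel, return tunnel) for a flow src -> dst and its reply.
    None in either slot is a selector gap that blackholes that direction."""
    return covering_tunnel(tunnels, src, dst), covering_tunnel(peer_view(tunnels), dst, src)


def missing_remote_prefixes(tunnels, local_prefix):
    """Remote prefixes already reachable through some selector that have no
    selector from local_prefix (deduplicated, in tunnel order)."""
    local_net = ipaddress.ip_network(local_prefix)
    remotes = []
    for _, remote in tunnels.values():
        if remote not in remotes:
            remotes.append(remote)
    return [
        remote for remote in remotes
        if not any(local_net.subnet_of(ipaddress.ip_network(loc)) and rem == remote
                   for loc, rem in tunnels.values())
    ]


def vyos_set_commands(peer, tunnels, local_prefix, first_tunnel_id):
    """`set vpn ipsec site-to-site peer ... tunnel N local/remote prefix` lines
    that add one selector per missing remote prefix, one local and one remote
    prefix per tunnel as in the quoted config. The far end needs the mirror
    image: its own LAN as local prefix and local_prefix as remote prefix."""
    cmds, tid = [], first_tunnel_id
    for remote in missing_remote_prefixes(tunnels, local_prefix):
        base = f"set vpn ipsec site-to-site peer {peer} tunnel {tid}"
        cmds.append(f"{base} local prefix {local_prefix}")
        cmds.append(f"{base} remote prefix {remote}")
        tid += 1
    return cmds


def with_added_selectors(tunnels, local_prefix, first_tunnel_id):
    """Copy of tunnels with the missing selectors appended, for re-checking."""
    new = dict(tunnels)
    for offset, remote in enumerate(missing_remote_prefixes(tunnels, local_prefix)):
        new[first_tunnel_id + offset] = (local_prefix, remote)
    return new


if __name__ == "__main__":
    # HQ LAN host reaches the peer LAN through tunnel 10 in both directions;
    # an OpenVPN client matches no selector in either direction.
    print("HQ host  ->", check_flow(HQ_TUNNELS, "10.123.123.10", "172.20.30.54"))
    print("OVPN client ->", check_flow(HQ_TUNNELS, "10.122.122.6", "172.20.30.54"))
    print("\n".join(vyos_set_commands(HQ_PEER, HQ_TUNNELS, OVPN_CLIENTS, 12)))
    fixed = with_added_selectors(HQ_TUNNELS, OVPN_CLIENTS, 12)
    print("after fix ->", check_flow(fixed, "10.122.122.6", "172.20.30.54"))
```

The script only generates the HQ-side lines; the far-end device, whatever it is, still needs the matching selector with 10.122.122.0/24 as its remote prefix, or the reply will match no SA there. Adding the subnet as a second local prefix is done with a new tunnel number rather than by listing two prefixes under one tunnel, which is why the generated commands use tunnel 12 and 13.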