Cannot reach Green network

I setup a fresh IPFire server so that I could use the OpenVPN server setup, I’ll admit its been a while since I setup a VPN, last time it was on an IPCop firewall.

I read a bunch but cannot nail down what the heck is wrong.

With a fresh setup of IPFire, I’ve configured OpenVPN and a client, my Client connects and can reach the Green interface, but nothing on the LAN the green interface is on.

I’ve read a number of times that others needed to add route at the command line on the server.
No body ever really explains why this is needed, I mean what caused this to be needed.

I am testing this setup by connecting a laptop to a cell hotspot.
My IPFire has a direct internet IP for the red interface, IPFire is routing.

My route table on the server says GW Red0 GW Tun0 GW Tun0 GW Red0 GW Red0 GW Green0 is the internal VPN IP is my internal LAN is the default GW for the Red0 interface which has IP

I can ping green host from the IPFire command line.


Hi and Wellcome @matthew

I don’t know if I can help you. I have little experience in this but I have had a similar problem. I tell you:

When you generate the Certificate, in order to access the Green you have to check Green:

It may happen that the Lan range of the roadwarrior is the same as the Company Lan and there is overlap. Being the same range, it does not route it through the VPN interface.

Without activating VPN:


Activating VPN:


If the static path is not added correctly, you can force it by adding in the Client file “certificatename.ovpn” the line:

route (ip computer you want to access/complet range) or


Thank you so much for the suggestions / help.
Yep I show the same thing on the client, my address is pointing at the GW IP of the tunnel. My client “seems” to be correct, I checked the .ovpn on the server and it does have just one line, push ‘route’.

I re-created the certificate ensuring Green is selected, this had no effect.

Pings and trace routes do not reach the Green network, only the green network card.

Have you checked your firewall rules? You have to permit access from openvpn to green network.

Hi Sklammer
Thanks for the reply.
I’ve read this a number of times now , that I must permit access to green from OpenVPN, but I’m just not getting it.
I would really like to know where I am failing at this setup. I don’t understand why this is not happening if its required to make this work.
I have no rules to speak of, pretty much a clean setup.
After your message I did create a firewall rule to allow VPN to Green, rebooted the server, but this did not correct the issue i have.
Anything else?

@matthew I did not have to create any rules for my vpn, when I configured the advanced Server options, I entered domain and DNS (the first two boxes). On the client certificate, I have Redirect Gateway, Access to GREEN and DNS1 the same DNS I typed in the server options above.

When I vpn to my environment, I can access any hosts (by name or ip) in the GREEN network.

Hi Pavlos
Thanks for the reply.

I applied all your settings but still no joy.
I’ve reinstalled the server and will start over.

After reinstalling the server i realized that I left something out of the description of my environment.

I am setting up IPFire as an OpneVPN server, IPFire is not the default gateway for my network.
My IPFire is directly connected to the Internet, no router.

If I set IPFire as the default gateway for my test host on my LAN then the Pings / VPN works.
So far this is the only way I can get it to work so far.

I suppose my question really is for the IPFire/VPN to work does it have to be the default gateway on my network of windows machines?

Yes there is the Problem because the answers to your requests are transmitted to the default gateway that doesn’t know anything about your OpenVPN Network. Perhaps you could set a static route for your openvpn network pointing to your ipfire on your default gateway.

That’s what I was thinking last night. For whatever reason the route I entered on a windows machine is not working because packets still did not know where to go and so went to the default gateway.

Either I get the route from the workstation to work or use the IPFire as my DG.

Good idea for the static route on my exiting GW but I don’t have direct control of that unit so would rather not add potential problems for myself, I mean I’m having trouble getting a simple route setup to work.

As it is now I’m going to reset those that need the VPN to use IPFire as their GW.

Thanks everyone