OpenVPN Net-to-Net issue with Fritzbox-router (Site A & Site B)


I’m struggling to get 2 sites connected with OpenVPN in Net-to-Net mode (named here “OVPN-Site-A-B”).

On Site A (Central): ipfire-Box with Red / Orange & Green.
Red-IP static: AA.BB.CC.DD. and Orange-IP static address: EE.FF.GG.HH/24
Green: / Network:> network to reach from Site B.
OpenVPN Server works, but only with TCP port 1194 (not UDP); connection with Roadwarrior clients works!

On Site B: ipfire-Box with Red & Green. Fritzbox 5490-Fibre with latest Firmware 7.29 <–> Gateway-address: connected to ipfire-Red:, ipfire-Green:, Green network: => well the network to reach from Site A.

I followed the setup for Net-to-Net from - Net-to-Net as a TLS-server: and I chose UDP port 2001 for both sides. Both sites work correctly as OpenVPN Server and OpenVPN Client.

Site B: on the Fritzbox: I opened UDP port 2001 for ipfire-red: and added a routing table: Gateway:
and on the ipfire-box added a rule: Source: Green accept all protocols to Dest: “OVPN-Site-A-B”

Site A: Ipfire > new rule: Source: Green accept all protocols to Dest: “OVPN-Site-A-B”.

However, I can’t access / ping any PCs on the Green network of either site… on both IPfires the connections are established (it seems so, since both buttons are green with the label “CONNECTED”).

I tried several other rules but I can’t even send a small ping from one site to another site…

Is it maybe that my Internet provider (to which Site B with the Fritzbox-router is connected) blocks VPN connections? I doubt so, but I didn’t get an answer yet.
Any help is greatly appreciated.

Or a general question: does Site B with the Fritzbox-router also require a public static IP-address for OpenVPN Net-to-Net connections (Site A already has a public static IP-address)?

After hours of trying a lot of solutions and adding Dynamic DNS to the ipfire-box (behind my Fritzbox) which didn’t work, I found out that the Fritzbox-router is connected to Carrier-Grade NAT,
which makes it impossible to route traffic in OpenVPN Site-to-Site mode.

My ISP confirmed that the whole network is in CGNAT mode, so I will upgrade to have a real public IP-address for my FB…
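A small check for the root cause found above, added here as an example and not part of the original thread: compare the WAN address the Fritzbox reports with the address seen from outside, and flag the RFC 6598 shared range (100.64.0.0/10) that carrier-grade NAT hands out. The addresses used below are constructed samples.

```python
import ipaddress

# RFC 6598 shared address space: if the router's WAN side sits here, the ISP
# is doing NAT in front of it and no inbound port forward can ever reach it.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")

# RFC 1918 ranges: a WAN address here means another NAT device (modem, ONT)
# sits between the router and the Internet.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify_wan(router_wan_ip: str, observed_public_ip: str) -> str:
    """Classify the router's WAN address for a Net-to-Net (TLS server) role.

    router_wan_ip:      address shown on the router's Internet/WAN status page
    observed_public_ip: address an outside host sees traffic from this site
    Returns one of: "cgnat", "private-nat", "mismatch", "public".
    """
    wan = ipaddress.ip_address(router_wan_ip)
    seen = ipaddress.ip_address(observed_public_ip)
    if wan in CGNAT_NET:
        return "cgnat"          # ISP-side NAT: inbound UDP 2001 cannot arrive
    if any(wan in net for net in RFC1918_NETS):
        return "private-nat"    # an extra NAT hop in front of the router
    if wan != seen:
        return "mismatch"       # WAN looks public but traffic leaves elsewhere
    return "public"             # inbound port forwarding can work


ADVICE = {
    "cgnat": "ISP is using CGNAT; request a real public IPv4 or run this side as client only",
    "private-nat": "put the upstream device in bridge mode or forward the port there too",
    "mismatch": "outbound address differs from WAN address; check for DS-Lite or a second NAT",
    "public": "WAN address is public; a port forward to the IPFire red interface is sufficient",
}


def diagnose(router_wan_ip: str, observed_public_ip: str) -> str:
    return ADVICE[classify_wan(router_wan_ip, observed_public_ip)]


if __name__ == "__main__":
    # Constructed sample: Fritzbox reports a 100.64.0.0/10 address, outside sees a real one.
    print(diagnose("100.72.5.9", "203.0.113.7"))
```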


It works now since I upgraded to a static IP-address for Site-B with the Fritzbox:

  • opening UDP port 2001 on the Fritzbox (Port Sharing) to ipfire-Red:

No other settings, especially routing, had to be done on the Fritzbox on Site-B.

But on the Site-A ipfire, to allow the green network ( access to the Site-B Green network (, I had to create the following firewall rule to access Site-B Green ( network:

Site-A(ipfire): Source → Firewall: All / NAT: Source NAT: New source IP address: Green ( / Destination: OpenVPN Net-to-Net / Protocol: All.

This rule is then listed under “Outgoing Firewall Access” in the Firewall Rules list…

Not sure if this is correct, but it works for me after spending hours completing this setup.