I’m struggling getting 2 sites connecting with OpenVPN in Net-to-Net mode (named here “OVPN-Site-A-B”).
On Site A (Central): ipfire-Box with Red / Orange & Green.
Red-IP static: AA.BB.CC.DD. and Orange-IP static address: EE.FF.GG.HH/24
Green:192.168.64.1 / Network: 192.168.64.0/24==> network to reach from Site B.
OpenVPN Server works but only with TCP port 1194 (not UDP), connection with Roadwarrior clients works!
On Site B: ipfire-Box with Red & Green. Fritzbox 5490-Fibre with latest Firmware 7.29 <–> Gateway-address:192.168.178.1 connected to ipfire-Red:192.168.178.3, ipfire-Green: 192.168.10.3, Green network: 192.168.10.0/24 => well the network to reach from Site A.
I followed the setup for Net-to-Net from wiki.ipfire.org - Net-to-Net as a TLS-server: and I choosed UDP port 2001 for both sides. Both sites work correcty as OpenVPN Server and OpenVPN Client.
Site B: on the Fritzbox: I opened UDP port 2001 for ipfire-red:192.168.178.3 and added a routing table: 192.168.64.0/255.255.255.0 Gateway:192.168.178.3
and on the ipfire-box added a rule: Source: Green accept all protocols to Dest: “OVPN-Site-A-B”
Site A: Ipfire > new rule: "Source: Green accept all protocols to Dest: “OVPN-Site-A-B”.
However I can’t access / ping any PCs on the Green network of both sites…on both IPfire the connections are established (seems so since both buttons are green with label “CONNECTED”)
I tried several other rules but I can’t even send a small ping from one site to another site…
Is it maybe that my Internet provider’s (Site B with the Fritzbox-router is connected) blocks VPN connections ? I doubt so but I didn’t get an answer yet.
Any help is greatly appreciated.
Or general question: Does Site B with Fritzbox-router also require a public static IP-address for OpenVPN Net-to-Net connections (Site A already has a public static IP-address) ?
After hours of trying a lot of solutions and adding Dynamic DNS to the ipfire-box (behind my Fritzbox) which didn’t work, I found out that the Fritzbox-router is connected to Carrier-Grade NAT,
which makes it impossible to route traffic in OpenVPN Site-to-Site mode.
My ISP confirmed that the whole network is in CGNat mode, so I will upgrade to have a real public IP-address for my FB…
It works now since I upgraded to static IP-address for Site-B with the fritzbox:
opening UDP port 2001 on the Fritzbox (Port Sharing) to ipfire-Red: 192.168.178.3
No other settings / especially routing had to be done on the fritzbox on Site-B.
But on Site-A-ipfire to allow the green network (192.168.64.0/24) access to Site-B Green Network (192.168.10.0/24) I had to to create the following firewall rule to access Site-B Green (192.168.10.0/24) network:
Site-A(ipfire): Source → Firewall: All / NAT: Source NAT: New source IP address: Green (192.168.64.1) / Destination: OpenVPN Net-to-Net / Protocol: All.
This rule is then listed in the " Outgoing Firewall Access" in the Firewall Rules list…
But not sure if this is correct, but it works for me after spending hours completing this setup.