OpenVPN net-to-net tunnel set up fine, but no traffic goes through it

Hi,

For my daughter I wanted to set up a Net-to-Net tunnel to route her traffic through my gateway.

For this configuration, my router (server) is connected via FTTH (PPPoE) and my daughter's via a mobile router (configured as modem). Remote host/client IP addresses were set up via dynamic DNS services.

I use two routers (one as server, the other as client) with IPFire (latest revision) and followed the description of the Net-to-Net configuration on IPFire's wiki: wiki.ipfire.org - OpenVPN Configuration

For the firewall settings (server) I set up the following (rule 6 is normally also enabled):

(screenshot: server firewall rules)

On the client side, it's vice versa:

Source: GREEN → Destination: MalinforNF, enabled

Source: MalinforNF → Green, enabled

Source: GREEN → RED, disabled (traffic should run through the tunnel)

After the tunnel was enabled and started, it came up a couple of seconds later.

The gateways on each side could be pinged to check that the tunnel is working.

However, no traffic went through the tunnel. DNS requests did not go through the tunnel either.

I tried to find some ideas in the community, but no luck yet. I would assume that something is wrong with the firewall settings, but I don't have any clue what it could be.

Does anyone have any idea? I appreciate your feedback.

Best,

smithchart

Never did an N2N, but I think you need to add a route. You might get an idea from this special case. Also, this one might give you some ideas.


Hi,
I have also seen this article, but it's a different case: a mixed Roadwarrior + net-to-net connection.

Hello smithchart,
since your firewall policy is "blocked", you also need to set rules for N2N; red0 is not tun1[x], so your FW rules might be the problem… Did you check rule 7 to enable the tun interface for the remote subnet/client?

Best,

Erik


Hello Erik,

following are the FW rules on the client side.

I would expect that with the enabled rule from GREEN to N2N (Malin…) the FW will route the traffic from the client into the tunnel :thinking:
On the server side rule 7 is enabled so that the tunnel traffic is passed on to the internet (RED). That's my understanding; maybe it's not correct :face_with_raised_eyebrow:

Here are the routing table entries from the server side:
(screenshot: server routing table)

tun1 is the n2n connection.
I don't see an entry from the tunnel to RED (185.x.x.x).

What do I need to change/add? Another rule or iptables entry?

Best,
smithchart

Hi smithchart,
on N2N connections the routes are set via n2n.conf by default to the remote green0 network, as you can see in the routing table entries. Your iptables rules just ACCEPT the connection and do not make any routing decision. If you want to route the remote internet traffic (I had overlooked that above) through the tunnel, you can use the directive '--redirect-gateway' for N2N connections too, but I would use a Roadwarrior connection for that, since N2N connections are meant to connect local networks with one another.
You can also find a '--redirect-gateway' option as well as DNS options in the web user interface for Roadwarrior.

Best,

Erik

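As an added example (not from this thread and not IPFire's generated n2n.conf), this is what applying the '--redirect-gateway' suggestion looks like on a point-to-point (tls-server/tls-client) net-to-net tunnel. The interface name tun1 and the 192.168.20.0/24 remote green subnet are assumed placeholders. Two points matter in practice: OpenVPN's --push requires --mode server, so on a point-to-point tunnel the directive has to be set on the client router itself rather than pushed from the server; and the remote green subnet then leaves the server on red0 with a private source address, so the server must source-NAT it.

```conf
# Added example for a point-to-point net-to-net tunnel; not from the
# thread and not IPFire's own n2n.conf. tun1 and 192.168.20.0/24 are
# assumed placeholders, adjust to your tunnel.

# --- client side (the remote IPFire), appended to its n2n.conf ---
# "def1" does not overwrite the existing default route; it adds
# 0.0.0.0/1 and 128.0.0.0/1 via the tunnel (more specific, so they win)
# and a host route to the VPN server's public address via the original
# gateway, so the tunnel does not try to carry its own transport packets.
redirect-gateway def1

# Explicit equivalent of what def1 installs, if you prefer to see it:
#   route 0.0.0.0 128.0.0.0
#   route 128.0.0.0 128.0.0.0

# Do NOT put  push "redirect-gateway def1"  on the server side of a
# point-to-point tunnel: --push requires --mode server, so it cannot
# change the client's routing table here.
```

On the server side, the packets arriving on tun1 from 192.168.20.0/24 need a source-NAT rule when they go out on red0, e.g. `iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -o red0 -j MASQUERADE` in `/etc/sysconfig/firewall.local`, or the equivalent source-NAT rule in the IPFire firewall GUI, together with the firewall rule that allows the remote subnet out to RED. To verify: on the client router `ip route` should show the two /1 routes via tun1, and on the server `tcpdump -ni tun1` followed by `tcpdump -ni red0 host <test target>` shows whether the traffic arrives through the tunnel and leaves with the server's public address.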

Hi Erik,
the Roadwarrior connection is not an option; my daughter uses either a mobile phone or a laptop.
She prefers KISS and won't use an OpenVPN client, too technical :roll_eyes:
Setting up a Roadwarrior client within IPFire is unfortunately not possible.
I tried to use --redirect-gateway on the server side, as suggested, and added it to the n2n.conf file on the server side (snapshot):
(screenshot: server n2n.conf)

and got the following iptables overview:
(screenshot: iptables overview)

Once the n2n link was enabled, the green network was disconnected from RED, and there was still no routing from the n2n client through the VPN to RED.
As another idea, I alternatively used it with "push" → push "redirect-gateway def1"; no change in the routing tables.

Best,

smithchart

I had the same issue: no connections with my DSL connection.

I had to upgrade the DSL connection on site B to a static IP address (site A already has a static IP address). The culprit: "Carrier-grade NAT" (to save IP addresses) at your ISP, which makes it very difficult (impossible?) to route traffic in OpenVPN Site-to-Site mode.

See here: OpenVPN Net-to-Net issue with Fritzbox-router (Site A & Site B) - #2 by cgil
and Carrier-grade Nat:
Carrier-grade NAT - Wikipedia
