Static Routes, Default Gateways and OpenVPN


we have 2 IPFire , both with VPN. A + B. Same network.
If the default GW of the Windows-PC, used for RDP, is the same that is used for incomming VPN everything is fine. VPN and GW for the PC are for example A. It works.

If the incoming VPN IPFire ist the other one, Now B, it fails. Until I give the PC a static, permanent route with the VPN-Subnet of the other, now used incoming VPN.

It does not work when I put the routes as static routes in both of the IPFire. The VPN Subnet of Ipfire as static route A in B and the other way round.
Are the static routes in Ipfire only used for internal routing?

Where is my mistake?
Why do I have to set the Routes in the PCs?

Thank You in advance!

This is the right approach. You will need a static route on the incoming gateway pointing to some host on the network that can reach the other network; and you will need one on the default gateway of the Windows host to reach the VPN subnet.

You can use traceroute to see how far you are getting and if you need any firewall rules (if you are blocking everything by default, you do).

Thank You!
I still have the problem that a simple router works. IPFire does not.

One net. 2 DSL with IPFire. Same net.

On a simple router, FritzBox, I add two routes to two different IPFire OpenVPN subnets.
The windows clients get the Fritzbox as default gateway. Traceroute from the client shows erverything is fine. Each OpenVpn subnet is reachable. Traceroute goes the right way: to the FritzBox as hop 1, than to the IPFire it should go. To the one or the other.

Now I set an IPFire as gateway. I add the route to the other IPFire VPN in the one I use now as GW for the Clients.
The client reaches the OpenVpn subnet in this IPFire, now used as GW.
But the other OpenVpn subnet is not reachable via Ping and TraceRoute.
The IPFire does not route like the “simple router”.
Tracert shows that, instead of routing it to the other IPFire in the same net, as it is registered as route in the IPFire via Network/Static Routes , the way goes out to the GW of the IPFire–> Internet

This is no deny or reject. It is simply not right.
I read that I am not alone with this problem. (simple router works, ipFire blocks)

I have many such setups and they work without issue I typically do two settings:

  1. I add to each firewall the static route of the other firewall’s ovpn subnet
  2. All Windows/ Network equipment that you want to access from either OVPN requires a persistent route adding reflecting the OVPN subnet( I always just add the two routes for each OVPN) so no matter the gateway it always has the route hard coded to find the correct VPN’s subnet
    I assume you are running the two


Thank You.
Yes, the way you wrote is the way it works here too.
I just wonder why it doesn`t work the other way and if this is a bug or not.

As far as I know now the routes in the IPFire are routes for the IPFire. They are not “public”. They are not used for routing incoming packets. That seems strange to me.

The routes are for a bit of both ( However they are more internal purposes ) you will have to add routestatements in the firewall as the entries in Ipfire only seemto be for its own routing rather than the general traffic, This was also the case in IPCop…I have another set up where the IPfire feeds a windows server doing routing to two subnets , (RRAS) so windows has a “gateway NIC” it has two other NICS and the uphill IPfire is I had to add both a static route in the IPFire and I also had to add rules to allow the source ( and to “allow” destination any… after that I could get the two sub-nets to play nice and get internet from above.

I an happy with that lets say as in my setup these are the real (trusted LANs ) the other side of the ipfire green lan (

I find it hard to understand your topology :slight_smile:
has each IPfire got a separate static wan from the fritz…

Yes this is exactly as I would expect and have understood in the past , indeed the internal static routes are for IPfire purposes .
Agreedt would be useful when a packet is destined for the other ipfire the (Ipfire’s) static route would deal with it.

In your first example the fritz box is just doing the routing rather than the windows static route entries all be it one level deeper in Nat