How to enable routing between two OpenVPN sub-networks

Current setup:

  1. OpenWrt router_A (LAN IP: 192.168.2.1) runs OpenVPN Server1 with IP 10.8.1.0/24, allowing access to OpenWrt router_B (LAN IP: 192.168.1.1) through a Site-To-Site OpenVPN configuration.
  2. Also OpenWrt router_A (LAN IP: 192.168.2.1) runs OpenVPN Server2 with IP 10.8.2.0/24, allowing external clients to access the 192.168.2.1 network.

So, external clients connected to OpenVPN Server2 (10.8.2.0/24) can access the 192.168.2.0/24 LAN via the OpenVPN tunnel, but cannot access OpenWrt router_B (LAN IP: 192.168.1.1).

Current active IPv4 Routes:

Please help me configure static routing or extend the OpenVPN setup so that clients connected to OpenVPN Server2 (10.8.2.0/24) can have access to the Router_B LAN (192.168.1.0/24).
Any suggestions are much appreciated.

If you are connected to the server, can you connect to LAN clients on the VPN client?

1. OpenWrt router_A Site-to-Site VPN config for Server1:
Server1, 10.8.1.0/24
config openvpn 'Site_to_Site_SERVER'
	option cipher 'AES-256-GCM'
	option client_to_client '1'
	option mode 'server'
	option port '7101'
	option comp_lzo 'no'
	option mssfix '1420'
	option proto 'udp4'
	option dev 'tun0'
	option ca '/etc/openvpn/tun0/ca.crt'
	option dh '/etc/openvpn/tun0/dh.pem'
	option cert '/etc/openvpn/tun0/ppa01-server.crt'
	option key '/etc/openvpn/tun0/ppa01-server.key'
	option client_config_dir '/etc/openvpn/ccd'
	option ifconfig_pool_persist '/etc/openvpn/ipp.txt'
	option keepalive '20 120'
	option persist_key '1'
	option persist_tun '1'
	option remote_cert_tls 'client'
	option reneg_sec '0'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option topology 'subnet'
	option verb '3'
	option server '10.8.1.0 255.255.255.0'
	list route '192.168.1.0 255.255.255.0'
	list push 'route 192.168.2.0 255.255.255.0'
	option enabled '1'
2. OpenWrt router_B Site-to-Site VPN config for Client:
Client for Server1
config openvpn 'S2S_client'
	option cipher 'AES-256-GCM'
	list remote 'xxxx.duckdns.org 1301'
	option nobind '1'
	option client '1'
	option comp_lzo 'no'
	option connect_retry '5 60'
	option auth_nocache '1'
	option dev 'tun5'
	option resolv_retry 'infinite'
	option remote_cert_tls 'server'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option reneg_sec '0'
	option ca '/etc/openvpn/S2S-client/ca.crt'
	option cert '/etc/openvpn/S2S-client/PA-client.crt'
	option key '/etc/openvpn/S2S-client/PA-client.key'
	option verb '3'
	option enabled '1'

3. OpenWrt router_A VPN config for Server2:

Server2, 10.8.2.0/24
config openvpn 'VPN_Access_SERVER'
	option cipher 'AES-256-GCM'
	option client_to_client '1'
	option mode 'server'
	option port '7102'
	option comp_lzo 'no'
	option mssfix '1420'
	option proto 'udp4'
	option dev 'tun1'
	option ca '/etc/openvpn/tun1/ca.crt'
	option dh '/etc/openvpn/tun1/dh.pem'
	option cert '/etc/openvpn/tun1/ppa02-server.crt'
	option key '/etc/openvpn/tun1/ppa02-server.key'
	#option client_config_dir '/etc/openvpn/ccd'
	option ifconfig_pool_persist '/etc/openvpn/ipp2.txt'
	option keepalive '20 120'
	option persist_key '1'
	option persist_tun '1'
	option duplicate_cn '1'
	option remote_cert_tls 'client'
	option reneg_sec '0'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option topology 'subnet'
	option verb '3'
	option server '10.8.2.0 255.255.255.0'
	list push 'route 192.168.2.0 255.255.255.0'
	list push 'comp-lzo no'
	option enabled '1'

4. OpenWrt Client VPN config for Server2:
Client for Server2
client
dev tun1
remote xxxx.duckdns.org 1302
auth-nocache
cipher AES-256-GCM
comp-lzo no
connect-retry 5 60
keepalive 20 120
nobind
persist-key
persist-tun
proto udp
pull
remote-cert-tls server
reneg-sec 0
verb 3
#route 192.168.1.0 255.255.255.0
# Uncomment below to force Internet traffic over VPN, instead of just accessing devices.
# redirect-gateway def1

On server 1, push a route to client1 back to VPN server 2.

On VPN server 2, push a route to the client for client1.

Reboot and test again.

Also please answer my earlier question.
(Oh and you can do this with just one VPN tunnel :wink:)

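As an added illustration (not from the thread or from OpenWrt), the following Python models the routing tables that the posted configs produce and traces a packet in both directions. It shows why the reply asks for two pushes: the Server2 push gives the road-warrior client a route to 192.168.1.0/24, and the Server1 push gives router_B the return route to 10.8.2.0/24; without the second one, replies from LAN B leave through router_B's default gateway. Node names, host addresses and the "isp" sink are constructed assumptions.

```python
import ipaddress
# Constructed model of the thread's topology (assumed addresses, not the routers' real tables):
# router_A runs Server1 (tun0) and Server2 (tun1), router_B is Server1's site-to-site client,
# vpn_client is a road warrior on Server2, host_B sits in router_B's LAN.
ADDRS = {
    "vpn_client": {"10.8.2.10"},
    "router_A": {"192.168.2.1", "10.8.1.1", "10.8.2.1"},
    "router_B": {"192.168.1.1", "10.8.1.2"},
    "host_B": {"192.168.1.50"},
}
CONNECTED = "connected"  # directly attached subnet: deliver to whichever node owns the address

def routes_before():
    """Tables as the posted configs produce them; 'isp' stands for each node's default gateway."""
    return {
        "vpn_client": {"10.8.2.0/24": CONNECTED, "192.168.2.0/24": "router_A", "0.0.0.0/0": "isp"},
        "router_A": {"192.168.2.0/24": CONNECTED, "10.8.1.0/24": CONNECTED, "10.8.2.0/24": CONNECTED,
                     "192.168.1.0/24": "router_B", "0.0.0.0/0": "isp"},
        "router_B": {"192.168.1.0/24": CONNECTED, "10.8.1.0/24": CONNECTED,
                     "192.168.2.0/24": "router_A", "0.0.0.0/0": "isp"},
        "host_B": {"192.168.1.0/24": CONNECTED, "0.0.0.0/0": "router_B"},
    }

def routes_after():
    r = routes_before()  # same tables after the two pushes the reply recommends
    r["vpn_client"]["192.168.1.0/24"] = "router_A"  # Server2: list push 'route 192.168.1.0 255.255.255.0'
    r["router_B"]["10.8.2.0/24"] = "router_A"       # Server1: list push 'route 10.8.2.0 255.255.255.0'
    return r

def next_hop(table, dst):
    """Longest-prefix match over one node's table; None if nothing matches."""
    best = None
    for prefix, via in table.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, via)
    return best[1] if best else None

def trace(routes, src_node, dst_ip, max_hops=8):
    """Forward a packet hop by hop; return (delivered, path). A hop without a table is a sink."""
    dst, node, path = ipaddress.ip_address(dst_ip), src_node, [src_node]
    for _ in range(max_hops):
        if dst_ip in ADDRS.get(node, set()):
            return True, path
        via = next_hop(routes.get(node, {}), dst)
        if via == CONNECTED:  # resolve the owner, like ARP on the attached subnet
            via = next((n for n, a in ADDRS.items() if dst_ip in a), None)
        path.append(via or "no-route")
        if via not in routes:  # None, unknown owner or the 'isp' sink: the packet is lost
            return False, path
        node = via
    return False, path
```

Tracing with only the Server2 push applied delivers the forward packet but drops the reply at router_B, which is the asymmetric failure a ping test shows as silence rather than an error.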

Thank you!
It solved the issue, and now clients connected to Server2 can access both the Router_A LAN (192.168.2.1) and the Router_B LAN (192.168.1.1).

Yes, I can ping clients connected to Server2 while being on the Server2 LAN.


Great to hear it is solved :+1:
