I'm migrating my pfSense to OpenWrt
(APU2 with 2x WLE900VX and lots of OpenVPN servers and clients).
All OpenVPN servers and clients (with VPN splitting and VLANs) work, except for site-to-site, where I'm stuck.
Followed openvpn extras (thanks!) and used the OpenVPN config parameters from pfSense, which I adapted for OpenWrt (i.e. folders).
The other site is an OpenWrt router and remains unchanged, as it worked with pfSense.
I'm almost there: from the home router (ssh into the APU2) I can ping and ssh into the other site's router, but I cannot do that from any LAN device on the home site; the home router somehow blocks it.
So I guess it may be some firewall rule on the home router which I need to add?
You could post here some configs and troubleshooting: uci show network; uci show firewall; ip -4 addr; ip -4 ru; ip -4 ro ls ta all; uci show openvpn
If you have used a different file for the OpenVPN configuration, e.g. /etc/config/server.conf, post it here too.
Use preformatted text </> and remove any sensitive data, like passwords/keys/MAC.
I am not so sure you can have both server and ifconfig in the same configuration. float is not needed when you are configuring the server.
Other than that I don't see anything very wrong.
Just in case these won't work, I suggest creating a basic server config and then customizing it to your needs.
Switched off float and ifconfig, no impact.
As you stated, it must be something on the server side; I'll try to minimize to basic OpenVPN commands in the server conf file.
cheers Blinton
I found the error, which was in the firewall, permuted src and dest for lan and server...
However, I wanted to block the ssh port to the router from the second site (config rule, target REJECT), which doesn't block. Maybe I need to use something with DNAT (what's the difference)?
How do you write this rule?
DNAT is for rewriting the destination fields of the packet, i.e. a different IP and port.
A rule will allow or deny (or do other things) to a packet.
If you specify both src and dest, it is a FORWARD rule; however, you need an INPUT rule.
dest (zone name, optional, default none): Specifies the traffic destination zone. Must refer to one of the defined zone names, or * for any zone. If specified, the rule applies to forwarded traffic; otherwise, it is treated as an input rule.
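As an added illustration (not posted by anyone in this thread), here is the difference in /etc/config/firewall terms; the zone names `lan` and `vpn` are assumed, since the real names were not shown, so take them from `uci show firewall`:

```uci
# Added example, not from the thread. Assumed zone names: 'lan' for the
# local LAN, 'vpn' for the site-to-site tunnel interface.

# Does NOT block SSH to the router: src AND dest are set, so this is a
# FORWARD rule. It only matches traffic passing through the router from
# the vpn zone into the lan zone, never packets addressed to the router.
config rule
	option name 'ssh-from-vpn-forward-wrong'
	option src 'vpn'
	option dest 'lan'
	option proto 'tcp'
	option dest_port '22'
	option target 'REJECT'

# Blocks SSH to the router itself: dest is omitted, so this is an
# INPUT rule. It matches packets arriving from the vpn zone whose
# destination is the router's own TCP port 22.
config rule
	option name 'ssh-from-vpn-input'
	option src 'vpn'
	option proto 'tcp'
	option dest_port '22'
	option target 'REJECT'
```

After editing, run `/etc/init.d/firewall reload` and verify from the second site that `ssh` to the home router is refused while forwarded traffic still passes. If the tunnel interface is not assigned to a zone of its own, the rule's `src` must name whichever zone that interface actually belongs to.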