Site 2 Site OpenVPN

Hello,

I've a GL-iNet running with OpenWrt 18.06.
I've set up a site-to-site VPN with OpenVPN.
The VPN server is running on OPNsense.
I've no problem reaching the other site from the OpenWrt site.

network overview

NAS             192.168.2.123
   |  192.168.2.0/24
OPNsense        192.168.2.1 (LAN)  /  10.11.10.1 (OpenVPN server)
   |  10.11.10.0/24 (OpenVPN tunnel)
GL-iNet router  10.11.10.6 (OpenVPN client)  /  172.31.1.1 (LAN)  (OpenWrt)
   |  172.31.1.0/24
Client          172.31.1.249

tracert 192.168.2.123

Routenverfolgung zu NAS [192.168.2.123]
über maximal 30 Hops:

1 <1 ms <1 ms <1 ms GL-AR750 [172.31.1.1]
2 21 ms 21 ms 21 ms 10.11.10.1
3 22 ms 21 ms 22 ms NAS [192.168.2.123]

Ablaufverfolgung beendet.

With ping, the echo reply is two-way, so routing should be fine,
but I can not access the network the other way.

ash-4.3# traceroute 172.31.1.249
traceroute to 172.31.1.249 (172.31.1.249), 30 hops max, 60 byte packets
1 192.168.2.1 (192.168.2.1) 0.328 ms 0.281 ms 0.279 ms
2 * * *
ash-4.3#

I can reach the OpenVPN interface from the other side:
ash-4.3# traceroute 10.11.10.6
traceroute to 10.11.10.6 (10.11.10.6), 30 hops max, 60 byte packets
1 192.168.2.1 (192.168.2.1) 0.315 ms 0.289 ms 0.275 ms
2 10.11.10.6 (10.11.10.6) 21.233 ms 26.276 ms 26.270 ms

I think I have a problem with the firewall on OpenWrt.

Maybe you have a hint for me.

This is a question about OPNsense since that is where the problem is. The 192.168.2.1 router does not have a route to the 172.31.1.0 network because the OpenVPN server did not install one. You should at least see a hop to 10.11.10.6 when tracerouting to 172.31.1.249.

Routes from clients to the server LAN are automatic, but to make connections the other way you need a client config directory etc. in the OpenVPN server.
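What that looks like in raw OpenVPN directives, as an added example that is not from the thread or from OPNsense's own files (in the OPNsense GUI the equivalent is the server's "IPv4 Remote Network" field plus a Client Specific Override for the OpenWrt client); the addresses are the ones from the thread, while the ccd path and the client certificate CN "gl-inet" are assumptions:

```conf
# --- OpenVPN server configuration on the OPNsense side (excerpt) ---
# Addresses are the ones from the thread; the ccd path and the client's
# certificate CN "gl-inet" are assumptions for this example.
server 10.11.10.0 255.255.255.0
# Hand the server LAN to the clients; this direction already works here.
push "route 192.168.2.0 255.255.255.0"
# Kernel route on OPNsense: packets for the OpenWrt LAN go into the tun
# interface instead of being dropped (hop 2 "* * *" in the traceroute).
route 172.31.1.0 255.255.255.0
# Enable per-client files so OpenVPN can learn which client owns that LAN.
client-config-dir /etc/openvpn/ccd

# --- /etc/openvpn/ccd/gl-inet  (file name = the client certificate's CN) ---
# Internal route: without this, OpenVPN receives the packet from the kernel
# but does not know which connected client to forward it to.
iroute 172.31.1.0 255.255.255.0

# Check on OPNsense after restarting the server (FreeBSD):
#   netstat -rn | grep 172.31.1
# should list 172.31.1.0/24 via the OpenVPN tun interface.
# The OpenWrt side still needs its firewall to forward from the VPN zone
# to lan (see the OpenWrt site-to-site guide linked in this thread).
```

Both `route` and `iroute` are needed: `route` alone sends the packet into the tunnel, `iroute` alone lets OpenVPN know the client's LAN but never gets the packet from the kernel.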

I am not sure, but the echo reply finds its way back; that is the reason why I think routing should work.

How can I solve this problem? Where do I have to start?

https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#site-to-site
