VPN to home while at a site that has a VPN connection with home

Got a network/routing problem that is stumping me at the moment:

I have at home (Site A) a wan-zone interface that I use to policy route through (Site B). The other endpoint (Site B) has the vpn interface in a firewall zone set input/output/forward as reject/accept/accept. That fw zone has the vpn interface, and the bridge interface for the network I’m connected to. The tunnel allows me to route through the remote endpoint(A > B = go), but the remote endpoint can’t access my home (B > A = no-go).

Now I’m physically at that remote endpoint (Site B), and connecting my vpn profile on my phone can’t connect to my home. Turn off Wi-Fi and use cellular, the vpn connection handshake completes and I’m golden, so it’s something to do with the tunnel that exists between the sites.

I’ve added a route on this Site B endpoint for my home Site A subnet, as well as adding my home subnets to the allowed IPs of the peer connection. No go.

I have a fw port forward at Site A set as “from:wan zone, to: this device port 51820, forward to vpn zone:interface ip:51820”. Likewise, another device in my home network runs a wg vpn server listening on 51820, mapped to wan 51823; connecting to this vpn server also fails while connected at Site B.

I feel like it’s something obvious and simple that I’m missing. Anyone have an answer?



Firewall rules on Site B



FW zone/port forwardforward/traffic rules on Site A (home)

Figured it out. It was simple. banip managed to include the public IP of Site B in the blocklist. Happened back on 10/20, and I don’t have syslog records back that far, so I can’t see what triggered it. Because the tunnel between Site A and Site B has the handshake initiated by Site A, the tunnel is able to reestablish anytime it restarts. Removed the IP from the blocklist, and now I can connect as expected.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.