Accessing remote lan over site to site from a Openvpn client

[elorimer]

I have two Asus routers with Merlin, connected site to site with OpenVPN

Site A has an OpenVPN server (AX88, Merlin 388.9, 192.168.50.xx). Site B has an OpenVPN server and client (AX86Pro, 3006.102.4, 192.168.10.xx). Site B is connected as a client to Site A, and all devices on the Site A network can reach all devices on the Site B network, and vice versa (NAS devices, and RDP computers), because I have a route back to 192.168.10.xx in the allowed clients box of the site A Server. If I connect remotely to the Site A server, I can reach all devices on the Site A network, but not Site B's network; if I connect remotely to the Site B server, I can reach all devices on the Site B network but not on the Site A network. I want to be able to reach everything on Site A and Site B when connected to either site's server. I thought I had this working in the past, but that might have been with windows 10 and of course earlier firmware versions, but I seem to have a routing or firewall issue. Hints?

A further complication is that I would like to connect remotely from a travel router (192.168.8.xx), and have devices on its network reach Site A and Site B. If I connect to Site A, I can reach everything on Site A, and if I connect to Site B I can reach everything on Site B, so I think I have to solve the first issue before tackling the second.

 

[visortgw]

Have you considered using VPN Director (within Merlin firmware/GUI) to simplify and resolve your issues? It's infinitely configurable.

Both my local network (192.168.222.0/24) and remote network (192.168.1.0/24) have OpenVPN servers — I have site-to-site OpenVPN client connections from local to remote and from remote back to local. I use VPN Director to manage which devices from each site can access which devices at the other site:

1. Selected IP range on local network (192.168.222.11/29) can access any device on remote network;
2. NAS on remote network (192.168.1.3) can access NASs on local network and vice versa for backup and configuration.

Local site rules:

Remote site rules:

 

[elorimer]

I don't have any issues reaching any device in site A from any device in Site B, and vice versa. That is handled by a route in the Allowed Clients box.

My issue is that if I connect from another place as a client to a Site A server, I can't reach any device in Site B; and if I connect from another place as a client to a Site B server, I can't reach any device in Site A.

 

[visortgw]

I don't have any issues reaching any device in site A from any device in Site B, and vice versa. That is handled by a route in the Allowed Clients box.

My issue is that if I connect from another place as a client to a Site A server, I can't reach any device in Site B; and if I connect from another place as a client to a Site B server, I can't reach any device in Site A.

I will try something later today and report back (after I cut the lawn).

 

[elorimer]

I went back to basics and started over. Part of what I had in mind works now.

1. Just having the two separate subnets in the Allowed Clients box of the same OpenVPN server allows devices on the subnets of the two clients to reach each other. This was what I had working before, and I can see how the firmware implements the routing described in the OpenVPN documentation.
2. I haven't figured out yet how a client of an OpenVPN server on a router connected site to site as a client to a second router with an OpenVPN server, can reach devices on the subnet of the second server.
3. I haven't figured out how a client of one OpenVPN server can reach a client of the second OpenVPN server. This was what I was hung up on until I went back to #1.

So I still have some routing things to understand, but not a pressing need for it beyond curiosity.