Non-NATed site-to-site VPN

Hello,

I'm running a Flint 2 serving as the VPN server and a Spitz AX as the VPN client, and wanted to set up my Spitz network without NAT so it's routed and reachable from the Flint 2 network. Any ideas on how to achieve this using the GL.iNet GUI (I want something that won't break on the next update)?

I could remove the masquerade settings on both routers. I reckon my Spitz network would reach the Flint network since all traffic is routed that way (allowed IPs), and the Flint server knows where to route its own local network.

What I haven't figured out is how to let clients on my Flint 2 network know about the route to the Spitz network. I.e. are there any settings to add routing rules only for the Flint 2 router?

I saw the Route Rules for the VPN server in the VPN Dashboard, but I couldn't find out how to use them. It says they override the default routing rules the server pushes to the client. But my problem is the opposite: I need to let the clients on the server network know about the remote subnet.

Any ideas?

Hello,

GL firmware's OpenVPN has a TAP mode, which is also known as site-to-site.

Spitz AX and Flint 2 are currently supported in the latest firmware, v4.7.4 and v4.7.7 respectively.

After the Spitz AX (client) is connected to the Flint 2 (server) with OpenVPN TAP, the Spitz AX will turn off its routing function.
The Spitz AX's clients get their DHCP IP allocated from the Flint 2.
All of the Spitz AX's clients are on the Flint 2's LAN, which is similar to a Layer 2 bridge. All data arrives at the Flint 2 without NAT.

Not sure if it meets your needs, you can give it a try.

Thanks, so that's a bridged network if I understood that correctly, right?

I was looking for routed subnets, but without NAT. I.e. where I can have a routed subnet boundary on each site, but they know how to reach each other so I can address devices on both networks from either network.

From my understanding I could achieve this just by adding a route for the clients on my server lan. Client lan to server lan is solved automatically since I forward all traffic from my client lan to the server lan.

But to enable traffic from my server LAN to my client LAN I would have to use the tunnel endpoint IP and set up port forwarding on the client router. I would like to just add a route for the clients on the server LAN instead. Or enable VPN without NAT somehow.

Just found out there was a guide.

So, the guide almost works.

I'm getting "Destination port unreachable" from the client LAN router (10.0.0.5) when I try to ping a device on the client LAN from the server LAN.

Running tracert from the server LAN device (IP 192.168.1.10) shows the packet is routed correctly to the client router (10.0.0.5, the VPN endpoint IP for the client LAN router). But the client LAN router responds that the target computer can't be found on the client LAN (i.e. "Destination host unreachable").

If both computers are on the same LAN, ping works, so it's not a client device firewall issue.

Do I have to change any firewall settings in the client LAN router to let ICMP requests through?

So how does the route setting affect IP masquerading? I still have masquerading enabled on both the server and the client LAN router, which doesn't sound correct.

Wouldn't I have to disable masquerading for traffic targeting the client LAN, and the same on the client LAN router? I can't find any settings on the server side to disable masquerading for just a particular VPN client connection; it seems to be a global setting for the VPN server.

Ok, so it was just me f***ing up. The guide works with masquerading being on at both sites as long as you enable "Allow remote LAN access".

Also remember that the default "Allow Echo Request" rules in Windows only allow pings from the local subnet for the Private and Public profiles.


Glad to hear that it can meet your needs.

Masquerading is enabled just to ensure that traffic arrives accurately at the VPN server and is forwarded successfully to the LAN.

Since the route exists, traffic is actually not forwarded through NAT, but through VPN routes.

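As an added illustration of the routed, non-NATed setup described in the thread (the "add a route on the server LAN side, let the client forward everything" idea in the earlier post and the "traffic goes through VPN routes, not NAT" explanation in the last reply), here is what the equivalent looks like as plain WireGuard `wg-quick` configuration. This is an added example, not the GL.iNet GUI's own generated config or anything from the guide the thread refers to. It assumes WireGuard (the original post talks about allowed IPs), a tunnel subnet of 10.0.0.0/24 with the Flint 2 at 10.0.0.1 and the Spitz AX at 10.0.0.5 (the Spitz address and the server LAN 192.168.1.0/24 come from the thread; the server tunnel address, the Spitz LAN 192.168.8.0/24, the hostname and the key placeholders are assumptions), and iptables on both routers.

```ini
# ---------------------------------------------------------------
# Flint 2 (VPN server), /etc/wireguard/wg0.conf  -- example only
# ---------------------------------------------------------------
[Interface]
Address    = 10.0.0.1/24                # assumed server tunnel address
ListenPort = 51820
PrivateKey = REPLACE_WITH_FLINT2_PRIVATE_KEY
# Permit forwarding between the tunnel and the LAN in both directions.
# No MASQUERADE rule is added for wg0: packets from 192.168.1.0/24 keep
# their real source address when they cross the tunnel.
PostUp   = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT

[Peer]
PublicKey  = REPLACE_WITH_SPITZ_PUBLIC_KEY
# The peer's tunnel address AND the LAN behind it. wg-quick installs a
# route for every AllowedIPs prefix, so 192.168.8.0/24 via wg0 lands in
# the Flint 2 routing table. Hosts on the server LAN that use the Flint 2
# as their default gateway therefore need no route of their own.
AllowedIPs = 10.0.0.5/32, 192.168.8.0/24   # 192.168.8.0/24 = assumed Spitz LAN

# ---------------------------------------------------------------
# Spitz AX (VPN client), /etc/wireguard/wg0.conf  -- example only
# ---------------------------------------------------------------
[Interface]
Address    = 10.0.0.5/24
PrivateKey = REPLACE_WITH_SPITZ_PRIVATE_KEY
# Same forwarding rules, again without MASQUERADE on wg0, so replies
# from 192.168.8.x go back with their real source address.
PostUp   = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT

[Peer]
PublicKey = REPLACE_WITH_FLINT2_PUBLIC_KEY
Endpoint  = flint2.example.net:51820      # assumed public hostname
# Tunnel subnet plus the server LAN. If the client already sends all
# traffic through the tunnel (AllowedIPs = 0.0.0.0/0), the server LAN
# is covered by that and this line is not needed.
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
```

With this in place, a ping from 192.168.1.10 to a host in 192.168.8.0/24 arrives at the Spitz AX over wg0 and is forwarded onto its LAN with source 192.168.1.10 intact; the target host must therefore accept traffic from a non-local subnet (the Windows "Allow Echo Request" scoping noted above is exactly the kind of host firewall rule that blocks it). Whether the GL.iNet firmware's "Allow remote LAN access" toggle produces the same routes and forward rules is not something this example can confirm; it only shows what the routed-without-NAT result looks like in raw WireGuard terms.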