Routing through multiple VPN tunnels

Hi all,

I’m having trouble routing traffic through a client OpenVPN tunnel to the main site, then out an S2S OpenVPN tunnel to a resource at a remote office.
All traffic through the S2S and Client connections is flowing perfectly on their own, but we cannot communicate across two VPNs…

Suggestions?

Thanks!

It should work by adding the networks to the OpenVPN server the users are connecting to.

Make sure the routes to both VPN subnets show up in the routing table at your “hub” site and at the remote office site. You may have to make sure all the subnets are in the S2S and client VPN config, or maybe add rules-based routing or static routes, depending on the exact situation. Many times with S2S VPNs, the subnets for the “road warrior” VPNs do not show up at remote sites, especially if you’re using different address space (e.g. 192.168.x.x for offices, but 172.16.x.x for client VPNs).

The first troubleshooting step for any routing issue: look at the routing tables to see where the various routers are sending traffic…
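Added example, not part of the thread and not any poster's code: a small routing-table check for the case described above, where the remote office has no route back to the client VPN pool. The subnets, interface labels and tables are constructed for illustration; the check uses longest-prefix match to confirm that both the forward and the reply path stay inside the tunnels.

```python
import ipaddress

# Constructed addressing (assumed, not from the thread): hub LAN 192.168.1.0/24,
# remote office LAN 192.168.2.0/24, road-warrior VPN pool 172.16.10.0/24.
# Interface labels (lan, s2s, clientvpn, wan) are hypothetical.
TABLES = {
    "hub": [("192.168.1.0/24", "lan"), ("192.168.2.0/24", "s2s"),
            ("172.16.10.0/24", "clientvpn"), ("0.0.0.0/0", "wan")],
    # The remote office only knows the hub LAN, not the client VPN pool.
    "remote": [("192.168.2.0/24", "lan"), ("192.168.1.0/24", "s2s"),
               ("0.0.0.0/0", "wan")],
}

def lookup(table, dst):
    """Longest-prefix match: interface a router would use for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def check_path(tables, client_ip, resource_ip):
    """Check both directions of a client-VPN -> remote-office flow."""
    hops = [
        ("hub", resource_ip, "s2s"),       # forward: hub into the S2S tunnel
        ("remote", resource_ip, "lan"),    # forward: remote delivers locally
        ("remote", client_ip, "s2s"),      # return: reply back into the tunnel
        ("hub", client_ip, "clientvpn"),   # return: hub to the road warrior
    ]
    problems = []
    for router, dst, want in hops:
        got = lookup(tables[router], dst)
        if got != want:
            problems.append(f"{router}: {dst} leaves via {got}, expected {want}")
    return problems

def with_route(tables, router, prefix, iface):
    """Copy of tables with one extra route added on router."""
    fixed = {name: list(routes) for name, routes in tables.items()}
    fixed[router].append((prefix, iface))
    return fixed

if __name__ == "__main__":
    print(check_path(TABLES, "172.16.10.5", "192.168.2.50"))
    fixed = with_route(TABLES, "remote", "172.16.10.0/24", "s2s")
    print(check_path(fixed, "172.16.10.5", "192.168.2.50"))
```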

Thank you for the inputs and sorry for the missing reply.
I ended up changing the Client VPN to TAP, then I had no problems routing out to the remote site.

So you went from Layer 3 VPN to Layer 2? One way to get around a routing issue :)

I do use OpenVPN TAP as a Layer 2 VPN in some industrial (actually waste water utility) applications, as some of the “automagic” protocols the PLCs use are broadcast/multicast dependent and the systems integrator used does not have staff with extensive networking knowledge, so I just provide them a virtual private line between all locations, so all the PLCs appear to be on one LAN (we could make it work on a routed network, but it would be a lot of back and forth with them on configs, etc.)…

We use OpenVPN Layer 2 on pfSense. It works like a charm and gets you around issues with applications that are not designed to work across subnets.
It is not ideal for large implementations, as it carries all the broadcast traffic across, but it is OK for a small number of nodes.
