  1. #1
    Newbie
    Join Date
    May 2017
    Posts
    11

    Server Untangle rtr has issues connecting to client that is connected to rtr via VPN

    I have a client that is a small retail company. They have an Untangle router at the company office with OpenVPN configured for users to connect from home. They have recently updated their POS system to a server/client model. The system runs on a Windows environment. The POS systems in the store need to connect to the POS server at the home office for PLU downloads and polling (sending sales stats back to the home office). The stores all use the ISP modem/router and the company does not want to upgrade all these. We have set up OpenVPN clients on the POS system in the stores. The POS systems are able to connect to the POS server and download the PLUs and other items. The issue is with the polling. This actually happens from the server. It reaches out to the servers to download the info. The server can't see the POS systems. I can't ping any of the POS systems at any of the stores when the stores are connected to OpenVPN, but the sites can all ping the POS server. Is this able to be done with OpenVPN & Untangle outside of the limits?

    The company HQ has an IP scheme of 10.x.x.x and the VPN is giving out 172.x.x.x.

  2. #2
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,517


    I have good news, and I have bad news.

    The good news is, I know how to fix what you're dealing with. The bad news is... over time you're going to HATE IT. I HIGHLY recommend you upgrade the stores to use an Untangle in their defense so you can properly utilize site-to-site tunneling.

    But then again... I'd never host something like this in a home office either, I'd be putting it in Azure where it belongs...

    If you REALLY want to not use Untangle everywhere, or at least invest in something powerful enough to have OpenVPN on it, then you're really going to need an SDLAN solution. But I digress...

    The reason your server cannot access the clients is because you didn't export the OpenVPN address pool range, and very likely also have OpenVPN configured to NAT everything too.

    Apps -> OpenVPN -> Settings -> Server TAB (I recommend DISABLING the NAT OpenVPN Traffic box.) Beware... this will cause issues... more in a bit.

    On the Server tab are subtabs, one is Exported Networks, you need to export the OpenVPN address pool range. If you're unsure what it is, look left... it's in the Address Space box just above the NAT box I was talking about before.

    Now... about NAT.

    If you enable NAT, all OpenVPN software clients are seen by the Untangle protected network as Untangle itself.
    If you disable NAT, all OpenVPN software clients will be seen by the Untangle protected network as themselves.

    Generally, the latter behavior is desirable... HOWEVER. The Windows Firewall will by DEFAULT prevent any and all access to local services, including ICMP (ping), from any network that isn't local. That is to say, the same IP range the machine itself has. This means that to get this all to work you're going to have to muck with the Windows Firewall on both the server that houses this information as well as each register.

    THIS is the process that I was warning you about, it will suck up buckets of time to sort out, and then even more to maintain. Windows Firewall is notorious for simply losing its mind if it doesn't have group policy to control it. And given the scope of what you describe here, I have no reason to think you have a Domain Controller lying around.

    Which is why I mentioned SDLAN, because if you're going to do all this... you should probably simply ZeroTier it and move on.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
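
The Windows Firewall step described in the reply above, as an added example that is not part of the thread or of Untangle's own documentation. It assumes an elevated PowerShell session on the POS server and on each register, and it uses placeholder values for the OpenVPN address pool (the thread only says 172.x.x.x) and for the POS polling port (the thread does not name one); replace both with the real values shown in Untangle's Address Space box and in the POS vendor's documentation.

```powershell
# Added example (not from the thread). Run elevated on the POS server and on each register.
# PLACEHOLDERS - replace with your real values:
$VpnPool   = '172.16.0.0/12'   # ASSUMPTION: the OpenVPN Address Space shown in Untangle
$PosPort   = 5000              # ASSUMPTION: TCP port used by the POS polling traffic
$RuleGroup = 'POS over OpenVPN' # rule group so the rules can be audited/removed together

# 1. Allow ICMP echo (ping) inbound only from the VPN pool. With NAT disabled the
#    clients arrive with their own 172.x address, which Windows treats as non-local
#    and drops by default; scoping RemoteAddress keeps the hole limited to the tunnel.
New-NetFirewallRule -DisplayName 'POS VPN - ICMPv4 echo' -Group $RuleGroup `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $VpnPool -Profile Any -Action Allow

# 2. Allow the polling port inbound from the VPN pool only (not from any network).
New-NetFirewallRule -DisplayName "POS VPN - TCP $PosPort" -Group $RuleGroup `
    -Direction Inbound -Protocol TCP -LocalPort $PosPort `
    -RemoteAddress $VpnPool -Profile Any -Action Allow

# 3. Audit: every rule in the group should be enabled and list only the VPN pool.
#    Re-run this periodically; without Group Policy the rules can drift or be disabled.
Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        RemoteAddress = $addr.RemoteAddress
    }
}

# 4. From the server, confirm a register answers on the polling port across the tunnel.
#    ASSUMPTION: 172.16.0.10 is one register's VPN address.
Test-NetConnection -ComputerName 172.16.0.10 -Port $PosPort |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

`-Profile Any` matters here: Windows often classifies the OpenVPN TAP adapter as a Public network, so a rule scoped to the Domain or Private profile would never match tunnel traffic. Keeping the rules in one named group and restricting `RemoteAddress` to the pool is the least-privilege version of the change the reply describes: the server and registers become reachable from the tunnel, not from every non-local network.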

  3. #3
    Newbie
    Join Date
    May 2017
    Posts
    11


    Thanks for the info. I did have the VPN network already in the exported networks tab but didn't have NAT turned off. If only the POS could be configured to send the data to the server instead of the other way around.
