VPN routing question

I realize this is totally non-Hubitat related (except it kinda isn't) but this is the best place I have found to find willing people who answer questions.

I have two homes with an IPsec tunnel between them. Works great when I am at home to access the second site and when at the second site to get to home. I also have an OpenVPN client-to-site setup where I can remotely access either home or second home, but I have to select which one to connect to. I am hoping to configure it so if I connect to either site via OpenVPN I can also access the other site, without disconnecting from one and connecting to the other. I have tried to find the right term to describe what I am trying to do, but have failed to find it.

Split tunnel and VPN passthrough are two terms I have found, but don't appear to be what I am looking for, I think.

If it makes a difference, I am using a tp-link ER605 at each site. Site A has subnet 192.168.123.0/24 and site B has 192.168.250.0/24. When connected to site A I get an IP address in 192.168.124.0/24 and at site B I get one in 192.168.251.0/24. It seemed to me that if I extend the IPsec tunnel at site A to allow remote subnet 192.168.250.0/23 and at site B to allow remote subnet 192.168.123.0/23, that would allow traffic to pass, but it doesn't work. Suggestions?

I'm assuming from what you said that you are using the same TP-Link router to connect to remotely. So when you VPN in, it only sees its local network. Seems like the cleanest solution is to use the IPsec tunnel to connect your two homes and a SEPARATE VPN solution for remote access. I use a Raspberry Pi PiVPN to get remote access. You would only need to have it at one house, or the other. It would get you access to both homes as they both "appear" to be local to each site. You can use OpenVPN or WireGuard. I recently switched from the former to the latter. If you have a Pi this would be a very fast solution. It's an option and I'm quite confident it would work.
See: https://pivpn.io

Just putting these for organization. Let me know if something is wrong.

Site A:
192.168.123.0/24 - Local
192.168.124.0/24 - OpenVPN

Site B:
192.168.250.0/24 - Local
192.168.251.0/24 - OpenVPN

What subnet is the IPsec tunnel in?

Here is a crude drawing.

A and B can communicate between the LANs via the IPsec tunnel. The remote PC can either connect to A or B via OpenVPN, but not both at the same time. Connecting to A and then to B drops the connection to A, and vice versa.

I think I have the IPsec tunnel defined to allow the traffic from the extended subnets to pass, but it is being blocked by something. It may just not be possible to configure it this way, but don't know the magic googlese to find it.

Actually, I am trying to get rid of the Pi I am currently using WireGuard with.

Are there typos in the drawing?

You have 192.168.122.0/24 for the OpenVPN on Site B, but no mention of that in the first post. It also wouldn't be inside of 192.168.123.0/23.

Same thing for site A where you have 192.168.250.1/24.

Either way... assuming you're using the firewall feature on the router... I'd start looking there. It could simply be a policy that's blocking the connectivity.

Can you ping an IP at site B when using OpenVPN to site A?

Yup - typos. Both in first post and in drawing.
Actual setup:

I don't see any policy that would prevent this. There are no ACLs either.

No. I'm checking the routing table now to see if there is something there. Please, keep up the questions. It is making me think... And it kinda hurts.

Is your "remote PC" a Windows client? How are you testing?

Are you sitting at site A, with the VPN to site B open, and trying site A IPs?

Based on your picture I have to ask -- do you have two RPis with WireGuard? Your client is connecting via VPN to what exactly?

It's a Mac or iPad, neither works. I am currently remote, connecting to either A or B via OpenVPN.

RPis are not part of this problem. I am connecting to one or the other TP-Link router via OpenVPN.

Right. That's my point. I believe that if instead you connected to either one of the RPis it would work. I'm not sure that the site-to-site IPsec VPNs will route traffic properly to both tunnels. But, someone might prove me wrong. Why not try it?

Because I am getting rid of the RPis. This is really just a matter of saving myself a total of three clicks to change from one site to the other, so it's not a real big deal, just was hoping to simplify my work process.

When connected to OpenVPN, are you able to browse the internet from the site's WAN connection? Googling "what's my IP" while connected to the remote site will tell you for sure.

I asked about Windows, because it tries to do "intelligent" split tunneling which may not work. Not sure about the iOS implementation.

Maybe this would be easier if you could show your IPsec setup (obviously masking the key and public IPs). I'm wondering if the routers are blocking the OpenVPN subnets from accessing the tunnel.

Have you tried the push directive in the OpenVPN config? On the server.

i.e.

Sounded like a push route setting in your config. Try allowing both 255.0/24 and 122.0/24 on both servers for testing.
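Two things in this thread decide whether a client connected to one site's OpenVPN can reach the other site: the OpenVPN server has to push the peer site's routes to the client (the push directive suggested just above), and the IPsec traffic selectors at both ends have to include the OpenVPN client pools as well as the LANs (the /23 extension proposed in the first post). The Python below is an added example, not anything posted in the thread or shipped with the ER605; it uses the four /24s from the posts (after the typo correction) and assumes, as a labelled guess, that each site's local selector mirrors the remote one the poster described. It mimics the way a router form accepts a CIDR with host bits set, which is the detail that matters here: 192.168.123.0/23 is not an aligned prefix and is installed as 192.168.122.0/23, so the site A OpenVPN pool 192.168.124.0/24 is never inside the tunnel. It also goes a step beyond the thread by generating the push lines for each server.

```python
from ipaddress import ip_network

# Addressing as stated in the thread (LAN and OpenVPN client pool per site).
# These are the thread's values re-entered here, not taken from any config dump.
SITES = {
    "A": {"lan": ip_network("192.168.123.0/24"), "ovpn": ip_network("192.168.124.0/24")},
    "B": {"lan": ip_network("192.168.250.0/24"), "ovpn": ip_network("192.168.251.0/24")},
}


def normalize(cidr):
    """Return the prefix a router will actually install for a CIDR typed into a form.

    '192.168.123.0/23' has host bits set: a strict parser rejects it, while most
    router UIs silently mask it to 192.168.122.0/23. Mirror the lenient behaviour
    so the check reflects what the tunnel really carries.
    """
    return ip_network(cidr, strict=False)


def uncovered(selector, networks):
    """Subnets in `networks` that are not wholly inside the traffic selector."""
    sel = normalize(selector)
    return [n for n in networks if not n.subnet_of(sel)]


def check_tunnel_end(local_site, remote_site, local_selector, remote_selector):
    """Check one end of the IPsec tunnel.

    For VPN clients to cross the tunnel in both directions, the local selector
    must cover the local LAN plus the local OpenVPN pool, and the remote
    selector must cover the peer's LAN plus the peer's OpenVPN pool. Returns the
    subnets each selector misses (two empty lists mean this end is fine).
    """
    local_needed = [SITES[local_site]["lan"], SITES[local_site]["ovpn"]]
    remote_needed = [SITES[remote_site]["lan"], SITES[remote_site]["ovpn"]]
    return {
        "local_missing": uncovered(local_selector, local_needed),
        "remote_missing": uncovered(remote_selector, remote_needed),
    }


def push_routes(server_site, other_site):
    """OpenVPN server-side push lines so a client of `server_site` receives routes
    to the peer site's LAN and OpenVPN pool. The tunnel still has to carry that
    traffic, which is what check_tunnel_end verifies."""
    peer = SITES[other_site]
    return [f'push "route {n.network_address} {n.netmask}"' for n in (peer["lan"], peer["ovpn"])]


def overlapping_subnets():
    """Any pair of overlapping subnets would make the return path ambiguous."""
    nets = [n for site in SITES.values() for n in site.values()]
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    # The /23 remote selectors are the extension proposed in the first post; the
    # local selectors are an assumption (mirrored), since the post does not state them.
    proposals = {
        "A": dict(remote_site="B", local_selector="192.168.123.0/23", remote_selector="192.168.250.0/23"),
        "B": dict(remote_site="A", local_selector="192.168.250.0/23", remote_selector="192.168.123.0/23"),
    }
    print("overlapping subnets:", overlapping_subnets() or "none")
    for site, args in proposals.items():
        result = check_tunnel_end(site, **args)
        print(f"site {site}: local {args['local_selector']} -> {normalize(args['local_selector'])}, "
              f"remote {args['remote_selector']} -> {normalize(args['remote_selector'])}")
        print(f"  local selector misses:  {result['local_missing'] or 'nothing'}")
        print(f"  remote selector misses: {result['remote_missing'] or 'nothing'}")
        print("  server should push:")
        for line in push_routes(site, args["remote_site"]):
            print("   ", line)
```

Run as-is it reports that the site A pool 192.168.124.0/24 is outside both the site A local selector and the site B remote selector, while the site B side (192.168.250.0/23 is aligned and covers .250 and .251) is fine. The tidy fix is to list the four /24s explicitly as selectors rather than reach for a /23, which also keeps the tunnel from carrying more address space than it needs.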

Site A OpenVPN config

Site B OpenVPN config

Site A IPsec config

Site B IPsec config

You need an advanced option input to put in custom server commands. If your implementation doesn't have it, you're SOL.

I do have separate routing options.

Would either Static Route or Policy Route help?