SRX with OpenVPN: Can ping but can't access servers/services through tunnel

I didn’t want to necro this thread and I know it’s one thing I’m forgetting, but it’s pretty close to where I am.

Internal network for the SRX is 10.10.82.0/24

VPN network is 10.8.0.0/24 and is in an address book connected to the trust zone

set security address-book trust-ab address OpenVPNNet 10.8.0.0/24
set security address-book trust-ab attach zone trust

The VPN server’s IP is 10.10.82.11, and I have a static route on the SRX to point all traffic for the VPN network to this IP:

set routing-options static route 10.8.0.0/24 next-hop 10.10.82.11

My security policy from zone trust to zone trust is any any any permit

set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit

I can see the flow session when I ping:

Session ID: 3537, Policy name: trust-to-trust/4, Timeout: 2, Valid
  In: 10.10.82.6/2 --> 10.8.0.131/23;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 1, Bytes: 84,
  Out: 10.8.0.131/23 --> 10.10.82.6/2;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0,

but nothing when I try to reach an internal website.

So is the 10.8.0.0/24 network a kind of virtual network that’s inside the OpenVPN server? And then the OpenVPN server has a physical interface with 10.10.82.11 that talks to the SRX?

And then the destination IPs you want to connect to via OpenVPN are on the 10.10.82.0/24 network?

So what I had to do to make it work was add my home network to the trust address book

set security address-book trust-ab address OpenVPNNet 10.8.0.0/24
set security address-book trust-ab address home-net 10.10.82.0/24
set security address-book trust-ab attach zone trust

Or so I thought. It’s just not at all reliable.

Tried playing with this in ChatGPT for the hell of it and got it pretty close to the real config, as simple a stanza as this is. I think it comes down to the wording of the question you ask it (include all your statements), but I’m going to be out of a job in a few years from the looks of it… lol. If you haven’t checked it out, it’s something to play with…

Yes, it seems to work only after I jump on a machine I’m trying to reach and run a traceroute to the IP of the VPN client.

I think your problem is asymmetric routing. The OpenVPN server sends traffic directly to the target server since they are in the same subnet. But when the target server responds, it doesn’t know where 10.8.0.0/24 is and sends it to the gateway (SRX). The SRX sees that it gets only half of the communication and discards it by default.

I think the best solution would be to move the OpenVPN server to another subnet so that all traffic goes through the SRX. Or, if you don’t care about security, you can allow asymmetric traffic:

https://supportportal.juniper.net/s/article/SRX-How-to-selectively-disable-TCP-SYN-or-sequence-checking?language=en_US
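A way to confirm the asymmetric-routing diagnosis from the SRX side, as an added example that is not part of the thread: the script below parses `show security flow session` output in the format quoted above, flags sessions where the firewall saw the forward wing but zero reply packets, and checks whether one endpoint is a VPN client while the other shares the OpenVPN server's subnet (the case where the reply can bypass the SRX). The session text is constructed from the thread's example plus a made-up healthy TCP session for contrast; the VPN and server addresses are the ones given in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: session 3537 is the one-way ICMP session quoted in the
# thread; session 3601 is a made-up healthy HTTPS session for contrast.
SAMPLE = """\
Session ID: 3537, Policy name: trust-to-trust/4, Timeout: 2, Valid
  In: 10.10.82.6/2 --> 10.8.0.131/23;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 1, Bytes: 84,
  Out: 10.8.0.131/23 --> 10.10.82.6/2;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0,
Session ID: 3601, Policy name: trust-to-trust/4, Timeout: 1798, Valid
  In: 10.8.0.131/51522 --> 10.10.82.20/443;tcp, Conn Tag: 0x0, If: irb.0, Pkts: 12, Bytes: 1400,
  Out: 10.10.82.20/443 --> 10.8.0.131/51522;tcp, Conn Tag: 0x0, If: irb.0, Pkts: 10, Bytes: 6200,
"""

HEADER_RE = re.compile(r"Session ID: (\d+), Policy name: (\S+), Timeout: (\d+)")
WING_RE = re.compile(
    r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), .*?If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    iface: str
    pkts: int
    nbytes: int


@dataclass
class Session:
    sid: int
    policy: str
    timeout: int
    wings: dict = field(default_factory=dict)  # "In" / "Out" -> Wing


def parse_sessions(text: str) -> list:
    """Parse Junos flow-session text into Session objects (one per 'Session ID' block)."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            cur = Session(int(m.group(1)), m.group(2), int(m.group(3)))
            sessions.append(cur)
            continue
        m = WING_RE.search(line)
        if m and cur is not None:
            cur.wings[m.group(1)] = Wing(
                m.group(2), int(m.group(3)), m.group(4), int(m.group(5)),
                m.group(6), m.group(7), int(m.group(8)), int(m.group(9)),
            )
    return sessions


def is_one_way(s: Session) -> bool:
    """Forward wing carried packets but the firewall never saw a reply."""
    i, o = s.wings.get("In"), s.wings.get("Out")
    return bool(i and o) and i.pkts > 0 and o.pkts == 0


def bypass_risk(s: Session, vpn_net: str, vpn_server_if: str) -> bool:
    """True when one endpoint is a VPN client and the other sits in the
    OpenVPN server's own subnet, so the server can hand the reply to the
    host directly and the SRX sees only half the conversation."""
    i = s.wings.get("In")
    if i is None:
        return False
    clients = ipaddress.ip_network(vpn_net)
    server_lan = ipaddress.ip_interface(vpn_server_if).network
    ends = [ipaddress.ip_address(i.src), ipaddress.ip_address(i.dst)]
    return any(a in clients for a in ends) and any(a in server_lan for a in ends)


def suspect_sessions(text: str, vpn_net: str, vpn_server_if: str) -> list:
    """Session IDs that are both one-way and match the bypass topology."""
    return [s.sid for s in parse_sessions(text)
            if is_one_way(s) and bypass_risk(s, vpn_net, vpn_server_if)]


if __name__ == "__main__":
    for sid in suspect_sessions(SAMPLE, "10.8.0.0/24", "10.10.82.11/24"):
        print(f"session {sid}: no reply seen, likely asymmetric return via OpenVPN server")
```

Run it against a pasted `show security flow session` dump with the real VPN network and the OpenVPN server's interface address; a session that is one-way and matches the topology is the signature the last reply describes, and the clean fix is the one suggested there (put the OpenVPN server in its own subnet so both directions cross the SRX) rather than relaxing the SRX's flow checks.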