
Cannot access HTTPS/SSH through OpenVPN

netstudent88
Level 1

Hello,

I'm attempting to access my Cisco Catalyst 1000 switches through OpenVPN. However, the connection just keeps timing out. Am I being blocked locally from the switch? I never added anything on the switch, only the route in my OpenVPN configuration.

Do I need to allow access to the switch for my tunnel VPN?

My switch is on management VLAN 27

My tunnel network is currently UNTAGGED but just routed to my switch management VLAN. What is the best way to get access to the switches?

Accepted Solution

@netstudent88 If you want to access your Cisco Catalyst 1000 switches' GUI over OpenVPN, the key is ensuring the default gateway matches the correct VLAN for management traffic. Since your management VLAN is 81, setting the default gateway to an IP within that VLAN (like 10.0.81.1) was the right step, which is why it worked. The default gateway should point to the router handling traffic for the management VLAN, not necessarily the native VLAN. The native VLAN is used for untagged traffic on trunk ports, which doesn’t affect management access over VPN. So, your current setup is correct for GUI access via OpenVPN.


7 Replies

vishalbhandari
Spotlight

@netstudent88 Yes, you likely need to adjust your network settings to allow VPN access to the switch. Since your switch is on VLAN 27 and your VPN tunnel is untagged, ensure that the routing between the VPN network and VLAN 27 is correctly configured. Check if there's an ACL on the switch or upstream devices blocking the traffic. Also, confirm that the default gateway for VLAN 27 knows how to route traffic back to your VPN subnet. Adding a specific route on the switch or firewall to allow traffic from your VPN subnet to VLAN 27 should help.

Would it be possible for me to use the untagged native VLAN for my switch GUI? I have it currently set to 2. I have read that you're never supposed to use VLAN 1 for native. Then I wouldn't need to mess with the routes?

However, this is still really just VLAN 2, isn't it?

I found the issue and it fixed the problem. All my routes are fine and the VLAN tagging is happening as needed. It was that the default gateway was still set to 10.0.0.1. From my management VLAN 81 I could access my switches' GUI; however, I could not over OpenVPN. I thought setting this interface to DHCP with VLAN 81 would update the default gateway. I went and changed my default gateway and I could access my GUIs.

Is this the correct way to configure the switch if I want the GUI to be available over my mgmt VLAN?

This is the incorrect configuration. I changed the below to 10.0.81.1 and I was able to access my switch GUI over OpenVPN. However, this is not my native VLAN. My native VLAN is something else. Should this be set to my native VLAN?


interface Vlan81
 ip address dhcp
!
ip default-gateway 10.0.0.1
!
no ip http server
ip http banner
ip http authentication local
ip http secure-server
!

Hello @netstudent88 ,

routing happens at OSI layer 3.

802.1Q VLAN tagging happens at OSI layer 2

For an L2 switch with ip routing disabled the only way is to use the correct default gateway, which has to be a router or core multilayer switch that is able to route back to the source subnet of the OpenVPN remote access VPN.

Example: the OpenVPN server uses a pool of 192.168.150.0/24. When you connect with OpenVPN your PC gets an IP from that pool.

The switch default gateway has to be able to route back to 192.168.150.0/24 to provide bi-directional IP connectivity.


Usually this is called ensuring that you have a return path. It is a routing issue only; which VLAN the management SVI of the L2 switch is in is not important.

Use the 7 layers OSI model as a reference.

Hope to help

Giseppe
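As an added illustration of the return-path point above (example code written for this thread, not from any poster or from Cisco): a small Python model of an L2 switch with ip routing disabled replying to an OpenVPN client. It reproduces why 10.0.0.1 fails and 10.0.81.1 works, and also catches the second failure mode, a gateway router with no route back to the pool. The SVI lease 10.0.81.10/24 and the router's routing table are assumptions.

```python
from ipaddress import ip_address, ip_network, ip_interface

# Constructed values from the thread: OpenVPN pool, management SVI on
# VLAN 81 (the /24 lease is an assumption) and the gateway router's routes.
OPENVPN_POOL = ip_network("192.168.150.0/24")
MGMT_SVI = ip_interface("10.0.81.10/24")
ROUTER_ROUTES = {  # assumed routing table of the router at 10.0.81.1
    ip_network("10.0.81.0/24"): "connected",
    OPENVPN_POOL: "via the OpenVPN server",
}


def lookup(routes, dst):
    """Longest-prefix match, as a router does; None if no route covers dst."""
    matches = [net for net in routes if dst in net]
    return max(matches, key=lambda n: n.prefixlen, default=None)


def return_path_ok(client_ip, svi, default_gateway, router_routes):
    """Model an L2 switch (no ip routing) sending a reply to a VPN client.

    Returns (ok, reason). An L2 switch can only hand an off-subnet reply to
    its single default gateway, and it must ARP for that gateway on the SVI's
    own subnet. The gateway router then needs a route back to the pool.
    """
    client = ip_address(client_ip)
    gw = ip_address(default_gateway)
    if client in svi.network:
        return True, "client is on the management subnet; no gateway needed"
    if gw not in svi.network:
        return False, f"default gateway {gw} is not on {svi.network}; ARP for it never resolves"
    if lookup(router_routes, client) is None:
        return False, f"gateway router {gw} has no route back to {client}"
    return True, f"reply goes to {gw}, which routes it back to {client}"


if __name__ == "__main__":
    for gw in ("10.0.0.1", "10.0.81.1"):  # the OP's wrong and right gateway
        print(gw, return_path_ok("192.168.150.6", MGMT_SVI, gw, ROUTER_ROUTES))
```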


Thank you. Yes, but what is the purpose of this line? This specifies the address of the gui? How is this related to the gateway?

interface Vlan81
 ip address dhcp

Hello @netstudent88 ---
yes, you likely need to explicitly allow access to the management VLAN (VLAN 27) from your OpenVPN tunnel.