Help with teleport VPN and site-to-site VPN combined

I have a number of users on Teleport VPN and it works great for LAN assets. But we have a site-to-site for ERP and none of the Teleport users can connect to anything on that network. Firewall rules are incredibly confusing to me; how do I make it so Teleport users (on 192.168.2.x) can reach the S-T-S VPN subnet of 172.16.124.208/29? I can't find any info on this online anywhere :(

I was struggling with this myself trying to set up S2S. I ended up using Site Magic. Within that, it lets you share subnets easily, and it works with Teleport clients as well. I would highly recommend it.

As for the more manual S2S option… from what I found, if you don't create static routes for the subnets, the router is unaware of the subnets on the other end of the S2S VPN and tries routing traffic to the internet instead.

I got stuck here because I was able to create the routes and ping the remote router's management IP but could never ping clients on that subnet. Although, come to find out, Windows 11 doesn't like being pinged anymore, so it may have actually been working.

So I would research static routes. I would assume there would need to be a static route from 192.168.2.x to 172.16.124.208/29.

Thank you! I can't use Site Magic because the other end is a vendor network running Juniper stuff. And the S2S works fine if you're plugged into the local network; only the VPN clients can't reach it. It's not even an issue of pings not responding; I'd be fine if ICMP echo wouldn't pass through and everything else would, but zero traffic goes between them. I've looked at static routes, but the UI won't let me select the S2S as a destination.

Any luck with this? Currently in the same boat.

Ended up having to use L2TP VPN instead.

Interesting, my VPN clients connect via L2TP-PSK. My site-to-site is an IPsec connection. They refuse to talk.

Never mind, I was thinking of another site. We got around it by using a Win2012R2 RDS server to host the application that needs to speak to the IPsec connection.

That's what we're going to do as well. Can't waste any more time on this hardware.