Access to remote ipsec site from OpenVPN client

Hi!

I am having a hard time figuring out how openvpn clients (client to site) can access a remote network over an ipsec tunnel.

I have two sites, each site with an ipfire instance. They are connected by ipsec (192.168.1.0/24 and 192.168.10.0/24).

Traffic from green to green between those sites, works great.

But when I connect to one of the ipfires with an openvpn client, I can only reach green on that ipfire. I want to reach both.

I have successfully pushed routes to both green networks to the openvpn client. I can not see any drops in the firewall logs. I have also experimented with some firewall rules to make sure the openvpn client subnet is allowed on the "remote ipsec green subnet", but with no luck.

Is it possible to do somehow?

The IPSEC connection should be transparent and allowed once connected to the first LAN segment by openvpn. There have been a few instances of proper rules not working when crossing subnets, especially interested.

I would file a bug report.

hi,

do you try to push a route to our ipsec network in the section "Advanced server options"?
not sure it is the good way to do it but …

This should definitely work, but I tried this on my IPFIRE machine. Made it so openvpn access is allowed to local green subnet and remote IPSEC subnet but connections still fail to remote subnet.

Update - Tried making firewall rules pushing OVPN to IPSEC and vice versa using NAT forcing all to Green and not using NAT. None of the rules will work to access the remote subnet.


Fails.

Fails.

Hi!

Is there any solution to this?

I run into the same situation:

  • working IPSec VPN from green
  • roadwarriors using OpenVPN to green
  • pushing route to external IPSec subnet via OpenVPN
  • no ping result at all from OpenVPN client to host in ext. IPSec subnet
  • I tried some SNAT stuff but without any success

Someone has a hint?

Greetz

I hope the following IPFire documentation pages will be helpful

Regards

In your IPsec configuration have you added the OpenVPN subnet to the configuration?

I don’t use OpenVPN in IPF so I don’t know what firewall rules it generates, but it may also work if the OpenVPN subnet gets MASQUERADE’d in the POSTROUTING chain of the firewall.

Today I made a test so that the OpenVPN RoadWarrior client connected to IPFireA has a connection to the green IPFireB network
(IPFireA and IPFireB connected by IPsec tunnel)

I added an “OpenVPN subnet” from IPFireA to:
- IPFireA (IPsec tunnel settings) to the “Local subnet” field.
- IPFireB (IPsec tunnel settings) to the “Remote subnet” field

And it seems to be working.

edit
If the RoadWarrior client has an address from the “Static IP address pool” then enter this subnet.


Thanks for all the help.

But this does not work for me.

I guess because I can not “IPSec” the OpenVPN network, the remote site does not accept this. I can only use my green subnet.
So my guess was SNAT??

My Setup

  • Green: 192.168.2.0/24
  • IPSec Remote: 172.22.33.0/24
  • OpenVPN Roadwarrior Pool: 10.206.191.0/24
  • OpenVPN dynamic Pool: 10.206.190.0/24

On green I can connect to servers on the remote IPsec site.
Connecting via OpenVPN to green gives access to green servers.
I push the OpenVPN route to IPSec Remote.
I played with firewall rules (SNAT, DNAT) but on the OpenVPN client I can not even ping a single IPsec remote server, e.g. 172.22.33.209. The result is “remote network not available”.

Any advice?

Try adding to your IPsec tunnel local subnet 10.206.190.0/23 <> 172.22.33.0/24.

I can not add the OpenVPN subnet to the IPSec connection, because the remote site only accepts our green subnet but not our OpenVPN subnet.

Is this mandatory to work?

I thought SNAT will do the magic?

Thanks

IPsec is a weird beast and does some low level things to the packets in the kernel so it can bypass a lot of the firewall. I had a feeling SNAT (or MASQUERADE) would not work because of this.

Does your remote end allow you to add another tunnel definition, perhaps with the same credentials?

Another trick you can pull is to move your OpenVPN subnet adjacent to your LAN subnet. Then you just use one tunnel with IPsec with the larger subnet. e.g. if your LAN subnet is 172.16.0.0/24, make your OpenVPN subnet 172.16.1.0/24, then set up your IPsec tunnel with 172.16.0.0/23.
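The posts above (adding the OpenVPN subnet to the "Local subnet" / "Remote subnet" fields on both IPFires, the 10.206.190.0/23 <> 172.22.33.0/24 suggestion, and the adjacent-subnet trick) all come down to the same thing: a packet is only carried by the IPsec tunnel when a traffic selector on each end covers it. The script below is an added example, not IPFire code or anything posted in this thread; it models the selector fields with Python's `ipaddress` module, using the addresses given in the thread (the road-warrior client address 10.206.191.10 is constructed), and shows which configurations let a road-warrior reach 172.22.33.209.

```python
# Added example: models IPsec traffic selectors (the "Local subnet" /
# "Remote subnet" fields of an IPFire tunnel) to show why road-warrior traffic
# is not carried until the OpenVPN pool is covered on BOTH tunnel ends.
# Function and scenario names are this example's own, not IPFire's.
import ipaddress


def side_admits(selectors, src, dst):
    """True if this end has a (local, remote) pair covering src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(loc) and d in ipaddress.ip_network(rem)
               for loc, rem in selectors)


def tunnel_admits(side_a, side_b, src, dst):
    """src -> dst crosses the tunnel only if A admits it as local -> remote AND
    B admits the mirror image (dst is B's local, src is B's remote). A selector
    added on one end only does not help, which is the situation in the thread
    where the remote site accepts just the green subnet."""
    return side_admits(side_a, src, dst) and side_admits(side_b, dst, src)


def mirror(selectors):
    """The selector list the other end must carry for these to match."""
    return [(rem, loc) for loc, rem in selectors]


def aggregate(subnets):
    """Collapse adjacent subnets into the fewest covering networks, e.g.
    10.206.190.0/24 + 10.206.191.0/24 -> 10.206.190.0/23 (the /23 suggested
    above), or LAN 172.16.0.0/24 + OpenVPN 172.16.1.0/24 -> 172.16.0.0/23."""
    nets = [ipaddress.ip_network(n) for n in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Numbers from the thread
GREEN_A = "192.168.2.0/24"
OVPN_POOLS = ["10.206.191.0/24", "10.206.190.0/24"]
REMOTE = "172.22.33.0/24"
CLIENT = "10.206.191.10"   # constructed road-warrior address from the pool
TARGET = "172.22.33.209"   # remote server the poster tried to ping


def scenario_green_only():
    """Tunnel carries green <> remote only: road-warrior traffic is not covered."""
    a = [(GREEN_A, REMOTE)]
    return tunnel_admits(a, mirror(a), CLIENT, TARGET)


def scenario_local_only():
    """OpenVPN /23 added on IPFireA only; the remote admin kept green only."""
    ovpn = aggregate(OVPN_POOLS)[0]
    a = [(GREEN_A, REMOTE), (ovpn, REMOTE)]
    b = mirror([(GREEN_A, REMOTE)])
    return tunnel_admits(a, b, CLIENT, TARGET)


def scenario_both_ends():
    """OpenVPN /23 added as Local subnet on A and Remote subnet on B."""
    ovpn = aggregate(OVPN_POOLS)[0]
    a = [(GREEN_A, REMOTE), (ovpn, REMOTE)]
    return tunnel_admits(a, mirror(a), CLIENT, TARGET)


def scenario_adjacent():
    """Adjacent-subnet trick: one /23 selector covers LAN and OpenVPN clients,
    so the remote end needs only a single entry. Returns (supernet, reachable)."""
    supernet = aggregate(["172.16.0.0/24", "172.16.1.0/24"])[0]
    a = [(supernet, REMOTE)]
    return supernet, tunnel_admits(a, mirror(a), "172.16.1.25", TARGET)


if __name__ == "__main__":
    print("green only        :", scenario_green_only())
    print("pool on A only    :", scenario_local_only())
    print("pool on both ends :", scenario_both_ends())
    print("adjacent /23      :", scenario_adjacent())
```

The model covers selector matching only; it says nothing about SNAT, because translating the source to a green address happens in the firewall's own NAT chains, and the posters in this thread report that their SNAT attempts did not work with the IPsec processing in the kernel. The check a practitioner wants before a maintenance window is the `scenario_both_ends` one: the pool (or the aggregated /23) must appear as Local subnet on the road-warrior side and as Remote subnet on the far side, or the tunnel will not carry the traffic regardless of pushed routes.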

Yeah, that is exactly what i feel about this.

Can any dev confirm this??

Greetz and big Thanks!!!

Have you tried my trick of putting the subnets adjacent to each other.

No, I did not try that trick. It is charming, yes, but since this is a production system I need to set up a maintenance window to try this out…

Greetz

Yet another possibility is that RoadWarrior can be connected to multiple IPFires at the same time.

After adding multiple “virtual network adapters”, the RoadWarrior client can connect to multiple IPFires at one time.
