Accessing Fritzbox network through OpenVPN

I have a few difficulties setting up the following - I can’t access the other PCs via OpenVPN:

                          |--- Ipfire (red), with openVPN
 Internet --- Fritzbox ---| 
                |         |--- Ipfire (green)
           other PCs and NAS

So after forwarding port 1192 on the FritzBox to the Ipfire (red), a VPN tunnel can be established from outside my location. OpenVPN settings on the Ipfire are all standard settings.

But I am not able to access the other PCs that are connected to the Fritz-Box. How can I achieve that?

I already enabled access to GREEN in the client’s options under “Client has access to these networks on IPFire’s site”.

What else do I need to set up? Firewall rules on the Ipfire? Something on the Fritzbox?

Thanks for your help in advance!
Best wishes!

Solved, solution will follow


A firewall rule allowing all traffic from VPN to Green is necessary, as well as …

… As well as a static route on the Fritz Box routing all traffic to the VPN subnet through the Ipfire Green IP.

I would connect “other PCs and NAS” to the IPFire green network, not to the Fritzbox. This way you protect your PCs with IPFire.




I also agree with both of you.
However, I chose this setup to get the VPN up and running as quickly as possible.
This way no settings need to be changed (VOIP in the Fritz Box + additional VOIP server, Fritzbox site-to-site VPN needs to work as long as the IPfire is not fully configured, and so on).
So in principle, this setup can be changed to what you suggested.


I have a similar setup with OpenVPN Net-to-Net and 2 Ipfire Boxes and a Fritzbox at Home:
Site[A]-ipfire Office Public IP <-----> Site[b]-fritzbox with public IP / Site[b]-ipfire-red with IP: and Site[b]-Green:

However I had to create the following firewall rule on Site[A]-ipfire ( to access Site b Green ( network

Site A(ipfire) Source → Firewall: All / NAT: Source NAT: New source IP address: Green ( / Destination: OpenVPN Net-to-Net / Protocol: All ).

The rule will then appear in the "Outgoing Firewall Access" section of the Firewall Rules list.

Do you have the same setup? Because I’m not sure if this is correct (but it works for me :wink:)