Cannot allow packets from OpenVPN client to another: Source and destination are identical

Hello,

I want to be able to use WinRM to gather information from coworkers inside our Windows domain when I’m connected to the company’s network via OpenVPN. This does work for clients that are in the GREEN network, but packets to clients connected via OpenVPN are rejected:

Nov 27 14:55:15 atl-ipfire kernel: REJECT_FORWARD IN=tun0 OUT=tun0 MAC= SRC=10.119.127.26 DST=10.119.127.150 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=58564 DF PROTO=TCP SPT=54939 DPT=5985 WINDOW=64923 RES=0x00 SYN URGP=0

I tried to create a firewall rule that allows traffic for tcp port 5985 from OpenVPN to OpenVPN, but the GUI doesn’t allow this: “Source and destination are identical.”

While I agree that those two networks are the same, I still think that it should be possible to create a rule as apparently the packets are flowing through IPFire.

Is this a bug?
What would be a workaround or the correct way?

Best regards,
Lars

IPFire 2.27 (x86_64) - Core-Update 179
Default firewall behaviour (forward): blocked
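The kernel line above is the useful diagnostic: `IN=tun0 OUT=tun0` means the packet left the OpenVPN process into the kernel and was routed straight back into the same tunnel interface, so it had to pass the FORWARD chain where the default policy rejected it. The following is an added example, not code from the original post or from IPFire, that parses such netfilter log lines and picks out exactly those tun-to-tun "hairpin" rejects; the sample log lines are constructed (the first copies the entry from the post, the other two are made up for contrast), and the field names follow the standard netfilter LOG format shown in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log: line 1 reproduces the REJECT_FORWARD entry from the post,
# lines 2 and 3 are made-up entries (a VPN-to-GREEN forward, an INPUT drop on RED).
SAMPLE_LOG = """\
Nov 27 14:55:15 atl-ipfire kernel: REJECT_FORWARD IN=tun0 OUT=tun0 MAC= SRC=10.119.127.26 DST=10.119.127.150 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=58564 DF PROTO=TCP SPT=54939 DPT=5985 WINDOW=64923 RES=0x00 SYN URGP=0
Nov 27 14:56:02 atl-ipfire kernel: REJECT_FORWARD IN=tun0 OUT=green0 MAC= SRC=10.119.127.26 DST=192.168.10.5 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=58565 DF PROTO=TCP SPT=54940 DPT=445 WINDOW=64923 RES=0x00 SYN URGP=0
Nov 27 14:57:10 atl-ipfire kernel: DROP_INPUT IN=red0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.4 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# "kernel: <LOG prefix> KEY=VALUE KEY=VALUE ..."; bare flags such as DF or SYN have no "=".
_KERNEL_RE = re.compile(r"kernel: (?P<chain>[A-Z_]+) (?P<fields>.*)$")
_FIELD_RE = re.compile(r"(?<![A-Za-z])([A-Z]+)=(\S*)")


@dataclass
class FwEvent:
    chain: str      # the iptables LOG prefix, e.g. REJECT_FORWARD
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str
    dport: Optional[int]

    def is_vpn_hairpin(self) -> bool:
        # Same tun interface on both sides: OpenVPN handed the packet to the kernel,
        # and the kernel routed it straight back into the tunnel. That is the path
        # client-to-client traffic takes when OpenVPN does not switch it internally,
        # and it is the only case in which such traffic reaches the FORWARD chain.
        return self.in_if == self.out_if and self.in_if.startswith("tun")


def parse_event(line: str) -> Optional[FwEvent]:
    """Parse one netfilter LOG line; return None for lines that are not firewall logs."""
    m = _KERNEL_RE.search(line)
    if not m:
        return None
    kv: Dict[str, str] = dict(_FIELD_RE.findall(m.group("fields")))
    dport = int(kv["DPT"]) if kv.get("DPT") else None
    return FwEvent(
        chain=m.group("chain"),
        in_if=kv.get("IN", ""),
        out_if=kv.get("OUT", ""),
        src=kv.get("SRC", ""),
        dst=kv.get("DST", ""),
        proto=kv.get("PROTO", ""),
        dport=dport,
    )


def find_vpn_hairpins(log: str) -> List[FwEvent]:
    """Return every logged packet that was forwarded from a tun interface back into itself."""
    return [ev for ev in map(parse_event, log.splitlines()) if ev and ev.is_vpn_hairpin()]


if __name__ == "__main__":
    for ev in find_vpn_hairpins(SAMPLE_LOG):
        print(f"{ev.chain}: {ev.src} -> {ev.dst} {ev.proto}/{ev.dport} via {ev.in_if}")
```

Running it over a real `/var/log/messages` on the firewall shows at a glance whether the traffic you expected to flow between two roadwarriors is being routed through the kernel (and therefore subject to the forward policy) rather than switched inside OpenVPN.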

I’m afraid it may be difficult to help you without knowing the topology and addressing of your networks.

The link below leads to a topic that may be similar to your case.

Regards

To clarify: Company with IPFire running OpenVPN. Clients are roadwarriors, no site2site.

To clarify: also applies to roadwarriors. :wink:

Examples.
A. That’s your computer. So it’s connected via OpenVPN to Green.
B. That’s your AD Domain Controller. Should have a Green address.
C. That’s your co-worker computer, should be connected via OpenVPN.

Unless you’re not allowing connections between OpenVPN clients… the firewall should not be bothered at all, because it’s simply routing between clients in the same zone (OpenVPN) and on the same subnet (the OpenVPN subnet).

Otherwise, you should connect from A to B (or another AD server) using RDP then use WinRM to query C…

Ah, good point. I forgot about the “Advanced server options > Client-To-Client” option. Can’t test until later, but this should work. Thanks!

Up? You marked the answer as the solution, but… I would like to know if it’s really the solution. :wink:

My bad. Yes, after I enabled client-to-client I was able to use WinRM from one VPN client to another.

Yay. Glad to help.

Remember: allowing client-to-client communications also has… downsides.
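For reference, the toggle the thread settles on corresponds to the stock OpenVPN server directive `client-to-client`. The excerpt below is an added illustration, not IPFire’s generated configuration or anything posted in the thread; it assumes IPFire writes that directive into its OpenVPN server config when “Advanced server options > Client-To-Client” is enabled, and the subnet and port are placeholders.

```conf
# Added example (not IPFire's own config). Hypothetical server-side excerpt.
port 1194
proto udp
dev tun
server 10.119.127.0 255.255.255.0

# Client-To-Client disabled (the situation at the top of the thread):
# a packet from one roadwarrior to another is handed to the kernel, routed back
# into tun0 (IN=tun0 OUT=tun0 in the log) and hits the FORWARD chain, where the
# default "blocked" policy rejects it and the GUI will not accept an
# OpenVPN-to-OpenVPN rule.
#client-to-client

# Client-To-Client enabled (the fix the original poster confirmed):
# OpenVPN switches the traffic between connected clients internally, so it never
# enters the kernel and is never seen by IPFire's firewall rules or its logs.
client-to-client
```

The downside the last post alludes to follows from that second comment: once enabled, every connected roadwarrior can reach every service on every other roadwarrior, and none of that traffic is filtered or logged by the firewall, so host-based firewalls on the clients (and, for WinRM specifically, its own authentication and listener configuration) are what limits exposure.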