Cannot allow packets from OpenVPN client to another: Source and destination are identical


I want to be able to use WinRM to gather information from coworkers inside our Windows domain when I’m connected to the company’s network via OpenVPN. This does work for clients that are in the GREEN network, but packets to clients connected via OpenVPN are rejected:

Nov 27 14:55:15 atl-ipfire kernel: REJECT_FORWARD IN=tun0 OUT=tun0 MAC= SRC= DST= LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=58564 DF PROTO=TCP SPT=54939 DPT=5985 WINDOW=64923 RES=0x00 SYN URGP=0

I tried to create a firewall rule that allows traffic for tcp port 5985 from OpenVPN to OpenVPN, but the GUI doesn’t allow this: “Source and destination are identical.”

While I agree that those two networks are the same, I still think that it should be possible to create a rule as apparently the packets are flowing through IPFire.

Is this a bug?
What would be a workaround or the correct way?

Best regards,

IPFire 2.27 (x86_64) - Core-Update 179
Default firewall behaviour (forward): blocked

I’m afraid it may be difficult to help you, without knowing the topology and addressing of your networks.

The link below leads to a topic that may be similar to your case.


To clarify: Company with IPFire running OpenVPN. Clients are roadwarriors, no site2site.

To clarify: also applies to roadwarriors. :wink:

A. That’s your computer. So it’s connected via OpenVPN to Green.
B. That’s your AD Domain Controller. Should have a Green address.
C. That’s your co-worker computer, should be connected via OpenVPN.

Unless you’re not allowing connection between OpenVPN clients… Firewall should not be bothered at all because it’s simply routing between clients on the same zone (OpenVPN) and on the same subnet (OpenVPN subnet).

Otherwise, you should connect from A to B (or another AD server) using RDP then use WinRM to query C…

Ah, good point. I forgot about the “Advanced server options > Client-To-Client” option. Can’t test until later, but this should work. Thanks!

Up? You marked the answer as solution but… Would like to know if it’s really the solution :wink:

My bad. Yes, after I enabled client-to-client I was able to use WinRM from one VPN client to another.

Yay. Glad to help.

Remember. allowing client-to-client communications also have… downsides.