Connection to 2 different VPNs - support needed

Hi,

Network A (IP-Fire)
network 192.168.1.xxx

Network B (Raspberry behind Router)
local network 192.168.2.xxx
running an OpenVPN server?

Network C (Raspberry behind Router)
local network 192.168.3.xxx
running an OpenVPN server?

VPN connection from A to B and A to C at the same time needed, but not from B or C to resources of network A. I will reach all clients in B and C.
From my understanding, I don’t need a site-to-site, meaning two Roadwarrior connections to B and C. So I think I need two client connections (with two different tun interfaces) from network A, meaning the IPFire.

Is it possible to realize it in that way? If yes, how can I achieve it?
Hints and how-to would be appreciated.

Thanks in advance.

Hi,
if you want access to both networks in one connection, Net-2-Net is made for this. IPFire’s OpenVPN web UI does not provide regular client options (in Client-2-Net mode); nevertheless, you can configure via the “advanced client options” an option called “IPFire has access to these networks on the client’s site”, please RTFM --> https://wiki.ipfire.org/configuration/services/openvpn/config/client_conf .

Best,

Erik

Hi ummegge,
first of all I want to thank you for your response. Going into detail, I will mention that I will administer the networks B and C from the A side and prevent clients in B and C from reaching clients in A. Up to now, I’ve installed on the raspberries (in B and C) an OpenVPN server and reach them via an OpenVPN client (on a regular PC) from A. In your second option I would have to change them from servers into clients, right? Am I right to think that your first option with the net-2-net connection would be easier to realize?

Hi Little Falter,
you are welcome.

I am thinking so too. You would need to set up a p2p topology since N2N on IPFire operates in that mode; please then check the configuration file from IPFire to set it up correctly on your RasPis.

Best,

Erik

Ok, when I realize a net-2-net connection, e.g. A to B, and I only want to access resources in B. How can I prevent resources in A from being accessed from B?

Hi Little Falter,

that one should be easy. Just use the firewall, or in other words RTFM → wiki.ipfire.org - Filtering VPN networks .

What might be interesting for others: how did you now configure your RasPis to connect to IPFire’s N2N?

Best,

Erik

Hi,
it takes a little while until I’ve finished my configuration. But it seems you, and maybe other readers too, are interested in a howto. I’m not the creator, so I’m following the step-by-step from the IT-Kitchen blog (thanks to Peter Stanke). If you want, you can take a quick overview and please give feedback if something is explained wrongly or could be done better.

Regards

Little Falter

Hi Little Falter,

thanks for that, maybe it is useful for others.

OK, I am not really sure why he converts the PKCS#12 file to PEM since N2N does not use password protection for the *.p12. You can do this, but it is another step which you probably won’t need since the OpenSSL lib on a RasPi should be able to handle PKCS#12…
Another point which I currently do not understand is why he does not use the lowered privileges (--user and --group); without these entries the process runs as root, and this option is useful to protect the system!
The debugging options are a good start to set up the connection, but I somehow missed the drawback (enabling the daemon/writePID again), but maybe this was thought to be evident for others? Not sure about that…

Best,

Erik
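An added example, not from the thread, from IPFire or from the IT-Kitchen howto: a small Python checker that reads an OpenVPN client config of the kind the RasPi side of an N2N link would use and reports the points raised above (missing privilege drop, daemon/writepid left commented out after debugging, debug verbosity, topology). The option names are real OpenVPN options; the sample config, hostname and file paths are constructed.

```python
# Constructed RasPi-side config as the howto leaves it after debugging (added example).
SAMPLE_CONFIG = """\
dev tun
proto udp
remote ipfire.example.invalid 1194
pkcs12 /etc/openvpn/n2n-client.p12
topology p2p
persist-key
persist-tun
#daemon
#writepid /run/openvpn/n2n-client.pid
verb 5
"""
HARDENED_CONFIG = SAMPLE_CONFIG.replace("#daemon", "daemon").replace(
    "#writepid", "writepid").replace("verb 5", "verb 3\nuser nobody\ngroup nogroup")

def parse_config(text):
    """Split a config into active option -> args and names seen only commented out."""
    active, disabled = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] in "#;":
            words = line.lstrip("#; ").split()
            if words:
                disabled.add(words[0])
            continue
        words = line.split()
        active[words[0]] = words[1:]
    return active, disabled

def check_config(text):
    """Return the issues discussed in the thread; an empty list means none found."""
    active, disabled = parse_config(text)
    issues = []
    if "user" not in active or "group" not in active:  # process would keep root
        issues.append("runs as root: add 'user nobody' and 'group nogroup' "
                      "(keep persist-key/persist-tun so restarts still work)")
    for opt in ("daemon", "writepid"):  # the 'draw back' after debugging
        if opt not in active and opt in disabled:
            issues.append("'%s' still commented out from debugging" % opt)
    if int(active.get("verb", ["1"])[0]) > 3:
        issues.append("verb %s leaves debug logging on" % active["verb"][0])
    if active.get("topology") != ["p2p"]:  # IPFire N2N runs in p2p mode
        issues.append("IPFire N2N expects 'topology p2p'")
    return issues

if __name__ == "__main__":
    for issue in check_config(SAMPLE_CONFIG):
        print("-", issue)
```

Access from B into network A is not something the client config controls; that stays a job for the IPFire firewall rules, as Erik notes above.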

Thanks a lot for your comments and I agree with your concerns. So I would suggest finishing “his way” and getting it running. After that, I will try to fix your points. It’s just a PoC system, so I have no problem with resetting it and starting from point 0 in another way.

—Update—
By the way, I found a thread in the old IPFire forum where you discussed the same howto with somebody else :wink: a long time ago.

You’re welcome :slightly_smiling_face: .

Autsch… Gosh, I am getting older soon :eyes: but some questions seem to be timeless :woozy_face: .

If you have some news, just write them.

Best,

Erik