Network B (Raspberry behind Router)
local network 192.168.2.xxx
running an OpenVPN server?
Network C (Raspberry behind Router)
local network 192.168.3.xxx
running an OpenVPN server?
VPN connection from A to B and A to C needed at the same time, but not from B or C to resources in network A. I will reach all clients in B and C.
As I understand it, I don’t need a site2site, which means two Roadwarrior connections to B and C. So I think I need two client connections (with two different tun interfaces) from network A, meaning the IPFire.
Is it possible to realize it in that way? If yes, how can I achieve it?
Hints and how-to would be appreciated.
If you want access to both networks in one connection, Net-2-Net is made for this. IPFire's OpenVPN web UI does not provide regular client options (in Client-2-Net mode); nevertheless, you can configure via the “advanced client options” an option called “IPFire has access to these networks on the client’s site”, please RTFM --> https://wiki.ipfire.org/configuration/services/openvpn/config/client_conf .
First of all, I want to thank you for your response. Going into detail, I will mention that I will administer the networks B and C from the A side and prevent clients in B and C from reaching clients in A. Up to now, I’ve installed an OpenVPN server on the Raspberries (in B and C) and reach them via an OpenVPN client (on a regular PC) from A. In your second option I have to change them from servers into clients, right? Am I right in thinking that your first option with the net-2-net connection would be easier to realize?
It will take a little while until I’ve finished my configuration. But it seems you, and maybe other readers too, are interested in a howto. I’m not the creator, so I’m following the step-by-step from the IT-Kitchen blog (thanks to Peter Stanke). If you want, you can take a quick look, and please give feedback if something is explained wrongly or could be done better.
OK, I am not really sure why he converts the PKCS#12 file to PEM, since N2N does not use password protection for the *.p12. You can do this, but it is another step which you probably won't need, since the OpenSSL lib on a RasPi should be able to handle PKCS#12…
Another point which I currently do not understand is why he does not use the lowered privileges (--user and --group); without these entries the process runs as root. This option is useful to protect the system!
The debugging options are a good start to set up the connection, but I somehow missed the step back (enabling the daemon/writePID again), but maybe this was thought to be evident for others? Not sure about that…
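The two points raised in the post above (dropping privileges with --user/--group, and re-enabling daemon/writepid after debugging) can be checked mechanically. The following is an added example, not part of the thread or of the howto it discusses; the sample config, its file path, and the persist-key/persist-tun check are assumptions that go beyond what the thread states.

```sh
#!/bin/sh
# Added example (not from the thread): lint an OpenVPN config for the
# review points above. Sample config and paths are constructed.

# True if config $2 has an active (uncommented) line for directive $1.
has_directive() {
    grep -Eq "^[[:space:]]*$1([[:space:]]|\$)" "$2"
}

# Print one finding per line; return 0 if clean, 1 otherwise.
audit_ovpn_conf() {
    conf=$1 rc=0
    for d in user group; do
        has_directive "$d" "$conf" ||
            { echo "$d: missing, process keeps running as root"; rc=1; }
    done
    # Assumption beyond the thread: once privileges are dropped, a restart
    # may be unable to re-read the key or reopen tun without persist-*.
    for d in persist-key persist-tun; do
        has_directive "$d" "$conf" ||
            { echo "$d: missing, restart after privilege drop may fail"; rc=1; }
    done
    for d in daemon writepid; do
        has_directive "$d" "$conf" ||
            { echo "$d: missing, debug setup was not reverted"; rc=1; }
    done
    return "$rc"
}

# Constructed sample: a config left in its debugging state
# ('#' and ';' both start a comment in OpenVPN config files).
sample_debug_conf() {
    cat <<'EOF'
dev tun
proto udp
pkcs12 /etc/openvpn/n2n.p12
verb 5
;daemon
# writepid /var/run/openvpn.pid
EOF
}

tmp=$(mktemp)
sample_debug_conf > "$tmp"
audit_ovpn_conf "$tmp" || true
rm -f "$tmp"
```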
Thanks a lot for your comments, and I agree with your concern. So I would suggest finishing “his way” and getting it running. After that, I will try to fix your points. It’s just a PoC system, so I have no problem with resetting it and starting at point 0 in another way.
By the way, I found a thread in the old IPFire forum where you discussed the same howto with somebody else a long time ago.