Internal clients in Green not working over OVPN

Dear all
I did read a lot about similar issues in this forum but so far nothing worked for me.

My situation: the OVPN connection works all fine from my mobile to IPFire and then out to the internet. But I can’t connect to my internal clients in green, which are behind another firewall… I added an extra rule from Tun to Green to log the FW entries. There I see InputFW Src/Dst over UDP and DNS. But it does not work.

My setup:
Basic Router from the Telco with Port Forwarding to IPfire
IPfire as Firewall for IDS and OVPN (red to Basic Router, green to Synology)
Synology as DNS router and client management and firewall

My idea was that the Synology router blocks the DNS request from the IPFire. But even when I basically allow all traffic through the Synology firewall it does not work. I can’t ping any host other than IPFire itself. In the client config, “Client has access to these networks on IPFire’s site” Green is marked. What is missing? Thanks for any hint or ideas provided.

Thanks for any hint/help provided.

Sounds like your IPFire is just being used as a gateway.
IPFire knows nothing of the other clients.
You would need to add that info in IPFire.

Not sure of your setup.
Perhaps a drawing of some sort.

If you have another router behind IPF doing NAT then you’ll need more configuration. Assuming IPF Green and the Synology LAN are on different subnets, OpenVPN will need the Synology LAN added to it as an additional subnet. You will then need a static route in IPF to the Synology LAN via the Synology WAN. The Synology firewall would have to be set up to accept everything coming from either the OpenVPN subnets or from the IPF green interface, depending on whether IPF SNATs the incoming OpenVPN traffic (I don’t know this one, but you can try doing both, or you’ll need to examine the IPF firewall rules).

I am now 1 step closer… by unticking “Redirect-Gateway def1” in the server options a network scan delivers all related IP addresses. The funny part is I can’t ping them or connect, and DNS results in a timeout… How can this be?

All shields down on the Synology Firewall doesn’t change anything. Any additional idea(s)?

Is my understanding of your network correct with the Synology providing NAT?

Using “Redirect-Gateway def1” is a sledgehammer and requests the OpenVPN client to route all traffic through the VPN (although it can be blocked in the client). What you really want is to push a route to your Synology LAN (www.ipfire.org, Advanced server options). This should avoid the use of a sledgehammer.

Even if you put the shields down in the Synology, if it is performing NAT, you will need a static route in IPF as I mentioned earlier. Without that, all packets to the Synology LAN will be redirected out through Red, as it has no idea where the Synology LAN is. Any destination it does not explicitly know about through routes gets sent to the IPF WAN.
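
An added illustration, not part of the thread and not IPFire's own code: a small Python model of the two things this reply asks for, the pushed client route and the static route on IPFire. It does a longest-prefix lookup against a constructed IPFire routing table (all addresses below are made up) and shows that, without the static route, traffic for the Synology LAN falls through to the default route via red.

```python
import ipaddress
import re

# Constructed sample topology; none of these addresses come from the thread.
ROUTE_DEFAULT = (ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "red0")   # out to the Telco router
ROUTE_GREEN   = (ipaddress.ip_network("192.168.1.0/24"), None, "green0")       # IPFire green
ROUTE_TUN     = (ipaddress.ip_network("10.8.0.0/24"), None, "tun0")            # OpenVPN clients
# The static route the reply asks for: Synology LAN reachable via the Synology WAN address on green.
ROUTE_STATIC  = (ipaddress.ip_network("192.168.2.0/24"), "192.168.1.2", "green0")

CONF_BEFORE = 'redirect-gateway def1\n'                      # sledgehammer only
CONF_AFTER  = 'push "route 192.168.2.0 255.255.255.0"\n'     # route pushed to the client


def lookup_route(routes, dst):
    """Longest-prefix match as the kernel does it; returns (network, gateway, device)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, via, dev in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def pushed_routes(server_conf):
    """Networks the server pushes to clients with push "route <net> <mask>"."""
    nets = []
    for line in server_conf.splitlines():
        m = re.match(r'\s*push\s+"route\s+(\S+)\s+(\S+)"', line)
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets


def check_reachability(server_conf, ipfire_routes, target):
    """Return the findings that explain why a VPN client cannot reach `target`."""
    findings = []
    target = ipaddress.ip_address(target)
    if not any(target in net for net in pushed_routes(server_conf)):
        findings.append("no pushed route covers the target (client must rely on redirect-gateway)")
    route = lookup_route(ipfire_routes, target)
    if route is None or route[2] == "red0":
        findings.append("IPFire has no specific route for the target; default route sends it out via red")
    return findings


if __name__ == "__main__":
    base = [ROUTE_DEFAULT, ROUTE_GREEN, ROUTE_TUN]
    print(check_reachability(CONF_BEFORE, base, "192.168.2.10"))                   # two findings
    print(check_reachability(CONF_AFTER, base + [ROUTE_STATIC], "192.168.2.10"))   # []
```

The model does not cover the Synology firewall or whether IPFire SNATs the tunnel traffic; those still have to be checked on the devices themselves.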

You can set the DNS in the VPN config to your DNS server.

OK… understood… I will test it and inform you about any progress. Thanks for the information. I now need to study what that routes feature does.

Kr, Beat