OpenVPN access Lan2 thats connected by IPsec

I have two ipFires setup with a IPSEC tunnel between them:
Lan1 ↔ lan2

Everything working well, except, I have OpenVPn on Lan1. It connects fine and I can access everything on Lan1, but, I cannot access anything on LAN2. I have put rules in, I have added DNS, nothing works. Been at this all day… All I want is road warrior to connect to LAN1 through OpenVPn and be able to access Lan2 through the IPsec already setup.

any ideas? thanks for any help!

Welcome to the IPFire Community!

This might help:

Honestly I have no idea if it will help. But it does sound like it might.

no but thanks. Its a routing issue. If I remote desktop to LAN1, from there I can remote to any device on LAN2. This is becasue any device on LAN1 has DNS using the LAN1 router…

Its definitely a routing issue, just can’t figure it out. OpenVPN does not get to route past LAN1, yet I have tried every tpe of adding LAN2 subnet - with no luck…

Hypothesis 1: the problem is on the OpenVPN routing.

OpenVPN Configuration

OpenVPN needs to know that it should route the traffic for LAN2 through the IPsec tunnel. If you go to /Services/OpenVPN/Advanced Server Options, you should see the interface to “push” a route to the clients, where to specify that any traffic destined for LAN2 needs to be routed through the VPN tunnel, by push “route x.x.x.x”, where x.x.x.x` is the IP subnet of LAN2.

In alternative, you could manually add the route to the client configuration. This can be done by adding a line like route x.x.x.x in the client’s OpenVPN configuration file, where x.x.x.x is the IP subnet of LAN2…

If you want all traffic from the VPN clients to be routed through the VPN, you can use the redirect-gateway def1 command in your OpenVPN server configuration file.

Remember to restart your OpenVPN server after making these changes for them to take effect.

Hypothesis 2: The problem in on IPSEC routing.

IPSec Configuration

The IPsec tunnel should also be correctly set up to allow traffic from the OpenVPN subnet. Here are some general steps:

  1. Phase 2 Settings: In the IPsec configuration, there is typically a Phase 2 setting for every subnet you want to connect. If your OpenVPN clients are on a different subnet, you might need to add a new Phase 2 setting for the OpenVPN subnet. This setting should specify that traffic from the OpenVPN subnet should be routed through the IPsec tunnel towards LAN2.

  2. LeftSubnet and RightSubnet: These are options in IPsec’s configuration file (/etc/ipsec.user.conf). leftsubnet and rightsubnet describe the networks that are routed through the tunnel. You should ensure that these subnets include your OpenVPN subnet and LAN2.

  3. Routing: If IPsec and OpenVPN are on different machines, you need to make sure your network routing (possibly defined outside of IPsec settings) is correctly set up to direct traffic from the OpenVPN subnet to the IPsec gateway and vice versa.

After making these changes, you would typically need to restart or reload the IPsec service for the changes to take effect.

1 Like