OpenVPN will not pass GREEN interface

I’ve been working on getting IPFire’s OpenVPN to allow me to access my office network from home. I read several articles about setting up ‘road warrior’ access for Windows 10 using OpenVPN, such as the one on the IPFire Wiki and one from Ionos.

I am able to connect from home and see the GREEN interface address with ping, and I can use my web browser to access the IPFire admin pages using the GREEN address. But I cannot see anything else on the GREEN network. Everything I read tells me that I should be a member of the office network once connected from home, but I am not.

Is there a better, more understandable and clear web site I should read that explains how to set this up? Thanks!

EDIT: I was just looking at the client side OpenVPN log and I found this:

Successful ARP Flush on interface [14] {0BCD6FCA-7F36-4069-9D57-4BF2A288420D}
MANAGEMENT: >STATE:1585068976,ASSIGN_IP,,10.22.248.6,,,,
TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
MANAGEMENT: >STATE:1585068981,ADD_ROUTES,,,,,,
C:\WINDOWS\system32\route.exe ADD 10.22.248.1 MASK 255.255.255.255 10.22.248.5
ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Route addition via IPAPI succeeded [adaptive]
C:\WINDOWS\system32\route.exe ADD 192.168.42.0 MASK 255.255.255.0 10.22.248.5
ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Route addition via IPAPI succeeded [adaptive]
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Initialization Sequence Completed
MANAGEMENT: >STATE:1585068981,CONNECTED,SUCCESS,10.22.248.6,aa.bb.cc.ddd,pppp,192.168.1.6,50946

As I understand what I’ve been reading, I think my Windows client should have a valid route to the GREEN network at this point. I checked /etc/sysctl.conf on the IPFire machine to ensure net.ipv4.forward = 1 (it does).

I think what may be missing is the necessary routing between the private internal network for OpenVPN and the office network. Here’s the routing table from IPFire:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    0      0        0 red0
10.22.248.0     10.22.248.2     255.255.255.0   UG    0      0        0 tun0
10.22.248.2     *               255.255.255.255 UH    0      0        0 tun0
aa.bb.cc.ddd    *               255.255.255.248 U     0      0        0 red0
gateway         *               255.255.255.255 UH    0      0        0 red0
192.168.42.0    *               255.255.255.0   U     0      0        0 green0

I think the route is there, but I’m far from an expert on interpreting routing tables. So, any ideas what I have wrong?

EDIT2: One final note: I find that the Windows client is able to ping the GREEN interface address on the IPFire server, but (using a shell on the IPFire machine) I am unable to ping the connected Windows machine’s assigned address. Is that normal or a clue?

Does DNS work?

You say you can ping the IPFire machine by IP. Can you ping by its hostname?
There are settings on IPFire->OpenVPN->user->Advanced Client Options that allow you to redirect the gateway (should be enabled), and make sure GREEN is highlighted under “Client has access to these networks on IPFire’s site”. You may also want to add the IPFire network’s DNS servers under DNS1 and DNS2.

Pinging by the host name works even when I am not connected with OpenVPN, because the host name is what is published in our DNS – it pings the RED interface. I do not know how to have two host names, so that’s all I can do for that.

The documentation I was following said that the redirect option would cause all of the client’s internet traffic to pass through OpenVPN and then back out to the internet. I would prefer to just gain access to the office network, which the documentation says I can do without the redirect feature enabled. Is it wrong, poorly written, and/or am I just really, really confused?

Lastly, I would like to try the settings anyway, but right now I am outside the office and apparently I cannot change any of those settings while the OpenVPN server is running, and I cannot access them when it is not. I cannot find any documentation about where to find the appropriate config files on the system or what the settings would look like within them. If I could change the config files by hand, I would try that and then restart the server. I know that blasts my connection away, but I can reconnect (I have already tried the restart; I just cannot find what settings I need to manually add to try what you suggest.)

EDIT: FWIW, I cannot use setup at a root prompt to change DNS because none of those settings exist – despite what I keep finding on the ipfire wiki.

I’m back in the office and I have encountered a problem when trying to make the suggested changes: They refuse to save.

Well, the Redirect Gateway setting was saved, but any time I put anything in the “IPFire has access to…” input field or either of the DNS fields, clicking Save just returns me to the same screen, over and over. If I click Cancel just to get away from the screen and then return, none of the changes (except redirect) are shown, so I believe, not saved.

So I am totally stuck. Sigh.

I think that IPFire/OpenVPN will not do what I need. When my ‘road warrior’ clients connect, I want their computers to become part of the office network as full participating members, each with a valid local IP address. From what I’ve been reading, that requires using OpenVPN in bridge mode but IPFire only uses it in route mode (or something like that.)

If there IS a way to have each client (using host-to-net type connections) to be assigned an address on the network behind OpenVPN with IPFire, it is very unclear to me how this could be done. In fact, I have not found anything that explains how. I have found things that seem to imply it is possible but everything assumes I am expert level (or above) in IPFire, OpenVPN and everything else necessary. I am not.

This is exactly how OpenVPN works in our network. We have a domain controller with Active Directory and users who connect remotely can access all of their file shares, etc. It’s as if they are at work, only slower.

I built an OpenVPN server a few years back without IPFire that used bridged mode to make the road warrior computers visible to the office network. I have never succeeded at doing that using IPFire/OpenVPN, though. I have been unable to find a how-to or step-by-step instructions that can get me there with IPFire/OpenVPN. That’s not to say I haven’t found instructions for IPFire/OpenVPN, only that none of those I have followed have created the circumstances I need once a client is connected.

Out of curiosity, what is the latest version of IPFire? I thought the 2.25 core 142 that I downloaded a couple days ago was current, but I keep finding links to articles about using IPFire 2.9.1 and I even found a mention of a feature I think I could use in IPFire 3.x on the IPFire wiki. Where did all those other versions go or is this a case where 2.25 is actually newer than 2.9 (but still older than 3.x, I would guess)?

I haven’t had any issues with OpenVPN on IPFire. It just worked for me. Maybe you need to delete and create new users to get those other options to stick?

I basically just created users like I mentioned in my previous post, downloaded the config file, installed the community version of openvpn client, copied the config over and it worked.

Is your GREEN network a Workgroup or Domain?

Our GREEN is a workgroup.
I tried creating a new user with the settings and had the same results.
I have found several threads on various forums that talk about having the same issue, and the general consensus was that traffic from the OpenVPN network (10.22.248.x for me) to my GREEN network (192.168.42.x) results in responses that cannot be returned, because all of the GREEN computers use the real router for the GREEN network for any address outside their network. Perhaps there is some sort of NAT feature that I have managed to avoid using (but I didn’t see anything that looked like one), but that would still leave the OpenVPN clients invisible to things like Windows network browsing. The clients MUST be assigned an address ON the GREEN network. To do that, the GREEN interface must be in bridge mode, which is not the default, and other than the name, I can find little information about how that setting impacts OpenVPN.

Sorry. I think I’m ranting. I am very frustrated by docs that appear to say it should work just as you say while it refuses to do so for me. This is even when I VERY carefully follow the instructions for setting it up. BUT those instructions assume that I have a whole lot of knowledge about the process and never explain things the author thought were obvious. Plus, the current WUI doesn’t fully match the instructions at this time, so I am left wondering if I missed something because I cannot set some things because they are just not there.

Sorry. I’m going to give up and install Ubuntu Server and OpenVPN. I have been able to make that combination do what I need before. Hopefully I can do it again.

PS: I have also been trying IPSec and having the same amount of trouble with it - inaccurate/incomplete documentation leading to clients that can only PING other addresses on GREEN, but nothing else. I think it is more frustrating to be so close but with no way in sight to finally achieve the desired results. Sorry to say that, “it just worked for me” really doesn’t help much. I appreciate the sentiment, but… (smile) Thanks for trying.
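The return-path problem described a few posts up (VPN subnet 10.22.248.x can reach GREEN 192.168.42.x through IPFire, but the GREEN hosts send their replies to their own default gateway instead of back to IPFire) can be checked on paper by walking both routing tables with the same longest-prefix rule the kernel uses. The script below is an added example, not code from the thread or from IPFire. Its IPFire table is rebuilt from the one posted above; the RED addresses (203.0.113.x), IPFire’s GREEN address (192.168.42.254), the GREEN hosts’ default gateway (192.168.42.1, the thread’s “real router”) and the sample host 192.168.42.10 are assumptions. It also shows the two ways out that the thread circles around: a return route for the VPN subnet on the GREEN side, or source NAT of the VPN clients to IPFire’s GREEN address.

```python
"""Walk the routing tables on both ends of an IPFire OpenVPN road-warrior
link and show why GREEN hosts' replies can miss the VPN subnet.

Added example, not code from the thread or from IPFire.  The IPFire table
is rebuilt from the one posted in the thread; RED addresses (203.0.113.x),
the IPFire GREEN address (192.168.42.254) and the GREEN hosts' default
gateway (192.168.42.1, the "real router") are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    gateway: Optional[str]   # None = directly connected ("*" or 0.0.0.0 in `route` output)
    iface: str


def parse_route_table(text: str) -> List[Route]:
    """Parse `route -n`-style output: Destination Gateway Genmask Flags Metric Ref Use Iface."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 8 or "." not in parts[2]:   # header lines have no dotted Genmask
            continue
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
        if dest == "default":
            dest = "0.0.0.0"
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append(Route(net, None if gw in ("*", "0.0.0.0") else gw, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the rule the kernel applies to every packet."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.dest]
    return max(matches, key=lambda r: r.dest.prefixlen, default=None)


def next_hop(routes: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """(iface, next-hop IP) for dst; on a connected route the next hop is dst itself."""
    r = lookup(routes, dst)
    return None if r is None else (r.iface, r.gateway or dst)


def diagnose(ipfire_routes, host_routes, client_ip, host_ip, ipfire_green_ip):
    """Trace client -> host on IPFire and host -> client on the GREEN host.

    The path only works when IPFire sends the request out green0 AND the
    host's reply is handed to IPFire's GREEN address, not some other gateway.
    """
    fwd = next_hop(ipfire_routes, host_ip)
    rev = next_hop(host_routes, client_ip)
    return {
        "forward_iface": fwd[0] if fwd else None,
        "reply_via": rev[1] if rev else None,
        "symmetric": bool(fwd and rev and fwd[0] == "green0" and rev[1] == ipfire_green_ip),
    }


def with_return_route(host_routes, vpn_net, ipfire_green_ip, iface="eth0"):
    """Fix without NAT: the GREEN host (or its real router) gets a route for the
    VPN subnet pointing at IPFire, i.e. `route add 10.22.248.0/24 gw <ipfire>`."""
    return host_routes + [Route(ipaddress.IPv4Network(vpn_net), ipfire_green_ip, iface)]


# Constructed from the thread's IPFire table; RED values are documentation addresses.
IPFIRE_ROUTES = parse_route_table("""
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 red0
10.22.248.0     10.22.248.2     255.255.255.0   UG    0      0        0 tun0
10.22.248.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
203.0.113.0     0.0.0.0         255.255.255.248 U     0      0        0 red0
192.168.42.0    0.0.0.0         255.255.255.0   U     0      0        0 green0
""")

# Assumed table of a GREEN host whose default gateway is the "real router", not IPFire.
GREEN_HOST_ROUTES = parse_route_table("""
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.42.1    0.0.0.0         UG    0      0        0 eth0
192.168.42.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
""")

IPFIRE_GREEN = "192.168.42.254"   # assumed address of IPFire's green0
VPN_CLIENT, GREEN_HOST, VPN_NET = "10.22.248.6", "192.168.42.10", "10.22.248.0/24"

if __name__ == "__main__":
    print("as posted:    ", diagnose(IPFIRE_ROUTES, GREEN_HOST_ROUTES, VPN_CLIENT, GREEN_HOST, IPFIRE_GREEN))
    fixed = with_return_route(GREEN_HOST_ROUTES, VPN_NET, IPFIRE_GREEN)
    print("return route: ", diagnose(IPFIRE_ROUTES, fixed, VPN_CLIENT, GREEN_HOST, IPFIRE_GREEN))
    # SNAT alternative: the host sees IPFire's GREEN address as the source, so the
    # reply is on-link; the price is that the VPN client is no longer visible by its own IP.
    print("masqueraded:  ", diagnose(IPFIRE_ROUTES, GREEN_HOST_ROUTES, IPFIRE_GREEN, GREEN_HOST, IPFIRE_GREEN))
```

The first result reproduces the thread’s symptom: IPFire forwards out green0 (so pinging green0 itself works), but the host’s reply goes to 192.168.42.1 and never comes back over tun0. To confirm it on a live box, run tcpdump -ni green0 icmp on IPFire while the client pings a GREEN host: echo requests with no replies on green0 means the return path, not IPFire, is dropping them. Two caveats worth keeping in mind before concluding that only bridge mode will do: adding the return route on the real router (or making IPFire the GREEN default gateway) keeps the clients visible by their own 10.22.248.x addresses, whereas masquerading hides them; and on a workgroup, Windows Defender Firewall’s inbound file-sharing and echo rules are scoped to the local subnet by default, so a correctly routed off-subnet VPN client can still be ignored by the GREEN machines until that scope is widened to include the VPN subnet.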