I had this question in the past, but now we get an additional customer and it is getting more important.
Start:
We have an IPFire server with a 192.168.2.0/24 internal network running.
This machine handles the Ovpn road warrior connections with a 10.251.150/24 network.
The server also handles (at the moment) two IPSec net2net connections.
The users in the internal network can connect to the machines in the IPsec networks and the machines in the IPSec networks can connect to the machines in the internal network. The road warriors can also connect to the internal machines.
In the IPsec connection settings I set the local network and the OVPN network addresses, separated by comma, as local network. On the IPsec router I set the internal and the OVPN network as remote network.
The Ovpn server pushes the two IPsec networks as additional networks.
On the IPFire server I created two firewall rules:
Rule 1:
from: “standard-network - OVPN”
NAT - source-NAT - green Interface IP
to: IPsec-network - one of the remote networks
protocol: all
Rule 2:
from: IPsec-network - the remote network
NAT - source-NAT - green Interface IP
to: “standard-network - OVPN”
protocol: all
Now I connect as road warrior and check my routes:
Kernel IP Routentabelle
Ziel Router Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 600 0 0 wlo1
10.234.16.0 10.251.150.5 255.255.255.0 UG 50 0 0 tun0
10.234.72.0 10.251.150.5 255.255.248.0 UG 50 0 0 tun0
10.251.150.1 10.251.150.5 255.255.255.255 UGH 50 0 0 tun0
10.251.150.5 0.0.0.0 255.255.255.255 UH 50 0 0 tun0
192.168.2.0 10.251.150.5 255.255.255.0 UG 50 0 0 tun0
Looks good, all networks are known and should be routed over the tun interface.
If I try to connect to a server in the 10.234.72.0/21 network from the road warrior:
ssh: connect to host 10.234.73.21 port 22: Network is unreachable
A traceroute shows this:
traceroute to 10.234.73.21 (10.234.73.21), 30 hops max, 60 byte packets
1 10.251.150.1 (10.251.150.1) 46.993 ms 94.990 ms 94.977 ms
2 10.251.150.1 (10.251.150.1) 94.952 ms !N 94.922 ms !N 94.888 ms !N
→ the OVPN connection is used.
From the internal network the connection is working.
Any ideas, or do you need additional info to get an overview of what I have done or where my mistake is?
Not yet, but I am running precisely the same setup, using OpenVPN for road warriors, and IPsec to connect several organisation sites/headquarters to each other.
I will dig deeper into this and get back to you…
Have you added your networks as CUSTOMFORWARD rules to /etc/sysconfig/firewall.local? This is a must for this to work; it’s not possible to make it work through the GUI only.
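What such a firewall.local could look like for the networks in this thread, as an added example (not posted by anyone in the thread and not IPFire's own template text): it assumes IPFire's CUSTOMFORWARD chain, the stock start/stop/reload layout of /etc/sysconfig/firewall.local, 10.251.150.0/24 as the full road-warrior prefix, and a hypothetical IPTABLES_CMD override so the rules can be printed instead of applied on a machine without iptables.

```shell
#!/bin/sh
# /etc/sysconfig/firewall.local (IPFire private firewall rules), extended
# with CUSTOMFORWARD rules between the OpenVPN road-warrior network and
# the two IPsec net-to-net remote networks from the thread.
# Assumption for dry runs: IPTABLES_CMD=echo prints the rules instead of
# applying them.
IPT="${IPTABLES_CMD:-iptables}"

OVPN_NET="10.251.150.0/24"                   # road-warrior network
IPSEC_NETS="10.234.16.0/24 10.234.72.0/21"   # net2net remote networks

# Print one iptables command per direction and per IPsec network.
# $1 is the iptables action: -A (add on start) or -D (remove on stop).
custom_forward_rules() {
    action="$1"
    for net in $IPSEC_NETS; do
        echo "$IPT $action CUSTOMFORWARD -s $OVPN_NET -d $net -j ACCEPT"
        echo "$IPT $action CUSTOMFORWARD -s $net -d $OVPN_NET -j ACCEPT"
    done
}

# Run every generated command. The rules are limited to the listed
# networks, so nothing else in FORWARD is opened.
apply_custom_forward() {
    custom_forward_rules "$1" | while read -r cmd; do
        $cmd
    done
}

# See how we were called (stock firewall.local layout).
case "$1" in
  start)
        apply_custom_forward -A
        ;;
  stop)
        apply_custom_forward -D
        ;;
  reload)
        $0 stop
        $0 start
        ;;
  *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac
```

Run `IPTABLES_CMD=echo sh firewall.local start` to see the four rules before applying them, and `/etc/sysconfig/firewall.local reload` (or a firewall restart) afterwards so the rules are loaded alongside the GUI rules.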
If I understand it right, my failure was that I was thinking I had to put a rule either in the GUI OR in the local script, but I have to do it in both places.
And again thank you → problem solved and learned something
Well no, this is undocumented. The “hub and spoke” only applies to ipsec nets, but that won’t work alone with OpenVPN – if I were to be guessing, because of the multi-IP-hopping of OpenVPN (every client consumes four addresses). I found this solution a few years ago in an old forum post somewhere, I think in the old German forum, and I can no longer find it.
So it was hard for you to guess the solution indeed