I cannot figure out how to route traffic from the OpenVPN network that wants to access ORANGE to the IPFire interface, since Let's Encrypt is running there with its certificates and nginx as a reverse proxy.
Scenario A (how it should work):
1. Client on OpenVPN → Firewall → google.
2. Client on OpenVPN → Firewall → firewall-internal Let's Encrypt nginx → ORANGE
Scenario B (setup with no rules or routes), both are:
1. Client on OpenVPN → Firewall → google.
2. Client on OpenVPN → Firewall → ORANGE (doesn't work because it needs the Let's Encrypt certificate)
Scenario C (setup with one static route using the firewall RED interface as gateway):
1. Client on OpenVPN → Firewall → Firewall RED interface → google
2. Client on OpenVPN → Firewall → Firewall RED interface → Internet → Firewall RED interface → ORANGE
Scenario D (using push routes to the firewall RED interface):
Could not get it working at all; the OpenVPN client could not apply it.
Scenario E (using NAT):
Could not figure out how to redirect the destination to the firewall interface, since there is no option for that.
I want to avoid Scenario C. It does work, but I think it's not good to reroute it out, even if I avoided a potentially insecure Wi-Fi.
In your scenario E, let’s assume you have a service group named ‘WEB’ that specifies the TCP protocol for ports 80 and 443. You can configure the firewall as follows:
Source: OpenVPN network
NAT: Choose ‘Destination NAT’
Destination: Select ‘Firewall (all)’
Protocol: Choose ‘Preset,’ then select the service group ‘WEB’
By setting it this way, the traffic from the OpenVPN network should be destination NATed to the firewall itself. Once it reaches the firewall, nginx should intercept it according to the Let's Encrypt settings. Can you confirm why this setup is not working as expected?
@jon Yes, I read through it, but since I had never set anything up like that (and won't do it very often) I am not understanding the details. That's why I am looking for a hint.
@cfusco Thanks. Unfortunately I can confirm that this is not working. It is like Scenario B, only the other way around. New Scenario F:
1. Client on OpenVPN → Firewall → google (doesn't work because Let's Encrypt intercepts and, due to HSTS, no connection is possible)
2. Client on OpenVPN → Firewall → ORANGE (works)
I kind of understand this outcome.
I need some way to route destinations differently. Not all web traffic should go to the firewall interface, only the traffic whose destination would be ORANGE. But I can still experiment a little with nginx to see whether rerouting to the internet is possible.
The new idea is very much appreciated.
Same behaviour as Scenario B.
Scenario G (Rule: Source: OpenVPN network, NAT: None, Destination: RED, Protocol: 'Preset HTTP/HTTPS'):
1. Client on OpenVPN → Firewall → google (works)
2. Client on OpenVPN → Firewall → ORANGE (doesn't work because it needs the Let's Encrypt certificate)