Reroute specific destination IP from OpenVPN to Firewall interface

Hi community,

I have a RED/GREEN/ORANGE setup and OpenVPN.

I cannot figure out how to route traffic from the OpenVPN network that wants to access ORANGE to the IPFire interface, since there is letsencrypt running with its certificates and nginx as reverse proxy.

Scenario A (how it should work):
1. Client on OpenVPN → Firewall → google
2. Client on OpenVPN → Firewall → Firewall internal letsencrypt nginx → ORANGE

Scenario B (setup where there are no rules or routes), both are:
1. Client on OpenVPN → Firewall → google
2. Client on OpenVPN → Firewall → ORANGE (doesn't work because it needs the letsencrypt certificate)

Scenario C (setup where there is one static route to the Firewall RED interface as gateway):
1. Client on OpenVPN → Firewall → Firewall RED interface → google
2. Client on OpenVPN → Firewall → Firewall RED interface → Internet → Firewall RED interface → ORANGE

Scenario D Using push routes to Firewall RED interface:
Could not get it working at all; the OpenVPN client could not apply it.

Scenario E Using NAT:
Could not figure out how to redirect Dest to the Firewall Interface since there is no option for that.

I want to avoid Scenario C. It does work, but I think it's not good to reroute it out, even if I avoided a potentially insecure Wifi.

Thank you.

Hi, any ideas or more details needed?

Hi @florom - this is way over my head.
:exploding_head:

Hopefully someone will step in to help.

Have you read through the various OpenVPN wiki pages?

In your scenario E, let’s assume you have a service group named ‘WEB’ that specifies the TCP protocol for ports 80 and 443. You can configure the firewall as follows:

  • Source: OpenVPN network
  • NAT: Choose ‘Destination NAT’
  • Destination: Select ‘Firewall (all)’
  • Protocol: Choose ‘Preset,’ then select the service group ‘WEB’

By setting it this way, the traffic from the OpenVPN network should be destination NATed to the firewall itself. Once it reaches the firewall, NginX should intercept it according to the LetsEncrypt settings. Can you confirm why this setup is not working as expected?

Hi all,

Thanks for the replies.

@jon Yes, I read through it, but since I had never set anything up like that (and won't do it very often) I am not understanding the details. That's why I am looking for a hint.

@cfusco Thanks. Unfortunately I can confirm that this is not working. It is like Scenario B, only the other way around. New Scenario F:

Scenario F (Rule: Source: OpenVPN network, NAT: 'Destination NAT', Destination: 'Firewall (all)', Protocol: 'Preset HTTP/HTTPS')

1. Client on OpenVPN → Firewall → google (doesn't work because letsencrypt intercepts and, due to HSTS, no connection is possible)
2. Client on OpenVPN → Firewall → ORANGE (works)

I kind of understand this outcome.
I need some way to route destinations differently. Not all web should go to the firewall interface only those which destination would be ORANGE. But still I can experiment a little bit with NginX if there is a rerouting to the internet possible.
The new idea is very much appreciated.

To address this issue, you may need to add a rule preceding the NAT configuration to allow traffic directed to the red interface:

  • Source: OpenVPN network
  • NAT: None
  • Destination: RED
  • Protocol: Choose ‘Preset,’ then select the service group ‘WEB’
  • Policy: Allow

Please test this configuration and let me know if it resolves your issue. Good luck.

@cfusco Thanks again. Will test that most likely sunday morning and report back.

Hi @cfusco ,

Same behaviour as Scenario B.
Scenario G (Rule: Source: OpenVPN network, NAT: None, Destination: RED, Protocol: 'Preset HTTP/HTTPS')
1. Client on OpenVPN → Firewall → google (works)
2. Client on OpenVPN → Firewall → ORANGE (doesn't work because it needs the letsencrypt certificate)

Unfortunately :frowning:

Is this rule the same one you created before, as shown in the quote below?

No, the NAT is different: First with “None” second is with “Destination NAT”
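As an added illustration (not code from this thread or from IPFire), here is a small first-match model of the rule sets discussed above. It reproduces the Scenario F and G outcomes and shows what the requirement "only ORANGE-bound web should go to the firewall interface" looks like as a rule set. The subnets, the firewall's tunnel-side address and the internet host are constructed placeholders, and treating the rule table as ordered first-match is an assumption of the model.

```python
# Added example: first-match model of the OpenVPN -> ORANGE rule sets.
# All addresses below are constructed placeholders, not from the thread.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Set

OPENVPN = ip_network("10.8.0.0/24")     # constructed OpenVPN client subnet
ORANGE = ip_network("192.168.2.0/24")   # constructed ORANGE subnet
FIREWALL = ip_address("10.8.0.1")       # constructed firewall address on the tunnel
GOOGLE = "142.250.74.78"                # constructed stand-in for an internet host
WEB = {80, 443}                         # the 'WEB' / HTTP+HTTPS service group


@dataclass
class Rule:
    src: IPv4Network                    # source network the packet must come from
    dst: Optional[IPv4Network]          # destination network, None means "any"
    ports: Set[int]                     # TCP destination ports covered by the rule
    nat_to: Optional[IPv4Address] = None  # destination-NAT target, None = plain allow


def evaluate(rules, src, dst, port):
    """Return the address the packet is finally delivered to (first matching rule wins),
    or None when no rule matches."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if src in r.src and (r.dst is None or dst in r.dst) and port in r.ports:
            return r.nat_to if r.nat_to is not None else dst
    return None


# Scenario F: DNAT all web traffic from OpenVPN to the firewall itself.
scenario_f = [Rule(OPENVPN, None, WEB, nat_to=FIREWALL)]
# Scenario G: the plain allow rule (NAT none) on its own; 'Destination: RED' is
# approximated here as "any destination".
scenario_g = [Rule(OPENVPN, None, WEB)]
# Requirement stated in the thread: DNAT only ORANGE-bound web to the firewall,
# everything else passes through unchanged.
narrowed = [Rule(OPENVPN, ORANGE, WEB, nat_to=FIREWALL), Rule(OPENVPN, None, WEB)]


def outcomes(rules):
    """Where a client on OpenVPN ends up for an internet host and an ORANGE host."""
    return {"google": str(evaluate(rules, "10.8.0.5", GOOGLE, 443)),
            "orange": str(evaluate(rules, "10.8.0.5", "192.168.2.10", 443))}


if __name__ == "__main__":
    for name, rules in [("F", scenario_f), ("G", scenario_g), ("narrowed", narrowed)]:
        print(name, outcomes(rules))
```

In the F output both flows land on the firewall (hence the HSTS failure for google), in G neither does, and the narrowed set sends only the ORANGE-bound request to the firewall's nginx.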