Traverse Net-to-Net VPN from Road Warrior

With OpenVPN, you can have one router connected to another via a "Net-to-Net" (N2N) connection. This connection is established at startup (generally) and is maintained at all times (as long as both routers are on), connecting both networks over an encrypted connection. This is commonly used to connect branch offices which may be geographically separated.

"Road Warrior" VPN connections are designed to connect a single machine to a network instead of connecting two networks.

In some cases, you would like a Road Warrior connection to have access to a remote network over an N2N. One example would be giving technical support access to a branch office only through a Road Warrior connection to the main office. Tech Support then would only have access to a single network (the home office), but through it, could then access branch offices.

N2N networks commonly have the concept of a server and client, but the terms are interchangable below. Below, client is the remote network you want to get to, and server is the network you are connecting through (via a Road Warrior connection).

These steps are for IPFire 2.17R89, but are applicable to any OpenVPN setup.

Quick Instructions

These instructions assume the following:
192.168.5.0/24 OpenVPN Subnet of Road Warrior Connections
192.168.6.0/24 LAN subnet on client site
192.168.7.0/30 Subnet of N2N connection
192.168.7.2 IP Address of Server's side of N2N Connection
  • On server firewall
  • Set up Static IP address pools and some default routes. NOTE: OpenVPN must be stopped to do this.
    • Service | OpenVPN
      • Advanced Server Options
      • Add remote subnet to Route push options, 192.168.6.0/24
      • Save
    • Create a static IP address pool
      • Static IP Address Pools button
      • Name: Something you want to call this, like "Techs"
      • Subnet: some unused subnet, 192.168.5.0/24
      • Click Save button
    • Start OpenVPN Server
    • Place vpn client into that pool
    • Edit Client
    • Choose new network
    • Click Save
    • Add firewall rules to allow a connection
    • Firewall | Firewall Rules
      • Add new rule to give tech's access
      • Source = OpenVPN networks, choose static address pool you defined above
      • NAT = unchecked
      • Destination = OpenVPN Net-to-Net, choose the OpenVPN Net-to-net you want access to
      • Protocol = All (or limit to your desires)
      • Accept
    • Apply Changes
  • On client firewall, add a static route back to server
  • Network | Static Routes
  • Add remote route to get back to server.
    • Host IP Address/Network = Road Warrior subnet, 192.168.5.0/24
    • Gateway = IP address of Server's N2N connection, 192.168.7.2
    • This can actually be either side of the connection
      • You can verify the IP address by logging into the server and doing ifconfig

Discussion

Most of the modifications are made on the server. Since the client doesn't know anything about Road Warrior connections on the server, you need to set a static route back so client LAN machines can reply.

For security, we'll deny access to anyone except a small group, "Techs" in this case. Thus, we can allow normal vpn users access to the server's network, but only members of the techs group can access the client site this way.

Note!
Standard vpn users can still make an ssh, vnc or rdp connection to a machine in the server lan and, from there, access the remote machines. Additional firewall rules would be required to block this.

On the server, you create a static pool of IP addresses for the tech's, and you assign the tech's to that. When they Road Warrior vpn to the server's network, they have the same capabilities as everyone else but we can add the capability to connect to the remote site also.

1.a.I tells the server OpenVPN to push routes to all Road Warrior clients, allowing them to access the remote site. 1.1.2 then creates the static pool for the techs, and 1.2 assigns them to it.

1.c creates a firewall rule to allow tech's to make this route

At this point, you can generate traffic to the client network, but the client network does not know which route to take to respond. Thus, in 2, we build a static rule.

Note that for safety, you could add an additional firewall rule under 1.3 that specifically forbids non-tech's to access the client network. However, since the client network only knows how to return to the tech's subnet, that is not an issue. However, if you wanted to add this rule, make it the last rule in the firewall with the following parameters:

  • Source = Standard Networks - OpenVPN
  • NAT = unchecked
  • Destination = Open VPN Net-to-Net
  • Protocol = All
  • Drop
Edit Page ‐ Yes, you can edit!
Last changed by cfusco, March 21, 2022 View Older Revisions