With OpenVPN, you can have one router connected to another via a “Net-to-Net” (N2N) connection. This connection is established at startup (generally) and is maintained at all times (as long as both routers are on), connecting both networks over an encrypted connection. This is commonly used to connect branch offices which may be geographically separated.
“Road Warrior” VPN connections are designed to connect a single machine to a network instead of connecting two networks.
In some cases, you would like a Road Warrior connection to have access to a remote network over an N2N. One example would be giving technical support access to a branch office only through a Road Warrior connection to the main office. Tech Support would then only have access to a single network (the home office), but through it could reach the branch offices. N2N networks commonly have the concept of a server and a client, but the terms are interchangeable below. Below, client is the remote network you want to get to, and server is the network you are connecting through (via a Road Warrior connection).
These steps are for IPFire 2.17R89, but are applicable to any OpenVPN setup.
These instructions assume the following:

| Address | Meaning |
| --- | --- |
| 192.168.5.0/24 | OpenVPN subnet of Road Warrior connections |
| 192.168.6.0/24 | LAN subnet on the client site |
| 192.168.7.0/30 | Subnet of the N2N connection |
| 192.168.7.2 | IP address of the server's side of the N2N connection |
Most of the modifications are made on the server. Since the client doesn't know anything about Road Warrior connections on the server, you need to set a static route back so client LAN machines can reply.
For security, we'll deny access to everyone except a small group, “Techs” in this case. Thus, normal VPN users are allowed access to the server's network, but only members of the Techs group can reach the client site this way. Note: standard VPN users can still make an SSH, VNC or RDP connection to a machine in the server LAN and, from there, access the remote machines. Additional firewall rules would be required to block this.
On the server, you create a static pool of IP addresses for the techs and assign the techs to it. When they connect to the server's network as Road Warriors, they have the same capabilities as everyone else, but we can additionally give them the ability to connect to the remote site.
1.a.I tells the server's OpenVPN to push routes to all Road Warrior clients, allowing them to reach the remote site. 1.1.2 then creates the static pool for the techs, and 1.2 assigns them to it.
1.c creates a firewall rule that allows the techs to use this route.
At this point, you can generate traffic to the client network, but the client network does not know which route to take to respond. Thus, in 2, we build a static route back.
Note that for safety, you could add an additional firewall rule under 1.3 that specifically forbids non-techs from accessing the client network. However, since the client network only knows how to return traffic to the techs' subnet, that is not an issue. If you still want to add this rule, make it the last rule in the firewall with the following parameters.
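The following Python model is an added illustration, not part of the original page or of IPFire: it checks the reasoning above by simulating the server's forward rules and the client site's routing table for a tech and for a normal Road Warrior user, with and without the optional deny rule. The /25 tech pool and the client addresses are constructed example values.

```python
import ipaddress

# Addressing plan from the page; the /25 tech pool is a constructed example value.
RW_SUBNET     = ipaddress.ip_network("192.168.5.0/24")    # all Road Warrior clients
TECH_POOL     = ipaddress.ip_network("192.168.5.128/25")  # static pool assigned to "Techs"
CLIENT_LAN    = ipaddress.ip_network("192.168.6.0/24")
N2N_SERVER_IP = ipaddress.ip_address("192.168.7.2")       # next hop seen from the client site


def server_forward_verdict(src, dst, deny_rule=False):
    """Server-side forwarding policy, first match wins.
    Rule 1 is step 1.c (techs may reach the client LAN); the optional last rule
    is the explicit 'no other Road Warrior may reach the client LAN' rule.
    Assumption: traffic matching no rule is accepted, i.e. the permissive case."""
    rules = [(TECH_POOL, CLIENT_LAN, "ACCEPT")]
    if deny_rule:
        rules.append((RW_SUBNET, CLIENT_LAN, "DROP"))
    for rule_src, rule_dst, verdict in rules:
        if src in rule_src and dst in rule_dst:
            return verdict
    return "ACCEPT"


# Client-site routing table after step 2: the LAN is on-link and the static route
# back (via the server's N2N address) covers only the tech pool, not all of 192.168.5.0/24.
CLIENT_ROUTES = {CLIENT_LAN: None, TECH_POOL: N2N_SERVER_IP}


def client_has_return_route(rw_addr):
    """True if the client site can route a reply to this Road Warrior address."""
    return any(rw_addr in net for net in CLIENT_ROUTES)


def reachable(src_ip, dst_ip, deny_rule=False):
    """Return (request forwarded by the server, reply routable at the client).
    The connection only works end to end when both are True."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    forwarded = server_forward_verdict(src, dst, deny_rule) == "ACCEPT"
    return forwarded, client_has_return_route(src)


if __name__ == "__main__":
    for who, ip in (("tech", "192.168.5.130"), ("normal user", "192.168.5.10")):
        for deny in (False, True):
            fwd, ret = reachable(ip, "192.168.6.20", deny_rule=deny)
            print(f"{who:12} deny_rule={deny!s:5} forwarded={fwd!s:5} reply_routable={ret}")
```

Without the deny rule a normal user's packets are forwarded but get no replies; with it they are dropped on the server, which is the defence-in-depth the last paragraph describes.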