Net2Net Routing Question

Longun
Posts: 9
Joined: January 6th, 2012, 12:08 am

Net2Net Routing Question

Post by Longun » December 7th, 2017, 9:22 am

Hi All,

I've got two IPFires set up in two sites. One at home and one in my office. I'm using them to learn and play. What I want to do though is ensure all traffic at work is routed back over the Net2Net VPN and out to the internet via my Internet connection and not break out locally at work, which is how it's working by default.

I've tried adding a 0.0.0.0 route to the IPfire at work to send all traffic down the VPN but it doesn't like a 0.0.0.0.

Is this a possible setup and what's the best way to get the routing set up?

Quick overview of GW setup:

IPF1 Home
10.10.10.1

IPF1 VPN
172.16.1.1

IPF2 VPN
172.16.1.2

IPF2 Work
10.20.20.1

ummeegge
Community Developer
Posts: 4454
Joined: October 9th, 2010, 10:00 am

Re: Net2Net Routing Question

Post by ummeegge » December 7th, 2017, 1:23 pm

Hi Longun,
did you use OpenVPN and if so, did you try "--redirect-gateway" instead? This option does not exist in the N2N WUI, but you can write it into the configuration after it has been imported/generated.

Greetings,

UE

Longun
Posts: 9
Joined: January 6th, 2012, 12:08 am

Re: Net2Net Routing Question

Post by Longun » December 7th, 2017, 1:40 pm

Hi UE,

I've not used --redirect-gateway as I assumed that was for a device to firewall connection rather than a net2net firewall to firewall connection. It is in the global configuration. I'll try turning it on, or is it a case of editing the configuration files manually to enable the option for net2net?

Thanks

Joe.

ummeegge
Community Developer
Posts: 4454
Joined: October 9th, 2010, 10:00 am

Re: Net2Net Routing Question

Post by ummeegge » December 7th, 2017, 2:16 pm

Hi Joe,
you're welcome.
Longun wrote:
December 7th, 2017, 1:40 pm
as I assumed that was for a device to firewall connection rather than net2net firewall to firewall connection
I am currently not sure what that means in relation to your statement before -->
Longun wrote:
December 7th, 2017, 9:22 am
What I want to do though is ensure all traffic at work is routed back over the Net2Net VPN and out to the internet via my Internet connection and not break out locally at work, which is how its working by default.
If you want "all traffic at work" to be routed via your Internet connection <-- (I assume at home), I am currently not sure what you mean by "a device to firewall connection"?
Longun wrote:
December 7th, 2017, 1:40 pm
or is it a case of editing the configuration files manually to enable the option for net2net?
yes it is. The N2N configuration files differ from the server.conf (Roadwarrior only) since these are different instances. You need to adapt the N2N configs manually under /var/ipfire/ovpn/n2n/{connectionname}/{connectionname.conf} and restart the N2N instance after modification.

Greetings,

UE

Longun
Posts: 9
Joined: January 6th, 2012, 12:08 am

Re: Net2Net Routing Question

Post by Longun » December 7th, 2017, 3:15 pm

ummeegge wrote:
December 7th, 2017, 2:16 pm
Hi Joe,
you're welcome.
Longun wrote:
December 7th, 2017, 1:40 pm
as I assumed that was for a device to firewall connection rather than net2net firewall to firewall connection
I am currently not sure what that means in relation to your statement before -->
Longun wrote:
December 7th, 2017, 9:22 am
What I want to do though is ensure all traffic at work is routed back over the Net2Net VPN and out to the internet via my Internet connection and not break out locally at work, which is how its working by default.
If you want "all traffic at work" to be routed via your Internet connection <-- (I assume at home), I am currently not sure what you mean by "a device to firewall connection"?
Sorry, by Device to Firewall I mean OpenVPN Road Warrior, which I'm not using. I'm using OpenVPN Net to Net. Bad explanation on my part.
ummeegge wrote:
December 7th, 2017, 2:16 pm
Longun wrote:
December 7th, 2017, 1:40 pm
or is it a case of editing the configuration files manually to enable the option for net2net?
yes it is. The N2N configuration files differ from the server.conf (Roadwarrior only) since these are different instances. You need to adapt the N2N configs manually under /var/ipfire/ovpn/n2n/{connectionname}/{connectionname.conf} and restart the N2N instance after modification.

Greetings,

UE
Thanks for the info on the configuration file.

This is how mine currently looks. Can you advise what I need to add/edit to get it working?

Thanks again for your assistance.

Server Configuration

# IPFire n2n OpenVPN Server Config by ummeegge and m.a.d

# User Security
user nobody
group nobody
persist-tun
persist-key
script-security 2
# IP/DNS for remote Server Gateway
float
# IP addresses of the VPN Subnet
ifconfig 172.16.1.1 172.16.1.2
# Client Gateway Network
route 10.20.20.0 255.255.255.0
up "/etc/init.d/static-routes start"
# tun Device
dev tun
#Logfile for statistics
status-version 1
status /var/run/openvpn/NET2NET-n2n 10
# Port and Protocol
port 3434
proto udp
# Packet size
tun-mtu 1500
fragment 1300
mssfix
# Auth. Server
tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem
# Cipher
cipher AES-256-CBC
# HMAC algorithm
auth SHA512
# Debug Level
verb 3
# Tunnel check
keepalive 10 60
# Start as daemon
daemon NET2NETn2n
writepid /var/run/NET2NETn2n.pid
# Activate Management Interface and Port
management localhost 3434

Client Configuration

# IPFire n2n OpenVPN Client Config by ummeegge and m.a.d
#
# User Security
user nobody
group nobody
persist-tun
persist-key
script-security 2
# IP/DNS for remote Server Gateway
remote joseph-baldwin.co.uk
float
# IP addresses of the VPN Subnet
ifconfig 172.16.1.2 172.16.1.1
# Server Gateway Network
route 10.10.10.0 255.255.255.0
# tun Device
dev tun
#Logfile for statistics
status-version 1
status /var/run/openvpn/-n2n 10
# Port and Protocol
port 3434
proto udp
# Packet size
tun-mtu 1500
fragment 1300
mssfix
ns-cert-type server
# Auth. Client
tls-client
# Cipher
cipher AES-256-CBC
pkcs12 /var/ipfire/ovpn/certs/NET2NET.p12
# HMAC algorithm
auth SHA512
# Debug Level
verb 3
# Tunnel check
keepalive 10 60
# Start as daemon
daemon NET2NETn2n
writepid /var/run/NET2NETn2n.pid
# Activate Management Interface and Port
management localhost 3434
# remsub 10.20.20.0/255.255.255.0
# Logfile
status-version 1
status /var/run/openvpn/NET2NET-n2n 10
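
Added example, not code from this thread, from IPFire, or from ummeegge's linked topic: a POSIX shell helper that appends "redirect-gateway def1" to the N2N client config on the side that has the "remote" line (IPF2 at work above), idempotently and with a backup, which is the "--redirect-gateway" change ummeegge suggested. The config path under /var/ipfire/ovpn/n2n/ and the restart of that N2N instance come from the thread; the function name, exit codes and the sample config in the test are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from IPFire.
# Appends "redirect-gateway def1" to an OpenVPN N2N *client* config so the
# site running it (IPF2 at work in the thread) sends its default route through
# the tunnel. "def1" installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which
# win over the existing 0.0.0.0/0 route without replacing it (a plain 0.0.0.0
# route is what the WUI refused). OpenVPN also keeps a host route to the peer
# named in "remote" via the original gateway, so the tunnel endpoint itself is
# not pulled into the redirect.
set -eu

# Usage: add_redirect_gateway /var/ipfire/ovpn/n2n/NAME/NAME.conf
# Prints "added" or "present"; writes NAME.conf.bak before changing anything.
# Returns 1 for a missing file, 2 when the file looks like the server side.
add_redirect_gateway() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such config: $conf" >&2; return 1; }
    # Only the side that dials out (has a "remote" line) should redirect its
    # gateway; doing it on the tls-server side at home would push the home
    # site's default route into the tunnel as well.
    if ! grep -q '^remote ' "$conf"; then
        echo "refusing: no 'remote' line in $conf (server side?)" >&2
        return 2
    fi
    # Idempotent: do not stack a second directive on repeated runs.
    if grep -q '^redirect-gateway' "$conf"; then
        echo present
        return 0
    fi
    cp "$conf" "$conf.bak"
    printf '# Route all traffic from this site through the tunnel\nredirect-gateway def1\n' >> "$conf"
    echo added
}

# Run against a config path when invoked directly; afterwards restart that N2N
# instance (the thread's own step) so OpenVPN re-reads the file.
[ $# -eq 0 ] || add_redirect_gateway "$1"
```

The home side still has to accept and NAT the 10.20.20.0/24 traffic out of its RED interface, which is the firewall step trymes mentions below; this script does not touch the home firewall.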

trymes
Posts: 649
Joined: February 9th, 2011, 4:10 pm
Location: New England, USA

Re: Net2Net Routing Question

Post by trymes » December 7th, 2017, 4:18 pm

I'd be using IPSec for this, but OpenVPN ought to work, too.

Set the default gateway for the devices behind IPFire at work to be the router at your home. That way it will send outbound traffic over the VPN tunnel to reach that gateway. You may need to enable the home IPFire's firewall to permit that traffic out.

Longun
Posts: 9
Joined: January 6th, 2012, 12:08 am

Re: Net2Net Routing Question

Post by Longun » December 7th, 2017, 7:48 pm

trymes wrote:
December 7th, 2017, 4:18 pm
I'd be using IPSec for this, but OpenVPN ought to work, too.

Set the default gateway for the devices behind IPFire at work to be the router at your home. That way it will send outbound traffic over the VPN tunnel to reach that gateway. You may need to enable the home IPFire's firewall to permit that traffic out.
Thanks for the info. I did consider this, but I'd have to stretch my VLAN over the WAN and that'd mean broadcast traffic over the VPN, which I'd rather avoid as bandwidth is limited. It should fit my needs though.

I'll take a look at IPsec though as I'd not thought of using that.

ummeegge
Community Developer
Posts: 4454
Joined: October 9th, 2010, 10:00 am

Re: Net2Net Routing Question

Post by ummeegge » December 10th, 2017, 7:34 pm

Hi all,
Longun wrote:
December 7th, 2017, 3:15 pm
Can you advise what I need to add/edit to get it working?
you can find an example snippet of the config changes here --> viewtopic.php?t=14204. This topic is in German, but the config changes should be readable; if you nevertheless need something translated, let me know.

Greetings,

UE

Longun
Posts: 9
Joined: January 6th, 2012, 12:08 am

Re: Net2Net Routing Question

Post by Longun » December 12th, 2017, 10:02 am

ummeegge wrote:
December 10th, 2017, 7:34 pm
Hi all,
Longun wrote:
December 7th, 2017, 3:15 pm
Can you advise what I need to add/edit to get it working?
you can find an example snippet of the config changes here --> viewtopic.php?t=14204. This topic is in German, but the config changes should be readable; if you nevertheless need something translated, let me know.

Greetings,

UE
Hi UE,

Perfect. Does exactly what I needed. Many thanks for all the assistance :D

ummeegge
Community Developer
Posts: 4454
Joined: October 9th, 2010, 10:00 am

Re: Net2Net Routing Question

Post by ummeegge » December 13th, 2017, 4:50 pm

You're welcome,
good to hear that everything works as expected :) .

Greetings,

UE

Longun
Posts: 9
Joined: January 6th, 2012, 12:08 am

Re: Net2Net Routing Question

Post by Longun » December 14th, 2017, 8:37 pm

trymes wrote:
December 7th, 2017, 4:18 pm
I'd be using IPSec for this, but OpenVPN ought to work, too.

Set the default gateway for the devices behind IPFire at work to be the router at your home. That way it will send outbound traffic over the VPN tunnel to reach that gateway. You may need to enable the home IPFire's firewall to permit that traffic out.
As a test I shut down OpenVPN and set up IPsec. Quick and easy setup. Same question as before, as I'm using all this to learn. How can I get site B to route all its traffic over the IPsec tunnel?

I've set the remote site to 0.0.0.0/0 to try and force everything over the link, but it doesn't seem to work. Any other thoughts?

Thanks :D

trymes
Posts: 649
Joined: February 9th, 2011, 4:10 pm
Location: New England, USA

Re: Net2Net Routing Question

Post by trymes » December 14th, 2017, 8:39 pm

Did you set the gateway address to be the gateway on the far side of the tunnel?

Tom

Longun
Posts: 9
Joined: January 6th, 2012, 12:08 am

Re: Net2Net Routing Question

Post by Longun » December 15th, 2017, 8:18 am

Not at the moment. Currently they are still on separate network segments. I got OpenVPN to work perfectly, so this is just a curiosity.

Currently Site A (Home) and Site B (Work) are connected with IPsec, but the only thing site A can see is the IPFire at Site B, so the VPN is up and working. So I'm thinking the routing above is working but I've got to sort the firewall rules to allow traffic.

trymes
Posts: 649
Joined: February 9th, 2011, 4:10 pm
Location: New England, USA

Re: Net2Net Routing Question

Post by trymes » December 15th, 2017, 2:56 pm

Unless you do something to limit it, the firewall does not block any traffic across an IPSec tunnel. However, only traffic that meets the traffic selectors defined in the tunnel setup (remote and local subnets) will be routed across the tunnel. If the PC you're trying to send traffic from is using the local IPFire as its gateway, it will continue to send outbound traffic through that host.

Seeing as this is a non-standard config for IPFire, you're probably best reviewing the StrongSwan docs to find an example of how to achieve this.

Tom
