How to route traffic from OpenVPN to Site-to-Site IPSec (vice-versa) on VyOS

Hello, I have two tunnels connected to a VyOS router - one is OpenVPN and the second is a traditional Site-to-Site IPSec tunnel.

(10.24.33.0/24) Network A ---- (OpenVPN) ---- VyOS ---- (VPN/IPSec) ---- Network B (192.168.44.0/24).

Public Internet (eth0, 51.15.17.11) — VyOS — Network C (eth1, 192.168.33.1/24)

I have successfully created tunnels from Network A to VyOS and from Network B to VyOS.

OpenVPN configuration:

    openvpn vtun10 {
        encryption {
            cipher aes256
        }
        local-port 1194
        mode server
        openvpn-option duplicate-cn
        persistent-tunnel
        protocol udp
        server {
            push-route 192.168.33.0/24 {
            }
            push-route 192.168.44.0/24 {
            }
            subnet 10.24.33.0/24
        }
        tls {
            ca-cert-file /config/auth/ovpn/ca.crt
            cert-file /config/auth/ovpn/Server-01.crt
            dh-file /config/auth/ovpn/dh.pem
            key-file /config/auth/ovpn/Server-01.key
        }
        use-lzo-compression
    }

Site-to-Site configuration:

    site-to-site {
        peer 11.12.13.14 {
            authentication {
                mode pre-shared-secret
                pre-shared-secret ****************
            }
            connection-type initiate
            ike-group SiteSCW-ike
            ikev2-reauth inherit
            local-address 10.68.82.75
            tunnel 0 {
                allow-nat-networks disable
                allow-public-networks disable
                esp-group SiteSCW-esp
                local {
                    prefix 192.168.33.0/24
                }
                remote {
                    prefix 192.168.44.0/24
                }
            }
        }
    }

When I connect to the OpenVPN server (51.15.17.11), I'm able to ping/access only devices on the 192.168.33.0/24 subnet, but I need access to devices on the 192.168.44.0/24 network, which is on the other end of the Site-to-Site tunnel.

In the same way, I cannot ping an OpenVPN device from any device behind 192.168.44.0/24, but at the same time I can easily ping from 192.168.44.0/24 to 192.168.33.0/24.

I'm not sure why there is no routing between the vtun10 and eth1 interfaces by default. How could I solve the routing issue between the tunnels?

Thanks.

Hi @janiisi, do you have any NAT or firewall rules? Did you try to monitor traffic on each interface when you ping from client A to client B?

An additional question: why do you push the route 192.168.33.0/24 to your OpenVPN clients? I think this route should be available via the allocated client IP, or am I missing something?

Hi @Dmitry, no, I have nothing in the firewall or NAT, just to make sure they do not interfere. If I remove the route 33.0/24 from the OpenVPN server, I cannot ping anything on 192.168.33.0/24 either.

Output from monitor traffic interface vtun10:

    vyos@scw-vyos-vpn-test:~$ monitor traffic interface vtun10
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vtun10, link-type RAW (Raw IP), capture size 262144 bytes
    16:42:26.262687 IP 10.24.33.10 > 192.168.44.3: ICMP echo request, id 38784, seq 545, length 64
    16:42:27.257008 IP 10.24.33.10 > 192.168.44.3: ICMP echo request, id 38784, seq 546, length 64
    16:42:28.270612 IP 10.24.33.10 > 192.168.44.3: ICMP echo request, id 38784, seq 547, length 64
    16:42:29.275765 IP 10.24.33.10 > 192.168.44.3: ICMP echo request, id 38784, seq 548, length 64
    16:42:30.272989 IP 10.24.33.10 > 192.168.44.3: ICMP echo request, id 38784, seq 549, length 64
    16:42:31.284144 IP 10.24.33.10 > 192.168.44.3: ICMP echo request, id 38784, seq 550, length 64
    ^C
    6 packets captured
    6 packets received by filter
    0 packets dropped by kernel
    vyos@scw-vyos-vpn-test:~$ monitor traffic interface vtun10
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vtun10, link-type RAW (Raw IP), capture size 262144 bytes
    16:42:45.297349 IP 10.24.33.10 > 192.168.33.10: ICMP echo request, id 14209, seq 4, length 64
    16:42:45.298447 IP 192.168.33.10 > 10.24.33.10: ICMP echo reply, id 14209, seq 4, length 64
    16:42:46.299210 IP 10.24.33.10 > 192.168.33.10: ICMP echo request, id 14209, seq 5, length 64
    16:42:46.300289 IP 192.168.33.10 > 10.24.33.10: ICMP echo reply, id 14209, seq 5, length 64
    16:42:47.303477 IP 10.24.33.10 > 192.168.33.10: ICMP echo request, id 14209, seq 6, length 64
    16:42:47.304807 IP 192.168.33.10 > 10.24.33.10: ICMP echo reply, id 14209, seq 6, length 64
    16:42:48.303688 IP 10.24.33.10 > 192.168.33.10: ICMP echo request, id 14209, seq 7, length 64
    16:42:48.305923 IP 192.168.33.10 > 10.24.33.10: ICMP echo reply, id 14209, seq 7, length 64
    ^C
    8 packets captured
    8 packets received by filter
    0 packets dropped by kernel

It is not so simple.

IPSec traffic selectors will not allow any traffic to pass except the negotiated traffic; therefore only traffic between 192.168.33.0/24 and 192.168.44.0/24 can pass through the site-to-site connection.

To make your life easier, I would recommend using VTI (on both sides of the IPSec) if possible - in this case, everything will work as with a regular interface (OpenVPN, etc.).

If VTI is not possible, you need to add more networks to your local traffic selector - increase the network range or add more tunnels.

Also, as a workaround, a NAT for traffic from/to 192.168.44.0/24 can be configured.

Hi, @zsdc! Thanks for the comprehensive explanation. I don't have the option of a VTI setup on the Site-to-Site VPN; the provider only has traditional IPSec VPN.

I was able to configure SNAT, so I can now access resources on the other side of the VPN from OpenVPN. :)

# show interfaces
 dummy dum0 {
     address 172.29.41.89/32
     description "dummy for ipsec"
 }

# show vpn ipsec site-to-site peer 11.12.13.14 tunnel 0
 esp-group SiteSCW-esp
 local {
     prefix 172.29.41.89/32
 }
 remote {
     prefix 192.168.44.0/24
 }

# show nat
 source {
     rule 10 {
         destination {
             address 192.168.44.0/24
         }
         outbound-interface any
         source {
             address 10.24.33.0/24
         }
         translation {
             address 172.29.41.89
         }
     }
 }

Found some help here on official VyOS documentation:
https://docs.vyos.io/en/equuleus/configuration/nat/index.html

Thanks!

Any ideas on how to configure DNAT? I have tried this config, but it doesn't work.

# show nat destination
 rule 10 {
     destination {
         address 172.29.41.89/32
     }
     inbound-interface any
     source {
         address 192.168.44.0/24
     }
     translation {
         address 10.24.33.0/24
     }
 }

With SNAT it should be enough to establish connections from your site to the remote site.
If connections are initiated on the remote site, then a similar SNAT should be done over there.
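As an added illustration (it is not part of the thread and is not VyOS code), the following Python model replays the thread's addresses through a policy-based IPsec traffic selector and a stateful source NAT, to show in one place what zsdc's explanation and n.fort's reply describe: why the original 10.24.33.10 -> 192.168.44.3 pings never enter the tunnel, why the SNAT to the 172.29.41.89 dummy address makes them match the selector and lets replies come back, and why a connection initiated from 192.168.44.0/24 finds no state to map back to a 10.24.33.x host. It assumes the 10.24.33.0/24 OpenVPN pool, the 192.168.44.0/24 remote prefix and the 172.29.41.89/32 local prefix from the posts above; the ICMP id is taken from the capture, and the state table is a simplified stand-in for conntrack, not the kernel's real implementation.

```python
"""Simulation of policy-based IPsec traffic selectors plus stateful SNAT.

Added example using the addresses from the thread; it models the logic, it
does not drive VyOS or the Linux kernel.
"""
from ipaddress import ip_address, ip_network

# Traffic selectors of the site-to-site tunnel, before and after the change
# janiisi made (local prefix moved from the LAN to the /32 dummy address).
ORIG_LOCAL_TS = ip_network("192.168.33.0/24")
NEW_LOCAL_TS = ip_network("172.29.41.89/32")
REMOTE_TS = ip_network("192.168.44.0/24")

# Source NAT rule 10 from the thread: OpenVPN pool -> remote LAN gets the
# dummy address as its source.
SNAT_SOURCE = ip_network("10.24.33.0/24")
SNAT_DEST = ip_network("192.168.44.0/24")
SNAT_ADDR = ip_address("172.29.41.89")


def ipsec_policy_allows(src, dst, local_ts=NEW_LOCAL_TS, remote_ts=REMOTE_TS):
    """Policy-based IPsec only protects a packet whose source lies in the
    local selector and whose destination lies in the remote selector;
    anything else is simply not sent into the tunnel."""
    return ip_address(src) in local_ts and ip_address(dst) in remote_ts


class SourceNat:
    """Minimal stateful SNAT.

    Outbound packets that match the rule get their source rewritten and a
    state entry is recorded; inbound packets are only mapped back when a
    matching entry exists (the simplified conntrack behaviour that makes
    replies work but gives remote-initiated traffic nowhere to go)."""

    def __init__(self):
        # (translated src, dst, flow id) -> original src
        self.state = {}

    def outbound(self, src, dst, flow_id):
        if ip_address(src) in SNAT_SOURCE and ip_address(dst) in SNAT_DEST:
            self.state[(str(SNAT_ADDR), dst, flow_id)] = src
            return str(SNAT_ADDR), dst
        return src, dst  # rule does not match, packet untouched

    def inbound(self, src, dst, flow_id):
        """Reverse translation for a packet arriving from the remote side.
        Returns (src, original dst) or None when there is no state."""
        original = self.state.get((dst, src, flow_id))
        if original is None:
            return None
        return src, original


def walk_through():
    """Replay the thread's ping (ICMP id 38784 from the capture) and a
    remote-initiated probe; returns the observations as a dict."""
    nat = SourceNat()
    client, server, icmp_id = "10.24.33.10", "192.168.44.3", 38784

    # 1. Original setup: the OpenVPN client is outside the local selector.
    dropped = not ipsec_policy_allows(client, server, ORIG_LOCAL_TS)

    # 2. With SNAT the packet leaves as 172.29.41.89 and matches the selector.
    nat_src, nat_dst = nat.outbound(client, server, icmp_id)
    tunnelled = ipsec_policy_allows(nat_src, nat_dst)

    # 3. The echo reply is mapped back to the client through the state entry.
    reply = nat.inbound(server, nat_src, icmp_id)

    # 4. A packet the remote LAN initiates towards the dummy address has no
    #    state entry, so nothing tells the router which 10.24.33.x host it
    #    is meant for; that is the gap n.fort points at.
    unsolicited = nat.inbound(server, str(SNAT_ADDR), 4242)

    return {
        "dropped_without_nat": dropped,
        "translated_source": nat_src,
        "enters_tunnel_with_nat": tunnelled,
        "reply_mapped_to": reply,
        "remote_initiated": unsolicited,
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

Run as a script it prints one line per observation; the model deliberately keys the state on a flow identifier (the ICMP id here) so that a probe with a different id from the remote side lands on `None`, which is the same situation a host behind 192.168.44.0/24 faces when it tries to reach an OpenVPN client through a one-way SNAT.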

Hi, @n.fort Thanks, I got the idea!
