#StackBounty: #vpn #routing #openvpn Route subnet through a VPN gateway with OpenVPN

Bounty: 50

A small company I work at is getting rid of an office soon and it has fallen onto me to migrate the currently
on-prem-hosted VPN (just a Zyxel Zywall 110 device) into a cloud-based VM. I am not that experienced in networking (backend-dev-turned-ops)
so I would like to validate if the following approach will work.


I have a dedicated VM where I’ve set up OpenVPN Access Server and the basics are working well, people can connect,
all good.

There is one catch though, the current VPN forwards a certain IP range through a "tunnel" into a client’s internal network.
It looks like this:

if addr in '172.30.239.0/25':
    route through gw 194.xxx.xxx.xxx
else:
    route through gw 0.0.0.0

Where the connection from our router to the client’s VPN GW is done via IKEv1 with pre-shared key (judging from the router’s web UI).

Some ascii art depicting the setup below. I am replacing Router with a VM.

            +-----------------+           [     Client infra, this has to stay the same     ]
            | Router          |           194.xxx.xxx.xxx            e.g. 172.30.239.75
            | --------------- |   IKEv1   +-------------+       +-------------------------+
User -----> | 172.30.239.0/25-| --------> | VPN gateway |-----> | Internal network server |
            |     default     |           +-------------+       +-------------------------+
            |        |        |
            +--------+--------+
                     |
                     |
                 internet

The OpenVPN Access Server does not support anything like this by itself (or I haven’t been able to find that config), so I thought I could do it on the VM level.
If I connect the OS to the VPN gateway with something like Strongswan and configure appropriate routing in iptables, could
this work? Would the traffic of users connected to the OpenVPN server going to the 172.30.239.0/25 range get routed
through to the Strongswan’s connection, or is this approach fundamentally wrong? What are my options?

Thanks!


Get this bounty!!!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.