Routing part of traffic through an IPSec tunnel

melkamar
OpenVpn Newbie
Posts: 4
Joined: Mon Mar 01, 2021 10:45 am

Routing part of traffic through an IPSec tunnel

Post by melkamar » Fri May 28, 2021 8:43 am

Hi, I've been pondering my network setup for a while and decided to ask for help. My company has an OpenVPN AS running on an Ubuntu server and also on that server there's an IPSec tunnel towards a remote gateway between subnets 10.0.1.0/24 <--> 172.30.239.0/25.

OpenVPN client IP pool is 10.0.1.0/24 -- same as the local end of the IPSec tunnel.

I want OpenVPN clients to be able to do

    curl 172.30.239.75

and get their traffic routed through OpenVPN and then the IPSec tunnel. All other traffic should just go through OpenVPN and then to the internet.

The IPSec tunnel works correctly, as I am able to execute

    curl 172.30.239.75

from the OpenVPN AS machine, so it seems there is just some routing/policy missing. I have tried configuring this from the OAS web UI, trial-and-erroring all options that came to mind but with no success. Could you advise? Can this configuration be done just by using the UI or do I need some custom OS-level routes/iptables? If the latter, can you please suggest what those should be?

More information about this case is described in this question: https://serverfault.com/questions/10649 ... the-server

Thank you in advance!

melkamar
OpenVpn Newbie
Posts: 4
Joined: Mon Mar 01, 2021 10:45 am

Re: Routing part of traffic through an IPSec tunnel

Post by melkamar » Fri May 28, 2021 9:01 am

Well, I guess I had to give up and write the question in order to then realize what I was doing wrong and get things working.

The solution was simple: go to VPN Settings > Routing, select 'Yes, using routing' and fill in the remote subnet (172.30.239.0/25 in my case). I had only been trying to put in the local end of that tunnel, when in fact the remote end is the correct option.
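As an added illustration (not code from this thread or from OpenVPN AS), here is a small Python model of the two checks a client packet must pass on this setup: a route pushed to the client must cover the destination, and the IPsec policy selectors on the server must match both addresses. The subnets are the ones in the thread; the client address 10.0.1.5 and the Internet address 203.0.113.10 are constructed, and the model deliberately ignores OpenVPN AS's own access-control rules.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class IpsecPolicy:
    """Selectors of the tunnel on the OpenVPN AS host (values from the thread)."""
    local: IPv4Network = ip_network("10.0.1.0/24")
    remote: IPv4Network = ip_network("172.30.239.0/25")


@dataclass(frozen=True)
class Verdict:
    enters_vpn: bool     # the client routes the packet over OpenVPN at all
    enters_ipsec: bool   # the server's policy selects it for the IPsec tunnel
    reason: str


def trace(pushed_subnets, src, dst, policy=IpsecPolicy(), full_tunnel=False):
    """Follow one packet src -> dst sent by an OpenVPN client.

    pushed_subnets: networks entered under 'Yes, using routing'; clients get a
    route for each.  full_tunnel: the server also pushes a default route so
    Internet traffic goes over the VPN (simplified model, an assumption here).
    """
    src, dst = ip_address(src), ip_address(dst)
    pushed = [ip_network(s) for s in pushed_subnets]
    # 1. Client side: the packet enters the VPN only if some route covers dst.
    if not (full_tunnel or any(dst in net for net in pushed)):
        return Verdict(False, False,
                       f"no VPN route covers {dst}; client uses its own gateway")
    # 2. Server side: the kernel IPsec policy matches on both selectors.
    if dst not in policy.remote:
        return Verdict(True, False, f"{dst} is not behind the IPsec peer")
    if src not in policy.local:
        # The client pool equals the local selector in the thread, so this
        # case only appears if the pool is changed; SNAT would be needed.
        return Verdict(True, False,
                       f"src {src} outside local selector {policy.local}")
    return Verdict(True, True, "selected by IPsec policy; sent through tunnel")
```

Pushing the local end (10.0.1.0/24), as first tried in the thread, yields a verdict of "no VPN route covers 172.30.239.75"; pushing the remote end passes both checks.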
