  1. #1
     Newbie | Join Date: Mar 2020 | Posts: 3

     Site to site behind firewall help.

    I am looking for some guidance on the best way to force all of our site to site traffic through our firewall. We have an untangle box with openvpn running in server mode in our data center. I have three other remote sites that are using untangle/openvpn client mode to connect. The server side has an internal interface and an external that seem to go straight out to the internet bypassing the firewall. I have been reading about possibly using bridge mode, but I am having a hard time making sense of the proper configuration. Should I bridge the internal interface and then add a NAT in the firewall, or the other way around? I would like to add that I am not the person who set all of this up originally and I was handed this assignment and told to figure it out. I have a good understanding of networking, but I am not the best when it comes to routing for VPN traffic.

  2. #2
     sky-knight (Untangle Ninja) | Join Date: Apr 2008 | Location: Phoenix, AZ | Posts: 24,186

    Ahh... well you're in for some fun!

    Ok, so Untangle in bridge mode in a datacenter with branch offices wanting to go through it. You sir, like to do things the hard way! You'd have substantially less trouble if Untangle was the router in the DC, but it isn't... so here we go.

    So I presume you've already forwarded UDP 1194 from the DC's publicly facing interface to Untangle as well as whatever you're using for your HTTPS external administration so you have full control of Untangle.

    Next, log into that DC Untangle, and hit up config -> network -> hostname. Make sure you're using the hostname, and that hostname resolves to the proper public address that forwards to Untangle OR, set that to use manually specified address and stuff in either a working DNS name or IP address that ultimately is doing the lifting. This change ensures Untangle's OpenVPN configurations are being generated with good details. So whatever you do make sure that box has something in it that points at Untangle. If you can't draw a map from the internet to an address, to a UDP 1194 port forward... this is busted... chase this down. You can't muck this up.

    Now, onto the step everyone misses... on the DC Untangle, OpenVPN settings, server tab... Make note of that address space IP range! Once you have it, get into the router that has the actual public IP address on it, and make a static route for traffic destined to that IP range, and set the gateway to Untangle's external IP address. OpenVPN is ROUTED in Untangle, not bridged. So you're going to have to push packets into it, otherwise your DC network won't have a clue where that IP range is.

    Once all that's done, you should have the ability to generate a road warrior VPN, connect, and assuming you set it to full tunnel, you'll see your Internet IP change.

    Once all of that is working, you can start generating remote clients for your branch office Untangle installs, and you'll import those configurations into the TUNNEL VPN app, NOT OPENVPN! Tunnel VPN is for full site-to-site tunnels, OpenVPN does site-to-site SPLIT tunnels. Once TunnelVPN is online at all of the branches, you'll have centralized filtration based on the DC Untangle.

    There is a far easier way to do this if you're willing to redesign how the DC connects to the Internet. But to dig into that I'd need some specifics of what that network looks like, a map, some IP addresses and the like.
    Last edited by sky-knight; 03-24-2020 at 11:06 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
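The step sky-knight calls "the one everyone misses" is easy to model: the OpenVPN address space is a routed range that lives behind Untangle's external interface, so unless the DC router holds a static route for it, longest-prefix matching sends that traffic out the default route to the ISP. The block below is an added illustration, not code from the thread, from Untangle or from NexgenAppliances; every address, the routing table and the port-forward table are constructed sample values, and the function names (`lookup`, `with_static_route`, `vpn_pool_routed_to_untangle`, `readiness`) are hypothetical. It checks the two prerequisites the post lists before generating clients: the UDP 1194 forward reaches Untangle, and the whole OpenVPN pool is steered at Untangle's external IP, with no partial or more-specific route diverting part of it.

```python
import ipaddress

# Constructed sample addressing for the DC (hypothetical, not from the thread).
ISP_GATEWAY = ipaddress.ip_address("203.0.113.1")              # upstream hop on the DC edge router
PUBLIC_IP = "203.0.113.10"                                      # the DC's public address
UNTANGLE_EXTERNAL_IP = ipaddress.ip_address("192.168.10.2")     # Untangle's external interface
DC_LAN = ipaddress.ip_network("192.168.10.0/24")                # segment Untangle's external side sits on
OPENVPN_ADDRESS_SPACE = ipaddress.ip_network("172.16.0.0/16")   # "address space" on the OpenVPN server tab

# A routing table is a list of (prefix, next_hop); next_hop None means directly connected.
# This is the DC router as the post finds it: LAN plus a default route, nothing for the VPN pool.
BASE_ROUTES = [
    (DC_LAN, None),
    (ipaddress.ip_network("0.0.0.0/0"), ISP_GATEWAY),
]

# Port-forward table on the edge router: (public_ip, proto, port) -> (internal_ip, port).
SAMPLE_FORWARDS = {
    (ipaddress.ip_address(PUBLIC_IP), "udp", 1194): (UNTANGLE_EXTERNAL_IP, 1194),   # OpenVPN
    (ipaddress.ip_address(PUBLIC_IP), "tcp", 443): (UNTANGLE_EXTERNAL_IP, 443),     # HTTPS admin
}


def with_static_route(routes, pool=OPENVPN_ADDRESS_SPACE, untangle=UNTANGLE_EXTERNAL_IP):
    """The fix from the post: a static route for the OpenVPN range via Untangle's external IP.
    Accepts strings or ipaddress objects for pool and next hop."""
    return list(routes) + [(ipaddress.ip_network(pool), ipaddress.ip_address(untangle))]


def lookup(routes, dst):
    """Longest-prefix match. Returns the next hop, or None when the destination is on a
    directly connected prefix. Raises if nothing matches (no default route)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def vpn_pool_routed_to_untangle(routes, pool=OPENVPN_ADDRESS_SPACE, untangle=UNTANGLE_EXTERNAL_IP):
    """True only if the entire pool is steered at Untangle: some route must cover the whole
    pool with Untangle as next hop, and no more-specific route inside the pool may point
    anywhere else (a half-pool static route would pass a spot check but still break clients)."""
    covering = any(pool.subnet_of(prefix) and nh == untangle for prefix, nh in routes)
    if not covering:
        return False
    for prefix, nh in routes:
        if prefix.subnet_of(pool) and nh != untangle:
            return False
    return True


def openvpn_forward_ok(forwards, public_ip, untangle=UNTANGLE_EXTERNAL_IP):
    """The post assumes UDP 1194 on the public address already lands on Untangle."""
    key = (ipaddress.ip_address(public_ip), "udp", 1194)
    return forwards.get(key) == (untangle, 1194)


def readiness(routes, forwards, public_ip):
    """Summarise both prerequisites before generating remote-client configurations."""
    return {
        "udp_1194_forwarded": openvpn_forward_ok(forwards, public_ip),
        "vpn_pool_routed": vpn_pool_routed_to_untangle(routes),
    }


if __name__ == "__main__":
    probe = "172.16.0.5"   # a constructed address inside the OpenVPN pool
    for label, routes in (("before static route", BASE_ROUTES),
                          ("after static route", with_static_route(BASE_ROUTES))):
        print(f"{label}: {probe} -> {lookup(routes, probe)}; "
              f"{readiness(routes, SAMPLE_FORWARDS, PUBLIC_IP)}")
```

Run as-is, the first line shows the pool address leaving via the ISP gateway and `vpn_pool_routed` false; after `with_static_route` the same address resolves to Untangle's external IP and both checks pass. The covering-plus-no-diversion test in `vpn_pool_routed_to_untangle` is deliberately stricter than probing a single address, because a route for only part of the pool is the kind of mistake a one-off ping would not catch.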

  3. #3
     Newbie | Join Date: Mar 2020 | Posts: 3

    Thanks for the quick reply. I don't see any way that we would use the untangle box as our router. We are using exos and have a full ring setup, so replacing our core router would not be possible. I need a little time to read through what you sent and process.

    I will say that we are using openvpn on an untangle box at each site, not tunnelvpn and we do not have client machines connecting individually. Each site uses the untangle box as a router except for the data center.

  4. #4
     Jim.Alles (Untangle Ninja) | Join Date: Jul 2008 | Location: Central PA | Posts: 1,712

    Although this is the SDWAN forum, no one has explicitly stated whether they are talking about SD-WAN or NGFW edit: (as two different Untangle products).
    That has me concerned.

    I am not familiar enough with SD-WAN to speak to this.
    Last edited by Jim.Alles; 03-24-2020 at 08:41 PM.

  5. #5
     Newbie | Join Date: Mar 2020 | Posts: 3

    I may have started this in the wrong forum. I would not say we are using untangle as a ngfw, but I don't know if the setup really qualifies as sdwan either.

  6. #6
     sky-knight (Untangle Ninja) | Join Date: Apr 2008 | Location: Phoenix, AZ | Posts: 24,186

    You're describing SDWAN as a concept, but Untangle has a product called SDWAN.

    You can perform SDWAN actions with Untangle Next Generation Firewall. So yeah this probably would have been better in the TunnelVPN forum, but who cares. This is SDWAN in action, the product you're using is largely irrelevant.

    The Untangle SDWAN product is simply more cost effective at being a remote office VPN terminator than Untangle NGFW is. But if you already have the latter, that's what you use. Yes, it will work.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
