  1. #1
    Untanglit
    Join Date
    Sep 2014
    Posts
    24

    OVPN on bridged UNT-15 behind another FW

    Greetings all, I'd appreciate some input. Client's edge device is a 3rd party, custom IDS/IPS/FW product that the 3rd party manages under contract. It's locked down really tight and is monitored 24/7 as a paid service. After that is an Untangle box, v15, set up in bridged mode, no NAT. We do this for more granular capabilities for egress like SSL capable web filtering etc. Plus, auditors/examiners really like it.

    This setup has been used for years without issue. There are some static rules in the edge that let me get in from my remote static IP, but that's all the remote access allowed. I can have the edge rules modified but I have no direct config access. The client is now wanting to allow some OpenVPN connections.

    Public IP > 3p edge FW 192.168.1.254 > UNT Bridged 192.168.1.253 > LAN.

    UNT > Network > Hostname is "Use Hostname". External DNS pointer resolves this hostname to public IP. Internal DNS resolves it to internal IP.

    I've had the 3p edge forward public IP:1194 to 192.168.1.253. But I can't get the clients connected. I've set up UNT OVPN when UNT is the edge several times before without issue, but never as a bridged UNT behind another FW.

    What am I missing? I have an email in to them to see if they are forwarding UDP but while I await that response, I tried TCP on the UNT server and client with no luck.

    TIA

  2. #2
    Jim.Alles (Untangle Ninja)
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    1,714


    I do this, with a 4G LTE modem/router. But I have configuration control over the edge router.
    It just works.

    And TCP isn't supported by Untangle's implementation of OpenVPN. So scratch that idea.
    But there is an NGFW access rule at config/network/advanced/access_rules towards the bottom that needs to be enabled.

    The 3P router might have egress rules that need to be opened up?
    And make sure the vendor provides global access to UDP port 1194, not just admin IP addresses.

  3. #3
    Untanglit
    Join Date
    Sep 2014
    Posts
    24


    Thanks for the reply Jim and apologies for the delayed response. I had 3p verify they were forwarding UDP as mentioned in the OP and sure enough that was it. Once they switched it everything worked.
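The fix in this thread was on the edge device, not on Untangle: the forward had to be UDP, since Untangle's OpenVPN does not do TCP. The following is an added example (not from the thread, Untangle or OpenVPN itself) of how to confirm from the outside, e.g. from the admin's static IP, that UDP/1194 actually reaches an OpenVPN server before spending time on the UNT config. It sends the plain OpenVPN client hard-reset packet and checks for the server's hard-reset reply; it assumes a server without tls-auth/tls-crypt, which would otherwise silently drop the unauthenticated probe, and the hostname is a placeholder.

```python
import os
import socket
import struct

# OpenVPN control-channel opcodes (plain UDP, no tls-auth/tls-crypt wrapper)
OPCODE_HARD_RESET_CLIENT_V2 = 7
OPCODE_HARD_RESET_SERVER_V2 = 8


def build_probe(session_id: bytes) -> bytes:
    """First packet an OpenVPN client sends: opcode 7, key id 0, our 8-byte
    session id, an empty ack array and packet id 0 (14 bytes in total)."""
    if len(session_id) != 8:
        raise ValueError("session id must be 8 bytes")
    first_byte = (OPCODE_HARD_RESET_CLIENT_V2 << 3) | 0
    return bytes([first_byte]) + session_id + b"\x00" + struct.pack(">I", 0)


def parse_reply(data: bytes, session_id: bytes):
    """Classify a datagram that came back. A real server answers with opcode 8
    and echoes our session id in the remote-session field after its ack list."""
    if len(data) < 14:
        return None
    opcode, key_id = data[0] >> 3, data[0] & 0x07
    ack_len = data[9]
    pos = 10 + 4 * ack_len                       # skip the acked packet ids
    remote_session = data[pos:pos + 8] if ack_len else b""
    return {
        "opcode": opcode,
        "key_id": key_id,
        "is_server_reset": opcode == OPCODE_HARD_RESET_SERVER_V2,
        "echoed_session": remote_session == session_id,
    }


def probe_openvpn_udp(host: str, port: int = 1194, timeout: float = 3.0):
    """Send one probe and wait for a reply. None means no answer: UDP not
    forwarded by the edge, the NGFW access rule still disabled, or a
    tls-auth/tls-crypt server that drops unauthenticated control packets."""
    session_id = os.urandom(8)                   # constructed per probe
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_probe(session_id), (host, port))
        try:
            data, _ = sock.recvfrom(2048)
        except socket.timeout:
            return None
    return parse_reply(data, session_id)
```

Run it as `probe_openvpn_udp("vpn.example.com")` (placeholder hostname) from outside the edge; a result with `is_server_reset` and `echoed_session` both true means the UDP forward and the access rule are in place, while `None` points at the edge or the rule rather than the client profile.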
