
VPN FQDN/website reroute and remote subnet access

I've created a site-to-site VPN connection from my default local LAN (10.10.0.0/24) to the default offsite LAN (10.0.1.0/24). I used the wizard. I didn't configure a local/remote ID. The connection itself works fine. I made rules which allow all traffic from VPN local subnet to offsite subnet and vice versa.

Now the first problem. I can ping all devices through the VPN connection, but I can't access, for example, the UniFi web portal at 10.0.1.5:8443, nor other devices. I also activated Sophos web portal access through VPN and I can't reach it (only access checked on offsite).

The other thing I want is to route an FQDN from offsite to the local WAN connection. I made a rule on offsite: source: LAN net: offsite | target: VPN net: *.example.com
On the local side I have: source: VPN net: offsite | target: WAN any
I don't know how to make the correct rule.

General info
The main Sophos is directly connected to the internet. The offsite one is behind a NAT (I guess it would only be a problem for the general connection).
I also read the documentation. I'm not sure whether site-to-site or XFRM is better for what I want.

I considered using the same subnet for my local UniFi and offsite, but I think the better way is to leave both sides in control of their own.

Any tips and tricks for me?



  • Here is everything I found out so far

    From Offsite to Local
    I can connect to / reach my UniFi web UI, Proxmox UI and TrueNAS UI but not the Sophos UI (I tried everything active in the VPN ACL).

    From Local to Offsite
    When I use the console to initiate a connection I can magically reach the web UI. For the UniFi controller this command works: 'openssl s_client -connect 10.0.1.10:8443 -servername unifi -verify 1' (I have no SSH open); for Proxmox it's connecting via SSH (the openssl didn't work, maybe my fault); OpenSpeedTest and the Sophos UI won't work at all.

    OpenSpeedTest over HTTP is therefore no problem at all. It's somehow only SSL traffic.

    Firmware
    Both are on SFOS 21.0.0 GA

  • I am assuming the below topology:

    Machine on Local LAN (M1) <==> Local SFOS <== tunnel ==> Offsite SFOS <==> Machine on offsite LAN (M2)

    "I can connect to / reach my UniFi web UI, Proxmox UI and TrueNAS UI but not the Sophos UI (I tried everything active in the VPN ACL)."

    For this, I am assuming you are trying to access the Local SFOS UI from M2. Is it on the Local SFOS LAN IP or WAN IP? If it is the WAN IP of Local SFOS, you need to add that IP in the remote subnet configuration of the IPsec tunnel on Offsite SFOS and similarly the local subnet on the Local SFOS IPsec tunnel configuration. If it is the LAN IP, then enable HTTPS on LAN in the admin ACL of Local SFOS.

    "When I use the console to initiate a connection I can magically reach the web UI. For the UniFi controller this command works: 'openssl s_client -connect 10.0.1.10:8443 -servername unifi -verify 1' (I have no SSH open); for Proxmox it's connecting via SSH (the openssl didn't work, maybe my fault); OpenSpeedTest and the Sophos UI won't work at all."

    This I need to understand a bit more. How are you initiating a web UI connection from the Local SFOS to the Offsite SFOS? They should be reachable anyway, because the tunnel only gets established if they are reachable. The unifi command that you are giving is from the machine M1 (in the topology above)?

  • Yes, local LAN is on 10.10.0.0/24, offsite LAN on 10.0.1.0/24, both have the firewall on .1.

    It's the LAN IP of the SFOS and I enabled HTTPS access in the ACL. I even enabled everything for testing, but I can't connect.
    The first part with the WAN IP I didn't quite understand. For that I would need to enable HTTPS access on the WAN ACL too?
    But I think it wouldn't work anyway, because the offsite SFOS is behind an ISP router (double NAT).

    Sorry, the commands are used on my PC. I see why it was not clear to understand.
    For UniFi I can "force" the connection when I run 'openssl s_client -connect 10.0.1.10:8443 -servername unifi -verify 1' in the CLI.
    For Proxmox I have to connect via SSH to reach the web UI; the openssl cert thing doesn't work.

    The SFOS web UI I could never reach.
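The manual `openssl s_client` check above separates two things: whether a TCP connection through the tunnel succeeds at all, and whether a TLS handshake with a given SNI then completes. Here is an added example (not code from the thread or from Sophos) that runs that same two-stage probe against a list of host:port targets; the addresses and the `unifi` SNI are taken from the thread, the function names and timeout are my own choices.

```python
import socket
import ssl


def probe_tls(host, port, sni=None, timeout=3.0):
    """Two-stage reachability probe.

    Stage 1: plain TCP connect (routing, firewall rule, ACL).
    Stage 2: TLS handshake with SNI (what `openssl s_client -servername` does).
    Returns a dict recording how far the connection got.
    """
    result = {"host": host, "port": port, "tcp": False, "tls": False, "error": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = f"tcp: {exc}"
        return result
    result["tcp"] = True

    ctx = ssl.create_default_context()
    # The web UIs in question (UniFi, Proxmox, SFOS) usually present self-signed
    # certificates, so only test that the handshake completes, not trust.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            result["tls"] = True
            result["protocol"] = tls.version()
    except (ssl.SSLError, OSError) as exc:
        result["error"] = f"tls: {exc}"
        sock.close()
    return result


def summarize(result):
    """One-line verdict that says which stage failed."""
    if not result["tcp"]:
        return "TCP connect failed (route/firewall rule/ACL)"
    if not result["tls"]:
        return "TCP ok, TLS handshake failed"
    return f"TLS ok ({result['protocol']})"


if __name__ == "__main__":
    # Constructed target list, matching the hosts mentioned in the thread.
    targets = [("10.0.1.10", 8443, "unifi"), ("10.0.1.5", 8443, None), ("10.0.1.1", 4444, None)]
    for host, port, sni in targets:
        r = probe_tls(host, port, sni)
        print(f"{host}:{port} -> {summarize(r)}" + (f" [{r['error']}]" if r["error"] else ""))
```

A target that answers ping but reports "TCP ok, TLS handshake failed" narrows the problem to the TLS exchange itself rather than to routing or the VPN firewall rules.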
