Routing from OpenVPN access server to S2S on-premise

James Wiltshire 1 Reputation point
2020-10-10T07:30:17.837+00:00

Hi,

I am after some help with Azure to on-premise VPN routing.

Clients connect into the Azure VNet via a server running OpenVPN Access Server. Once connected, clients can access the subnet 10.1.0.0/24. I have set up an S2S VPN from our on-premise network, 10.0.0.0/24, to the Azure VNet. I can ping from the on-premise network to the 10.1.0.0/24 subnet and from a VM in Azure to our on-premise network.

What I do not know is how to connect via the OpenVPN to the on-premise network.

Any help would be most welcome.

Azure VPN Gateway

1 answer

  1. FENG CHEN 21 Reputation points
    2022-01-25T01:51:41.057+00:00

    I was working on setting up a similar connection (one difference is that I am using an Azure virtual network gateway instead of OpenVPN Access Server; it allows clients to connect with the P2S OpenVPN protocol and connects to on-premises with an S2S IPSec VPN).

    I found this document, https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing, but it's misleading. It mentions that BGP is required, but my test shows a static route can do the job just fine.

    I guess what you need is something like:

    client machine (192.168.222.2/24) <- P2S OpenVPN connection -> VNet (172.16.0.0/16) & OpenVPN Access Server <- Site2Site VPN -> On-Premises Network (172.31.0.0/16)

    It can work as long as you add proper routing. In the OpenVPN client configuration, you need to add something like this to the configuration file:
    <VpnClientAddressPool>192.168.222.0/24</VpnClientAddressPool>
    <Routes>172.16.0.0/16,172.31.0.0/16</Routes>

    This tells the OpenVPN client to route traffic for 172.31.0.0 to the OpenVPN server. The OpenVPN server already knows where to route 172.31.0.0 (to on-premises).

    For the IPSec VPN between the OpenVPN Access Server and the on-premises VPN server, you need to add the following on the on-premises VPN server:

    IPSec remote network: 172.16.0.0/16, 192.168.222.0/24. This tells the on-premises server to route traffic for the VPN client to the OpenVPN Access Server. A firewall policy might also need to be set up to allow in/out traffic for 192.168.222.0/24 on the on-premises VPN server.

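The setup in the answer above depends on a route existing in both directions: the client must send on-premises traffic into the tunnel, and the on-premises device must send replies for the client pool back over the S2S tunnel. The following Python check is an added example, not part of the original post; the function name `check_paths`, its parameter names and the on-premises host address are assumptions, while the address ranges are those quoted in the answer.

```python
import ipaddress

def covered(ip, prefixes):
    """True if ip falls inside any of the given CIDR prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def check_paths(client_ip, onprem_ip, client_routes,
                server_s2s_remote, onprem_s2s_remote):
    """Return a list of routing gaps between a VPN client and an on-premises host.

    client_routes      prefixes the client sends into the tunnel (the <Routes> list)
    server_s2s_remote  prefixes the VPN server/gateway sends over the S2S tunnel
    onprem_s2s_remote  "IPSec remote network" prefixes on the on-premises device
    """
    gaps = []
    # Forward path: client -> VPN server -> on-premises
    if not covered(onprem_ip, client_routes):
        gaps.append(f"client has no route to {onprem_ip}")
    if not covered(onprem_ip, server_s2s_remote):
        gaps.append(f"VPN server does not send {onprem_ip} over the S2S tunnel")
    # Return path: on-premises -> VPN server -> client
    if not covered(client_ip, onprem_s2s_remote):
        gaps.append(f"on-premises device has no return route to {client_ip}")
    return gaps

# Constructed sample values, using the address ranges from the answer above.
CLIENT_IP = "192.168.222.2"
ONPREM_IP = "172.31.10.20"  # hypothetical on-premises host
WORKING = dict(
    client_routes=["172.16.0.0/16", "172.31.0.0/16"],
    server_s2s_remote=["172.31.0.0/16"],
    onprem_s2s_remote=["172.16.0.0/16", "192.168.222.0/24"],
)
# Same setup, but the on-premises side only lists the VNet range.
MISSING_RETURN = dict(WORKING, onprem_s2s_remote=["172.16.0.0/16"])

if __name__ == "__main__":
    for name, cfg in (("working", WORKING), ("missing return route", MISSING_RETURN)):
        gaps = check_paths(CLIENT_IP, ONPREM_IP, **cfg)
        print(name, "->", gaps or "both directions routed")
```

The second configuration reproduces the situation in the question: pings between the VNet and on-premises succeed, but replies to VPN clients have no route back.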
