OpenVPN/Subnet Routing

jayecin

Explorer · Joined Oct 12, 2020 · Messages: 79
I know this issue has been brought up a lot, but I didn't find anything similar enough to my specific issue. So I want to use the OpenVPN server on TrueNAS to connect remotely and manage my network; however, I have security requirements that seem to be at odds with it. I currently have 2 networks on my TrueNAS box off separate physical interfaces. An internal network that is 10.10.10.0/24 for my private servers. These are things like backup servers, zoneminder, etc. Then I also have a 10.10.15.0/24 network that is used for external servers. Devices like Plex and my web dev server that is publicly accessible. Then off the core firewall I have my LAN user network, wireless, etc. For security purposes the 10.10.10.0 network and the 10.10.15.0 network need to communicate through their default gateways on a firewall. I don't want one of the internet-exposed boxes becoming compromised and having direct access to my other resources on all ports.

So I set up my OpenVPN and I am able to connect, I pushed all my routes properly, but I ran into the common issue that I can't route between subnets. My OpenVPN client, despite having routes to all the networks, can only communicate with the 10.10.10.0/24 network where the OpenVPN terminates. If I use the tunable net.inet.ip.forwarding=1 I am able to reach everything just fine; however, traffic between subnets on the TrueNAS no longer utilizes the default gateway to talk to each other. That means everything on the 10.10.15.0 network has full access to 10.10.10.0 directly without utilizing my firewall.

My understanding is that the default behavior of TrueNAS is to prevent interfaces from being able to route directly to each other, which makes sense. Enabling IP forwarding basically allows the interfaces to communicate directly and puts them into a single-view routing table. So this makes sense as to why it's needed for OpenVPN, as the client IP range basically gets a virtual interface of x.x.x.1 of whatever network you choose. So for example I used 192.168.10.0/24, so the TrueNAS gets 192.168.10.1 as a virtual interface for the OpenVPN clients to route traffic to as a default gateway.

Is there any way I can design this so that I can access my external/LAN networks over the OpenVPN without having to enable IP forwarding, or should I look into another solution? From a hardware standpoint: Ubiquiti Dream Machine Pro -> trunk link to -> Juniper switch -> access ports on TrueNAS. One solution I started looking into is using a VLAN, but I am not sure I can do what I want. Basically I would want to create a VLAN on TrueNAS with no IP address or layer 3 interface that connects via layer 2 to the external VMs/jails, thus avoiding adding a layer 3 interface for the 10.10.15.0 network and allowing me to enable IP forwarding. But I am not sure if this is possible. So far when I create a VLAN with no IP address it breaks all VMs/jails and they are no longer accessible; just the act of creating the VLAN with no IP address breaks everything. I understand I could also enable the firewall on TrueNAS, but I don't see that as a valid option. I don't want to have 2 firewalls to manage for my small home network.
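The point behind the behaviour described in the post is that net.inet.ip.forwarding is a host-wide switch: once it is 1, the FreeBSD kernel forwards between every interface it holds an address on, so "VPN clients into both LANs, but no 10.10.10.0/24 <-> 10.10.15.0/24 forwarding through the NAS" can only come from a packet filter on the NAS. As an added example (not code from the post or from TrueNAS), the pf rule set below expresses exactly that policy. The subnets are the ones in the post; the interface names igb0, igb1 and tun0 are assumptions, as is the availability of pf on the host (TrueNAS Core is FreeBSD-based, which is why the tunable in the post is a FreeBSD sysctl).

```conf
# /etc/pf.conf (added example; interface names are assumptions)
# Requires net.inet.ip.forwarding=1 as a sysctl tunable, exactly as in the post.
int_if  = "igb0"             # 10.10.10.0/24  private servers (OpenVPN terminates here)
ext_if  = "igb1"             # 10.10.15.0/24  internet-exposed servers
vpn_if  = "tun0"             # OpenVPN clients, NAS holds 192.168.10.1
int_net = "10.10.10.0/24"
ext_net = "10.10.15.0/24"
vpn_net = "192.168.10.0/24"

set skip on lo0

# Anything addressed to the NAS itself keeps working as before; this file only
# governs what the kernel is allowed to FORWARD, not what the host serves.
pass in quick on { $int_if $ext_if $vpn_if } inet to self

# The two LAN segments must not be forwarded through this host: their path to
# each other stays via the default gateway on the firewall. Logged so a
# compromised exposed box trying to pivot via the NAS shows up in pflog0.
block in log quick on $int_if inet from $int_net to { $ext_net $vpn_net }
block in log quick on $ext_if inet from $ext_net to { $int_net $vpn_net }

# VPN clients may be forwarded into either LAN. keep state makes the return
# packets (arriving on igb0/igb1, destined for 192.168.10.x) match the state
# entry and bypass the block rules above, so replies are not caught by them.
pass in quick on $vpn_if inet from $vpn_net to { $int_net $ext_net } keep state

# Default allow for everything else (host-originated traffic, outbound legs of
# the forwarded flows); this is a forwarding policy, not a second perimeter
# firewall.
pass
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it; `pfctl -sr` afterwards shows the rules as loaded, and `tcpdump -n -e -ttt -i pflog0` shows the logged blocks, which is the check that a 10.10.15.x host really cannot reach 10.10.10.x through the NAS once forwarding is on. The `quick` keyword makes the first matching rule win, so the order above (host-addressed first, LAN-to-LAN blocks second, VPN pass third) is part of the policy.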