OpenVPN using a 1:1 NAT
-
Is it possible to have OpenVPN listening to another public ip address assigned to the WAN? Only have one WAN but 5 statics assigned by my ISP. Have services going through other ips instead of the main ip used for browsing because of PCI Compliance tests from bank. Would like to have OpenVPN listen and use only a certain public ip address but cannot find how to assign it.
Can someone help? Thanks -
If you have your additional WAN IPs added as IP aliases you're able to select each of them in the OpenVPN server's settings at Interface. The OpenVPN server will only listen on the selected IP.
-
@jptferreira said in OpenVPN using a 1:1 NAT:
possible to have OpenVPN listening to another public ip address assigned to the WAN
Hi,
Anything is possible as long as they say not anymore not possible...
I would start with these:
https://docs.netgate.com/pfsense/en/latest/book/firewall/methods-of-using-additional-public-ip-addresses.html
https://docs.netgate.com/pfsense/en/latest/routing/multi-wan-openvpn.html and
https://www.youtube.com/channel/UC3Cq2kjCWM8odzoIzftS04A/videos -
Thanks to you all! I'll get on it! :)
-
Due to lack of time I had to postpone, but today I've been trying to have OpenVPN under pfSense listen to a certain WAN ip address. If I use the default gateway used by the network it works great, but I can't have that one have any port open, and so I have several other WAN ip addresses that I've been using for different services and all good there. The only issue is with OpenVPN: if I change the address (yes, I have it as an alias like all the other ones so they are seen as interfaces) during the wizard, it completes, the server starts and I can export the config files correctly and checking those the correct ip is there, but no luck with a connection.
If I set up port forwarding and have OpenVPN running on another machine then all works great, but it isn't the desired scenario... can't find a way to use OpenVPN on pfSense when I select an alias that is working fine with other services under port forwarding....
Any help would be very much appreciated!
JP
-
Here is some more info:
Here using the default gateway and works fine:
Jan 11 14:43:08 openvpn 88826 John/192.168.1.242:39344 MULTI_sva: pool returned IPv4=10.0.8.2, IPv6=(Not enabled)
Jan 11 14:43:08 openvpn 69422 user 'John' authenticated
Jan 11 14:43:08 openvpn 88826 192.168.1.242:39344 [John] Peer Connection Initiated with [AF_INET]192.168.1.242:39344
Jan 11 14:43:08 openvpn 88826 192.168.1.242:39344 peer info: IV_TCPNL=1
Jan 11 14:43:08 openvpn 88826 192.168.1.242:39344 peer info: IV_COMP_STUBv2=1
Jan 11 14:43:08 openvpn 88826 192.168.1.242:39344 peer info: IV_COMP_STUB=1
Jan 11 14:43:08 openvpn 88826 192.168.1.242:39344 peer info: IV_LZO=1
Jan 11 14:43:08 openvpn 88826 192.168.1.242:39344 peer info: IV_LZ4v2=1
Jan 11 14:43:08 openvpn 88826 192.168.1.242:39344 peer info: IV_LZ4=1
Jan 11 14:43:08 openvpn 88826 192.168.1.242:39344 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
Jan 11 14:43:08 openvpn 88826 192.168.1.242:39344 peer info: IV_NCP=2
Jan 11 14:43:08 openvpn 88826 192.168.1.242:39344 peer info: IV_PROTO=6
Jan 11 14:43:08 openvpn 88826 192.168.1.242:39344 peer info: IV_PLAT=linux
Jan 11 14:43:08 openvpn 88826 192.168.1.242:39344 peer info: IV_VER=2.5.1
When I create it using the wizard or manually to use the alias with another ip address assigned to the same WAN it gives the following (with the exact same settings, the only difference is the WAN ip):
Jan 11 14:49:37 openvpn 8762 Initialization Sequence Completed
Jan 11 14:49:37 openvpn 8762 UDPv4 link remote: [AF_UNSPEC]
Jan 11 14:49:37 openvpn 8762 UDPv4 link local (bound): [AF_INET]XX.XX.XX.XXX:1194
Jan 11 14:49:37 openvpn 8762 /usr/local/sbin/ovpn-linkup ovpns1 1500 1621 10.0.8.1 255.255.255.0 init
Jan 11 14:49:37 openvpn 8762 /sbin/ifconfig ovpns1 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.0 up
Jan 11 14:49:37 openvpn 8762 TUN/TAP device /dev/tun1 opened
Jan 11 14:49:37 openvpn 8762 TUN/TAP device ovpns1 exists previously, keep at program end
Jan 11 14:49:37 openvpn 8762 WARNING: experimental option --capath /var/etc/openvpn/server1/ca
Jan 11 14:49:37 openvpn 8762 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 11 14:49:37 openvpn 8543 library versions: OpenSSL 1.1.1k-freebsd 25 Mar 2021, LZO 2.10
Jan 11 14:49:37 openvpn 8543 OpenVPN 2.5.2 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 24 2021
Jan 11 14:49:37 openvpn 8543 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Jan 11 14:49:37 openvpn 8543 DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
Jan 11 14:49:37 openvpn 59957 SIGTERM[hard,] received, process exiting
Jan 11 14:49:37 openvpn 59957 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1621 10.0.8.1 255.255.255.0 init
Jan 11 14:49:35 openvpn 59957 event_wait : Interrupted system call (code=4) -
Found the issue... had several 1:1 NAT rules and can't have the OpenVPN WAN ip on one of them, as the 1:1 bypasses it.
All good now.
JP
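The resolution above is a configuration conflict that is easy to reintroduce later: a 1:1 NAT entry claims every packet arriving at its external address for the mapped internal host, so an OpenVPN server bound to that same IP alias on the firewall never sees its port 1194 traffic. The following script is an added example, not pfSense code or anything posted in this thread. It scans a pfSense config.xml for OpenVPN servers whose listening interface is a virtual IP that is also the external address of a 1:1 NAT entry. The element layout it assumes (virtualip/vip with uniqid and subnet, nat/onetoone with external, openvpn/openvpn-server with an interface value of the form `_vip<uniqid>`) is taken from pfSense's export format as the author of this example understands it; the embedded config and all addresses are constructed.

```python
"""Flag OpenVPN servers bound to a WAN IP alias that is also the external
address of a 1:1 NAT entry (the conflict found in the thread above).

Added example, not pfSense code. Element names and the "_vip<uniqid>"
interface reference are assumed from pfSense's config.xml format; the
sample document below is constructed for demonstration.
"""
import xml.etree.ElementTree as ET

# Constructed config.xml fragment: two WAN IP aliases, both used by 1:1 NAT,
# and two OpenVPN servers, one of which is bound to the aliased address.
SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <vip><mode>ipalias</mode><interface>wan</interface><uniqid>abc123</uniqid>
         <subnet>203.0.113.10</subnet><subnet_bits>32</subnet_bits><descr>vpn</descr></vip>
    <vip><mode>ipalias</mode><interface>wan</interface><uniqid>def456</uniqid>
         <subnet>203.0.113.11</subnet><subnet_bits>32</subnet_bits><descr>web</descr></vip>
  </virtualip>
  <nat>
    <onetoone><interface>wan</interface><external>203.0.113.10</external>
      <source><address>192.168.1.50</address></source><destination><any/></destination></onetoone>
    <onetoone><interface>wan</interface><external>203.0.113.11</external>
      <source><address>192.168.1.60</address></source><destination><any/></destination></onetoone>
  </nat>
  <openvpn>
    <openvpn-server><vpnid>1</vpnid><interface>_vipabc123</interface>
      <local_port>1194</local_port><protocol>UDP4</protocol></openvpn-server>
    <openvpn-server><vpnid>2</vpnid><interface>wan</interface>
      <local_port>1195</local_port><protocol>UDP4</protocol></openvpn-server>
  </openvpn>
</pfsense>"""


def vip_addresses(root):
    """Map each '_vip<uniqid>' interface name to the IP alias it represents."""
    out = {}
    for vip in root.iterfind("./virtualip/vip"):
        uniqid = vip.findtext("uniqid")
        addr = vip.findtext("subnet")
        if uniqid and addr:
            out["_vip" + uniqid] = addr
    return out


def onetoone_externals(root):
    """Set of external addresses consumed by 1:1 NAT entries."""
    return {e.findtext("external") for e in root.iterfind("./nat/onetoone")}


def find_conflicts(config_xml):
    """Return (vpnid, address, port) for every OpenVPN server whose listening
    VIP is also a 1:1 NAT external address; such a server will start cleanly
    but never receive client handshakes, as in the thread's log."""
    root = ET.fromstring(config_xml)
    vips = vip_addresses(root)
    nat_ext = onetoone_externals(root)
    conflicts = []
    for srv in root.iterfind("./openvpn/openvpn-server"):
        addr = vips.get(srv.findtext("interface", ""))
        if addr and addr in nat_ext:
            conflicts.append((srv.findtext("vpnid"), addr, srv.findtext("local_port")))
    return conflicts


if __name__ == "__main__":
    for vpnid, addr, port in find_conflicts(SAMPLE_CONFIG):
        print(f"OpenVPN server {vpnid} listens on {addr}:{port}, "
              f"but {addr} is the external address of a 1:1 NAT entry")
```

Run it against a backup of config.xml (Diagnostics > Backup & Restore) by replacing `SAMPLE_CONFIG` with the file contents. A server bound directly to `wan` is not checked against the primary WAN address here, since the thread only concerns IP aliases; extending `vip_addresses` with the interface's own static address would cover that case too.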