Access a Windows Remote Desktop that is behind a pfSense OpenVPN Client?
-
Hi guys!
I have 2 computers on my pfSense LAN that are both Windows. I have them configured with different Remote Desktop (RDP) ports. As it is right now, I can connect to each computer while away from home with no problem. However, I recently subscribed to IPVanish and set up OpenVPN on the pfSense router to access it as a client. This has opened up a whole new can of worms I'm slowly figuring out. I've hit a snag though and can't figure out how to tell pfSense to allow traffic on those ports to bypass the VPN and come straight in. I have a dynamic DNS client running so I can know what my home IP address is at any given time. But when I connect to that address, it DOESN'T connect, if that makes sense. I suspect it's because of the VPN.
Is there a way (or no way) to expose a port to the internet that would be bypassing the VPN?
Thanks for any response. This is my summer project this year. Loving all the new stuff I'm learning, and this great software!
-Aaron
EDIT:
I guess I was wrong. Since I've been having so much trouble, I decided to turn off the VPN client and see if I can still connect to my computer with a remote connection. Seems like that's no longer working. Gonna have to go back and work on this some more. :(
EDIT 2: Maybe I was just impatient... Disconnected my wifi, connected my tablet to my cellphone using personal hotspot (cell wifi off too) and it connected albeit slower than I'm used to elsewhere.. but it worked. So remote access is working. Just not through VPN again.
-
I give up. When I use an open port checking website, put in the DDNS address for my network, and the port I'm using for RDP, it says it's closed. And yet, if I try to connect over cell with wifi off, it CONNECTS. I'm so confused. I guess I don't need any help after all? LOL networking makes my brain crack.
-
@hansolo77 You shouldn't use an open port for RDP in the first place... Use your own VPN for that.
-
@bob-dig I agree. It would be more secure. But I don't know how to do that. I'm very low/entry level here. Can I even use a VPN service (IPVanish) if I create my own VPN server on pfSense too? I can't even comprehend how to do that. :)
-
@hansolo77 sure you can, one is a vpn server the other is a vpn client. You could have multiples of both actually.
-
@hansolo77 So you have to read the docs and learn stuff or maybe pfSense is not the right solution for you, but it is absolutely possible to do that.
-
I'm definitely willing to learn. When I say I give up, that's just me being tired after a long day and not understanding why it worked when it wasn't before. :) I've definitely got some reading to do.
-
@hansolo77 Policy-based routing (PBR) is what you need to learn to do in pfSense and once that is understood, you should be able to achieve your goal.
-
Here's what I've tried so far, that doesn't work lol...
Remote Access without a VPN works. I can test it by switching my tablet to connect to my cell phone's personal hot spot when it's in CELL mode.
I followed a couple of YouTube videos that explained the process of setting up a VPN server to allow remote access. I created the keys and user, and created a generic default server. On my tablet, I can run the OpenVPN Connect app and can connect to the VPN server while sitting on the same LAN. However, when I go to the CELL mode with hotspot, it's not able to connect. According to the logs, it's trying to connect to the VPN via an IP address I didn't set in the server. It wants to use 192.168.0.50, which is the IP address of the pfSense device from the modem (even though I have pfSense set to use 10.27.x.x.). So that's not going to help. Sure, I can securely connect to the VPN while at home, but the point is to allow REMOTE access. I'm not sure what's wrong here.
I tried changing the setting in the Client Export "Host Name Resolution" to be that of the ddns service that it lists, rather than the default "Interface IP Address". That didn't help. I also tried changing the server setting under "Tunnel Settings" - "IPv4 Local network(s)" to be the specific IP Address /32 of the computer I want access to. That doesn't help either. I'm lost. Any pointers?
-
@hansolo77 said in Access a Windows Remote Desktop that is behind a pfSense OpenVPN Client?:
It wants to use 192.168.0.50,
Well yeah that would never work from the internet. When you export the config for your vpn connection..
Does your pfsense have a public WAN address? Or is it behind a NAT? If you set it up to use the WAN interface and you export, it would have that interface's IP.
If you're behind a NAT, and the pfsense WAN IP is RFC1918, you would need to use "Other" or the ddns address that points to your public IP, and you have to have forwarded to the pfsense WAN address on the device in front of pfsense.
-
@johnpoz The pfSense router is definitely not with a public WAN. My modem is, which is one of those combination modem/router/switch/wifi/telephone devices (hence I wanted to go with a new pfSense router). To keep things as simple as possible, I have the modem configured with 192.168.0.50 as a reserved IP for the pfSense, and on the modem that is set up as DMZ with no firewalls. On the pfSense, its WAN IP is that 192.168.0.50, but the internal IP to access that is of the 10.27.xx.xx range.
I currently use the free NO-IP ddns, and have my address as "blankblank".ddns.net. The Dynamic DNS service on pfSense is properly identifying the modem's IP address from the ISP.
Currently, my tablet has 2 entries for RDP. One is for direct access when I'm at home. It uses the IP address I've statically assigned, with the port I've configured. The other RDP entry is for when I'm remote. It uses the address as "blankblank.ddns.net:rdp-port". After spending a few days messing around with NAT and port forwarding, outbound, etc. I've got that much working. I can connect to the computer remotely and locally, with IPVanish VPN client running.
Now when doing my own VPN server, it seems to just want to connect to the IP address the modem is giving the router, not the dynamic DNS. If I understand correctly, the idea is to get to a point where I can remove the RDP port from the firewall rules in pfSense, and just use my 1 entry for RDP as if I was local. Problem is, I can't get the OpenVPN client to connect to the server.
I did try editing the .ovpn client file and change the "remote" IP address from that 192.168.0.50 to just blankblank.ddns.net but it still didn't work. I'm going to try resetting stuff back to before I started messing with my own OpenVPN server and see if I can make it work from scratch again. I watched a bunch of videos and something might have been messed up somewhere along the way. I really like that backup/restore option. Make one part work and backup, something breaks, restore to when it was working. :)
-
I've gotten farther!
I can now connect, with my cell phone, to the OpenVPN server on pfSense! I had no problem making it work after watching some videos over again. Without changing anything, I can download the .ovpn file to my tablet and connect (when on the same network). I changed the option in the Client Export Utility "Host Name Resolution" from "Interface IP Address" to the one listed as my "blankblank".ddns.net. That didn't work. I'm over here scratching my head as to why. I edited the file, and saw it changed the remote address to the correct hostname. So what gives? I then did another test, where I used the "Other" option, and typed in the IP address from my ISP. Now it connects! So something is wrong with the DDNS. I've noticed this a few times, and I think I might have it figured out. pfSense is reporting the correct, ISP provided, IP address. But, when I look at the logs in the OpenVPN Connect app, it shows it's resolving the DNS for the hostname to that of my IPVANISH address. It's so aggravating. Then I remembered that before doing all of this, I had an IP address reporting application installed on my computer, to constantly keep my dynamic information up to date. I never turned it off since installing pfSense and using its methods. So every time IPVANISH was engaged, it would change the IP address on my computer, and thus update the IP address to NO-IP. Problem may be solved! I got some further testing to do...
EDIT
I guess I was wrong. Even with that extra desktop app uninstalled, it still is resolving the IP address of my ddns to that of my IPVANISH VPN client. Uhg.
-
@hansolo77 yeah use the IP address that blankblank.ddns.net points to.. in your openvpn conf file for your client.
But you're going to have to forward the port you're using for your vpn, default 1194, to your pfsense WAN IP.
Can not stress enough it is a horrible horrible idea to directly expose rdp to the public internet..
-
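A small check for the two failure modes this thread runs into: an exported client config whose `remote` is the RFC1918 pfSense WAN address (unreachable from the internet), and a DDNS name that was updated from behind the provider VPN and so resolves to the VPN exit address. This is an added example, not code from any poster or from pfSense; the IP addresses are constructed documentation-range values, and the `blankblank.ddns.net` lookup table stands in for a live DNS query so the script runs offline.

```python
import ipaddress
import re

# Constructed sample addresses (RFC 5737 documentation ranges), not the poster's real ones.
ISP_PUBLIC_IP = "203.0.113.10"   # what the modem gets from the ISP
VPN_EGRESS_IP = "198.51.100.77"  # what the LAN appears as while the IPVanish client is up
# Constructed stand-in for DNS: what blankblank.ddns.net currently resolves to.
DNS_FIXTURE = {"blankblank.ddns.net": ISP_PUBLIC_IP}

# Constructed client-export fragments for the three Host Name Resolution choices in the thread.
OVPN_INTERFACE_IP = "client\ndev tun\nremote 192.168.0.50 1194 udp\n"   # "Interface IP Address"
OVPN_DDNS = "client\ndev tun\nremote blankblank.ddns.net 1194 udp\n"    # DDNS hostname
OVPN_OTHER = "client\ndev tun\nremote 203.0.113.10\n"                   # "Other", port defaulted

# RFC1918 space: a pfSense WAN in one of these sits behind the modem's NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_remotes(ovpn_text):
    """Return (host, port) for every 'remote' directive; OpenVPN defaults the port to 1194."""
    found = []
    for line in ovpn_text.splitlines():
        m = re.match(r"^\s*remote\s+(\S+)(?:\s+(\d+))?", line)
        if m:
            found.append((m.group(1), int(m.group(2) or 1194)))
    return found


def classify(resolved_ip, public_ip, vpn_ip):
    """Say whether a resolved 'remote' address can be reached from outside the LAN."""
    addr = ipaddress.ip_address(resolved_ip)
    if any(addr in net for net in RFC1918):
        return "private"      # unreachable from the internet; re-export with DDNS or "Other"
    if addr == ipaddress.ip_address(vpn_ip):
        return "vpn-egress"   # DDNS was updated from behind the tunnel and points at the provider
    if addr == ipaddress.ip_address(public_ip):
        return "ok"           # reachable, provided the modem forwards the port to the pfSense WAN
    return "stale"            # DDNS record has not caught up with the current ISP address


def check_config(ovpn_text, dns, public_ip, vpn_ip):
    """Classify every remote in an exported .ovpn using a resolver lookup table."""
    results = []
    for host, port in parse_remotes(ovpn_text):
        try:
            resolved = str(ipaddress.ip_address(host))  # literal IP written into the config
        except ValueError:
            resolved = dns.get(host)                    # hostname: consult the resolver
        verdict = "unresolvable" if resolved is None else classify(resolved, public_ip, vpn_ip)
        results.append((host, port, verdict))
    return results
```

Run it against a real export by swapping `DNS_FIXTURE` for a lookup of the hostname and `ISP_PUBLIC_IP` for the address pfSense shows on its WAN interface.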
@johnpoz I think I've got it now. I thought that by removing that IP Address updater program was all I needed to do, but it just wouldn't update again. After an hour it was still reporting that same IP Address I was getting from the IPVANISH VPN. So what I ended up doing was restoring my pfSense back to before I started messing with my own VPN server, and then went in and disabled the IPVANISH VPN. That ensured everything was still at a working state without the VPN running. I then did the whole shutdown and restart of the modem, pfSense, and the computer. After logging back into No-IP and seeing that the DNS was now pointing to my correct ISP IP, I re-enabled the IPVANISH VPN. Sat for a good 30 minutes or so, checking various "whatismyip" websites to confirm everything was connected with the protected IP. All looks good so far. No-IP now has not updated to the VPN IP. So I think my original hunch was right, it just needed a kick in the butt to reset.
I've since gone back and recreated the VPN server (called it HomeVPN), and established all the keys and a user. Downloaded the client using the blankblank.ddns.net address, and was able to finally connect with it! I even disabled all the wifi and used my phone and was able to connect to the pfSense VPN server!
WOO!! Busy day! :)
Now I just need to watch it to make sure it continues to work. So, in hindsight.. I think my biggest problem was the IPVANISH VPN and my computer updating its IP address to the dynamic dns host, causing me all kinds of headaches.
Going forward, just to make sure I'm right in the head here... I can disable (before completely removing) the port forwarded Remote Desktop ports and just connect to the computer directly right? Since I did modify the port in Windows Registry, I do still have to manually supply the port in my client. But since I'm tunneled now through the VPN, I don't have to expose those ports on the WAN anymore. Right?
-
@hansolo77 right, if you're going through your vpn server you do not need to have any port forwards for rdp on pfsense.
I assume since you were able to rdp to the box from the internet before that you adjusted the firewall on windows, or disabled it to allow that rdp.. So yeah it should just work through the vpn same as with your port forward. But now you don't have to worry about someone just hitting it from the internet.. They would have to be able to auth to your vpn, etc. etc. Which is pretty freak impossible..
-
@johnpoz Yup. I definitely see the advantages to the VPN server for using Remote Desktop. I just wish the whole setup was easier. Granted, there's a wizard in place to make it easier already. I think pfSense as a whole is just really difficult to learn / steep curve. It helps to be smart and know a thing or two before getting into it for sure.
I really appreciate the help. Even if I was able to figure it out on my own for the most part, getting some feedback and suggestions is always nice to see.
My next challenge, now that I have this working, is pfBlocker. When I first set up pfSense that was the first thing I installed. I practically killed my internet blocking so much stuff lol. Couldn't access hardly anything on the web because I was blocking international IPs. It was ok though, I was just learning. Then I started to work with this VPN stuff and decided it was more important than blocking stuff I'm used to seeing anyway. "Here's where the fun begins" - Anakin Skywalker. :p
-
@hansolo77 said in Access a Windows Remote Desktop that is behind a pfSense OpenVPN Client?:
I just wish the whole setup was easier
Well I would say the complete opposite - pfsense is so easy to use.. Then again I have been in the biz for like 30 years ;)
Don't worry, everyone starts somewhere, I just have a 30 year head start.. Well more than that, been interested and playing with IT since before there was really "IT" ;) Pet 20 computer at the library, and TRS-80 at home a bit later, and then commodore 64, etc.. Was fantastic when the 9600 baud modems came out, etc.
-
@johnpoz That's what I mean by being smart and knowing a thing or two. My history starts with my Dad having an Atari 800 computer when I was born, up until he got an Atari ST. We had a 300-baud modem. I was just too young to know about it and what it was. I remember Dad switching to PC and giving me his ST. Internet was still just text based, accessible through our local library's Freenet. I spent a LONG time in MUDs playing D&D type games that were more like Infocom's with chatrooms. Had a 9600-baud that grew to 14.4, 28.8, and finally 56k. Then we got Roadrunner when it was brand new, and we could hit 200k speeds. Then we moved and had to get DSL which was limited to 128k in our area. Crazy that now we're back to the original Roadrunner ISP that's now called Spectrum (or is it Charter?) and our speeds are pushing 300mbps. I'd love to get fiber 1Gb up/down but that's not available here. My pfSense though is running on a server I bought that has 8x10GB SFP+ ports. I'm loving it. ^_^
-
I agree, pfSense could be much easier. But it is not a consumer product, it is for the enterprise and those are the ones who are willing to pay the money it costs.