Netgate Discussion Forum
    pfsense as openvpn server behind fortigate 40F

    OpenVPN
    8 Posts 5 Posters 978 Views
    • dutchie

      Hello all,

      After using pfSense for more than a decade as my primary router, which worked perfectly,
      I have now gotten a new Fortigate 40F (to play with) as a new router.

      I am running some OpenVPN tunnels on the pfSense box (sitting behind the Fortigate)
      and I would like to get this working again, as my tunnels are currently not able to connect.

      Text layout of connections is:

      internet/dsl modem >> DMZ >> fortigate

      Fortigate has 3 connections that I can use for the VPN stuff:

      (1) WAN to the internet
      (2) my main LAN subnet >> connected to the LAN port on the pfSense box (DHCP on LAN turned off)
      (3) separate 172.16.x.y subnet to connect to the WAN side of pfSense

      Port forwarding works on the Fortigate, and I am seeing "hits" on the Virtual IP (port forward rule).

      I cannot get my tunnels to work.

      Could someone please help me?
    • viragomann @dutchie

      @dutchie said in pfsense as openvpn server behind fortigate 40F:

      Fortigate has 3 connections that I can use for the VPN stuff:

      (1) WAN to the internet
      (2) my main LAN subnet >> connected to the LAN port on the pfSense box (DHCP on LAN turned off)
      (3) separate 172.16.x.y subnet to connect to the WAN side of pfSense

      It's not gonna work this way.
      Connect only a single pfSense interface to the Forti.

      I assume the devices which you want to access over the VPN are connected to 2. So remove this from pfSense. Also remove the interface IP or disable the interface.

      I assume that you have already set the Fortigate 3 IP as default gateway on pfSense. Then nothing else should be necessary on pfSense to access LAN devices from your VPN.
      Just allow it on the Forti.

      If you also need to access the remote sites, go to the WAN settings and remove the "Block private networks" check.
      And on the Fortigate add static routes for the remote networks, point them to the pfSense WAN IP and allow the desired traffic.
    • dutchie

      Hello Viragomann,

      Thank you for taking the time to help me with this.

      Let me clarify a bit more on how it is running:

      Internet/dsl (modem has DMZ to WAN of Fortigate)
      Fortigate has multiple interfaces:

      1 for WAN
      1 for internal main LAN (192.168.0.x)
      1 acts as a WAN to the pfSense box

      The pfSense machine was my previous router, and currently I want to use it as my VPN server, because my tunnels are all OpenVPN based (older consumer routers flashed with DD-WRT to create an OpenVPN tunnel, which has worked flawlessly for the last years).

      As per your instructions, I've disabled the WAN interface on the pfSense box and added a static gateway (the internal IP of the Fortigate).

      The "block private networks" has already been done.

      Regarding the static networks: do you mean the tunnel network or the LAN side network on the other side needs to be filled in?

      Very much appreciate your help.
    • viragomann @dutchie

      @dutchie said in pfsense as openvpn server behind fortigate 40F:

      As per your instructions, I've disabled the WAN interface on the pfSense box and added a static gateway (the internal IP of the Fortigate).

      No, my instruction was to remove pfSense from the LAN.

      pfSense must not be connected to the same subnet as the devices you want to access from the VPN clients if it isn't the default gateway. Otherwise you would have to add static routes for the remote networks to any device you want to access.
    • dutchie

      Hello Viragomann,

      The VPN devices are not connected to the LAN,

      they are all outside of the LAN.

      The pfSense is connected to the LAN and has an IP in the subnet of my LAN.

      The devices that need to connect to the pfSense are the remote endpoints; they connect in as clients.
    • rafoponce

      @dutchie I just configured a pfSense OpenVPN server behind a Fortigate 60E. Basically I've done this:

      1. Create a subnet between pfSense WAN and FortiGate LAN (done, as I can see). You should be able to ping each other.
      2. Configure your pfSense default gateway to use the Forti IP.
      3. Create at least 2 Virtual IP entries:
      • VIP1: WAN Forti IP port 20443 >> pfSense WAN IP port 443, or the port that you use for web access
      • VIP2: WAN Forti IP port 1194 >> pfSense WAN IP port 1194. This is for OpenVPN access.
      4. Create a Firewall Policy to permit the cx from the pfSense LAN to the Internet (all).
      5. In your OpenVPN config file you wouldn't need to change your IP since it is the same one that you use on the Forti. Cx would reach the same IP on port 1194.

      Hope you get this thing done.
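The FortiGate side of the design viragomann and rafoponce describe (a port-forward VIP into a separate transit subnet, a static route for the tunnel network back to pfSense, and a policy that limits what VPN clients may reach on the LAN), as an added FortiOS CLI example that is not from any poster in this thread. The interface names "wan", "a" and "lan", the 172.16.10.0/24 transit subnet, the 10.8.0.0/24 tunnel network, the placeholder public IP 203.0.113.10 and OpenVPN on UDP 1194 are all assumptions.

```fortios
# Added example, not from the thread. Assumed: "wan" = internet port, "a" = port on the
# 172.16.10.0/24 transit subnet (FortiGate 172.16.10.1, pfSense WAN 172.16.10.2),
# "lan" = 192.168.0.0/24, tunnel net 10.8.0.0/24, public IP 203.0.113.10 (placeholder).
config firewall address
    edit "OpenVPN-Tunnel-Net"
        set subnet 10.8.0.0 255.255.255.0
    next
end
config firewall vip
    edit "VIP-pfSense-OpenVPN"
        set extintf "wan"
        set extip 203.0.113.10
        set mappedip "172.16.10.2"
        set portforward enable
        set protocol udp
        set extport 1194
        set mappedport 1194
    next
end
config router static
    # Return path: LAN hosts reply via their default gateway (the FortiGate),
    # which must know that the tunnel network lives behind pfSense.
    edit 0
        set dst 10.8.0.0 255.255.255.0
        set gateway 172.16.10.2
        set device "a"
    next
end
config firewall policy
    # The port-forward VIP as destination already limits matches to UDP 1194.
    edit 0
        set name "Internet-to-pfSense-OpenVPN"
        set srcintf "wan"
        set dstintf "a"
        set srcaddr "all"
        set dstaddr "VIP-pfSense-OpenVPN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # Only tunnel clients, not anything else on the transit subnet, may enter the LAN.
    edit 0
        set name "VPN-clients-to-LAN"
        set srcintf "a"
        set dstintf "lan"
        set srcaddr "OpenVPN-Tunnel-Net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

A further static route per remote site LAN, pointed at the same 172.16.10.2 gateway, extends this to the site-to-site case viragomann mentions.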
    • Gertjan @dutchie

      @dutchie said in pfsense as openvpn server behind fortigate 40F:

      The pfSense machine was my previous router, and currently I want to use it as my VPN server, because my tunnels are all OpenVPN based

      Yeah, ok, but wait: you also said:

      @viragomann said in pfsense as openvpn server behind fortigate 40F:

      (2) my main LAN subnet >> connected to the LAN port on the pfSense box (DHCP on LAN turned off)

      So, even when the pfSense based OpenVPN clients will connect just fine through any upstream router (your Fortigate, and any number of upstream ISP routers), you wind up with LANs that are not pfSense LANs, but are somewhere on the other side, on pfSense WAN.

      You are making your setup very strange.
      Fortigate can't handle OpenVPN?

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit: and where are the logs?
    • zachhcaz

      I have a setup behind a FortiGate and use a DMZ and a LAN for pfSense. So I'm not port forwarding from the internet into my LAN and can have a strict firewall policy on the WAN side, into the Fortigate DMZ \ pfSense WAN.

      Then the LAN side of pfSense is more of a transit network and not part of my actual LAN on the Fortigate, allowing me to also place explicit rules on what can cross into my LAN and other networks from the VPN connection.

      Internet > FortiGate(DMZ) > pfSense(WAN)
      pfSense(LAN\Transit) > Fortigate(Transit) > Fortigate LAN, Guest, IOT, NOT (Network of Things, no internet access) and more.

      You will need to be aware of port forwarding, firewall rules and routing to set this up correctly.

      I'm guessing your issue was port forwarding or firewall rules on the Fortigate.
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.