Netgate Discussion Forum

    Can't access to Proxmox from outside (OpenVPN client)

    • dvb

      Hi,

      I am testing a configuration in a homelab environment using Proxmox PVE + OpenVPN + pfSense.

      OpenVPN server is running fine on pfSense, client is connected, but I have an issue:

      This is working:

      • external client can connect to VM on vlan50.
      • external client can connect to WIFI AP on vlan444.

      This is NOT working:

      • external client can't connect to Proxmox VE -> KO

      Architecture:
      [image]

      OpenVPN fw rules:
      [image]

      In brief, the external OpenVPN client can access a physical device on vlan444, but not the pfsense VM on vlan444, despite access rules.

      I probably missed something in the configuration.
      Could you please help me find this?

      Thank you.

      • viragomann @dvb

        @dvb said in Can't access to Proxmox from outside (OpenVPN client):

        This is NOT working:

        external client can't connect to Proxmox VE -> KO
        

        but not to pfsense VM on vlan444

        Proxmox or pfSense?

        If it's Proxmox, ensure that it uses pfSense as default gateway or masquerade the traffic to it.

        • dvb @viragomann

          @viragomann said in Can't access to Proxmox from outside (OpenVPN client):

          Proxmox or pfSense?

          Proxmox

          @viragomann said in Can't access to Proxmox from outside (OpenVPN client):

          If it's Proxmox, ensure that it uses pfSense as default gateway or masquerade the traffic to it.

          Sorry, it's not clear enough to me.
          This rule must authorize traffic from external client to Proxmox:

          [image]
          [image]

          Here is gateway configuration from Proxmox:
          [image]
          [image]

          Could you explain what I need to add?

          • viragomann @dvb

            @dvb said in Can't access to Proxmox from outside (OpenVPN client):

            Sorry, it's not clear enough to me.
            This rule must authorize traffic from external client to Proxmox:

            In fact, and I was not in doubt of that.

            Here is gateway configuration from Proxmox:

            Well, 172.16.10.254 is the gateway on Proxmox, but without knowing which device this IP is assigned to, this information is pretty useless.

            Could you explain what I need to add?

            This depends on what you want to achieve. If the gateway is not pfSense and you want to keep this, then you can masquerade the traffic to Proxmox with an outbound NAT rule.

            • dvb @viragomann

              @viragomann

              Here is an updated schematic with more information:
              [image]

              I retried to connect these 2 devices:

              • I checked OpenVPN rules
                [image]

              • Rules are identical, and devices are on the same vlan.

              • Proxmox uses pfSense as default gateway
                [image]

              -> OpenVPN client -> VM Proxmox (172.16.10.21) -> KO
              -> OpenVPN client -> physical device (172.16.10.100) -> OK

              At this point:

              • I don't understand why traffic can reach 172.16.10.100, but not 172.16.10.21.
              • Do you confirm it could be solved by adding a rule here?
                [image]
              • viragomann @dvb

                @dvb
                So the only reason for this I can think of is that Proxmox itself blocks access from outside by its own firewall.

                But yes, a masquerading (outbound NAT) rule can also circumvent such firewall restriction.

                Enable the outbound NAT hybrid mode.
                Add a rule:
                interface: vlan444
                source: 10.10.10.0/24 (OpenVPN tunnel network)
                destination: 172.16.10.21 (Proxmox)
                translation: vlan444 address

                • dvb @viragomann

                  @viragomann
                  It's working, thanks a lot !

                  I've a few questions about this configuration.

                  1. Firewall / NAT / Outbound
                    I configured Destination with IP 172.16.10.21, but pfSense registered it as a network. It seems this setup is using only networks, no individual IP. -> No problem with that?
                    Set-up:
                    [image]
                    Results:
                    [image]

                  2. Outbound vs OpenVPN
                    I summarize because it could help other users:

                  • To access a vlan or a device (except Proxmox)
                    - A single rule in OpenVPN does the job.

                  • To access the Proxmox server
                    - A first rule in OpenVPN
                    - A second rule in Outbound (to circumvent fw restriction).
                    -> Are you OK with this summary?

                  • viragomann @dvb

                    @dvb said in Can't access to Proxmox from outside (OpenVPN client):

                    I configured Destination with IP 172.16.10.21, but pfSense registered it as a network. It seems this setup is using only networks, no individual IP. -> No problem with that?

                    To limit the rule to a single IP, enter the IP with a /32 mask.

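A simplified model of the outbound NAT rule discussed in the two answers above, added here as an illustration and not code from pfSense or from either poster. It shows which source address each vlan444 host sees with no rule, with the destination limited to /32, and with a /24 destination. Assumptions: the vlan444 subnet is 172.16.10.0/24, pfSense's vlan444 address is 172.16.10.254, the client's tunnel IP is 10.10.10.2, and the Proxmox firewall accepts only local-subnet sources.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values, not confirmed in the thread:
VLAN444_ADDR = ipaddress.ip_address("172.16.10.254")  # pfSense address on vlan444
VLAN444_NET = ipaddress.ip_network("172.16.10.0/24")  # vlan444 subnet
CLIENT = "10.10.10.2"                                 # constructed tunnel IP

@dataclass(frozen=True)
class OutboundNatRule:
    interface: str
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network

    def matches(self, out_if, src, dst):
        return (out_if == self.interface
                and src in self.source and dst in self.destination)

def make_rule(destination):
    # strict=False mirrors entering a host IP with a network mask:
    # 172.16.10.21/24 becomes the network 172.16.10.0/24.
    return OutboundNatRule("vlan444", ipaddress.ip_network("10.10.10.0/24"),
                           ipaddress.ip_network(destination, strict=False))

def seen_source(rules, src, dst, out_if="vlan444"):
    """Source address the destination host sees; first matching rule wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(out_if, src, dst):
            return str(VLAN444_ADDR)  # translation: vlan444 address
    return str(src)

def proxmox_accepts(src):
    """Hypothetical Proxmox firewall policy: only local-subnet sources."""
    return ipaddress.ip_address(src) in VLAN444_NET

def seen_sources(rules):
    return {dst: seen_source(rules, CLIENT, dst)
            for dst in ("172.16.10.21", "172.16.10.100")}

if __name__ == "__main__":
    for label, rules in (("no rule", []),
                         ("dest /32", [make_rule("172.16.10.21/32")]),
                         ("dest /24", [make_rule("172.16.10.21/24")])):
        seen = seen_sources(rules)
        print(label, seen, "Proxmox accepts:", proxmox_accepts(seen["172.16.10.21"]))
```

With the rule in place, the translated host sees pfSense's vlan444 address instead of the client's tunnel IP, so per-client attribution has to come from the pfSense and OpenVPN logs. The /32 destination keeps that loss of source visibility confined to Proxmox.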
                    • dvb @viragomann

                      @viragomann said in Can't access to Proxmox from outside (OpenVPN client):

                      To limit the rule to a single IP, enter the IP with a /32 mask.

                      Effectively !
                      Thanks again for your support.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.