Netgate Discussion Forum
    set up pfSense as additional gateway into VPNs

    Category: OpenVPN (37 Posts, 2 Posters, 4.1k Views)
      sgw @sgw
      last edited by sgw

      What I see and what looks suspicious:

      the Default Gateway IPv4 on the ovpn-server-side points to a specific gateway and is not set to "Automatic".

      For all the other clients it works but the routing for this one client is wrong:

      when I mtr from the server to the client side the packets are sent to def gw and not into the ovpn-tunnel

        viragomann @sgw
        last edited by

        @sgw
        As mentioned, client sites networks have to be specified once in the server settings at "remote networks" and again in the CSO.

        If they are missed in the server settings pfSense doesn't add routes.

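The double declaration viragomann describes maps onto two OpenVPN directives: a `route` line in the server config (which is what makes pfSense install a kernel route into the tunnel) and an `iroute` line in the client's CSO, which tells OpenVPN which connected client owns that subnet. The following checker is an added example, not pfSense code or the forum author's; it parses constructed config text and flags networks that are present on only one side. The config path and the sample subnets are made up for the demonstration.

```python
"""Cross-check OpenVPN server `route` lines against CSO `iroute` lines.

Added example with constructed sample data; not pfSense's own code.
A client-side network needs both entries: without `route` the server has
no kernel route into the tunnel, without `iroute` OpenVPN cannot pick the
client that owns the subnet.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: what pfSense generates from "IPv4 Remote network(s)"
# (the `route` lines) plus two CSO files. Paths and addresses are invented.
SERVER_CONF = """\
dev ovpns2
server 10.0.8.0 255.255.255.0
route 192.168.8.0 255.255.255.0
route 192.168.9.0 255.255.255.0
client-config-dir /var/etc/openvpn/server2/ccd
"""

CSO_FILES: Dict[str, str] = {
    "site-a": "iroute 192.168.8.0 255.255.255.0\nifconfig-push 10.0.8.10 255.255.255.0\n",
    "site-b": "iroute 192.168.10.0 255.255.255.0\n",  # no matching `route` on the server
}


def _nets(text: str, keyword: str) -> List[ipaddress.IPv4Network]:
    """Collect `<keyword> <network> <netmask>` lines as ip_network objects."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == keyword:
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def check_routes(server_conf: str, cso_files: Dict[str, str]) -> List[str]:
    """Return one finding per inconsistency between `route` and `iroute` entries."""
    routed = set(_nets(server_conf, "route"))
    claimed: Dict[ipaddress.IPv4Network, List[str]] = {}
    for name, body in cso_files.items():
        for net in _nets(body, "iroute"):
            claimed.setdefault(net, []).append(name)

    findings = []
    for net in sorted(claimed):
        owners = claimed[net]
        if net not in routed:
            findings.append(
                f"{net}: iroute in CSO {owners} but no 'route' in server config; "
                "kernel route into the tunnel is missing"
            )
        if len(owners) > 1:
            findings.append(f"{net}: iroute claimed by several CSOs {owners}")
    for net in sorted(routed):
        if net not in claimed:
            findings.append(
                f"{net}: 'route' in server config but no CSO has an iroute; "
                "OpenVPN cannot pick a client for it"
            )
    return findings


if __name__ == "__main__":
    for finding in check_routes(SERVER_CONF, CSO_FILES):
        print(finding)
```

On a real pfSense box the same comparison can be made against the generated server config and the CSO directory it names in `client-config-dir`; the sample above deliberately contains one network missing on each side so both findings appear.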
          sgw @viragomann
          last edited by

          @viragomann

          I don't see where to add that, and I didn't do that for the other clients.

          VPN/ Server/ OpenVPN/ Servers/ Edit ?

          used Search in Browser, not found ;-)

            sgw @sgw
            last edited by sgw

            currently it seems to work after adding a NAT outbound rule on the client

            OpenVPN 192.168.8.0/24 * 192.168.1.0/24

            we test now

              sgw @sgw
              last edited by

              That outbound rule editing changed something, as if there was something changed under the hood.

              Right now the admin there is able to access systems on the other side of the tunnel, as intended.

              Nothing changed on the OpenVPN server, btw.

              That NATing isn't fully correct still

              What I'd like to have:

              • server side IP should be able to ping a PC on the client side
              • server side VM should be able to access a system on the client side, with a mapped IP in the client LAN

              currently I have this, and rebooted for a check, the admin is able to access a server VM via RDP: GREAT, but not 100% yet ;-)


              THANKS so far, I think I need some time afk now soon

                viragomann @sgw
                last edited by

                @sgw
                Yeah, outbound NAT rules (masquerading) can be used to circumvent missing routes.
                I'd rather set the routes properly, but it depends on the use case.

                  sgw @viragomann
                  last edited by sgw

                  @viragomann I agree but I repeat: where to set these routes? See question above. Thanks.

                    viragomann @sgw
                    last edited by

                    @sgw
                    The "Remote networks" field is only available in peer to peer server mode. But this is what you should set up for your use case.

                      sgw @viragomann
                      last edited by

                      @viragomann Ah, that explains why it feels like barking up the wrong tree ;-)

                      I hope I can run that in parallel to the other openvpn-server? (separate port, sure).

                      Thanks so far, have a nice weekend!

                        viragomann @sgw
                        last edited by

                        @sgw
                        Yes, of course you can run multiple OpenVPN servers for different purposes.

                          sgw @viragomann
                          last edited by sgw

                          I set that up on the server site pfSense.

                          For the peer to peer VPN there is no Client Export, so I assume I have to set up a Server on the other site as well, also in Peer2Peer-Mode? For sure I browse the docs in a minute.

                          looking forward to solve this ;-)

                          EDIT: I see, seems I can follow this for example. So not a 2nd server but a specific client config. Will try Monday or so.

                            sgw @sgw
                            last edited by sgw

                            I have it working mostly.

                            One more question: I found out that CSCs won't work for peer-to-peer-OpenVPN?

                            What is the way to limit access then?

                            If I have multiple vpn-users connecting to one ovpn-server I could only set fw-rules on the client-side of the vpn-tunnel, right?

                            thanks for additional insights here, I am right before setting up the 2nd client to test things in parallel (for sure with a 2nd user etc ;-) )

                            EDIT: CSC seems to work .. dunno where their admin had that info. Still testing things, good progress.

                              sgw @sgw
                              last edited by

                              The CSC seems to work when assigning a specific tunnel IP to the client.

                              But it seems not to work for setting (all) the routes, and for limiting the access:

                              The wish would be to set only one IP for the client to be routed etc

                              I solved it for now by adding fw-rules on the OpenVPN-interface on the server side:

                              • allow traffic from tunnel-IP x.y to server-VM a.b.c
                              • reject traffic from tunnel-subnet to rest of server-LAN

                              Seems to work right now, suggestions welcome ;-)

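The two OpenVPN-interface rules in the post above rely on pfSense evaluating rules top to bottom, first match wins, with an implicit default deny at the end. The following is an added example (not pfSense code and not its rule engine) that replays that semantics over constructed addresses: the client's CSO-assigned tunnel IP, the server VM, the server LAN and the tunnel subnet are all invented, and the sample traffic shows what each rule order decides.

```python
"""Replay pfSense-style first-match rule evaluation for the two tunnel rules.

Added example with constructed addresses; not pfSense code. It checks that
the "allow tunnel-IP -> server VM" rule must sit above the
"reject tunnel subnet -> server LAN" rule, and that everything else falls
through to the interface's implicit default deny.
"""
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Rule = Tuple[str, Net, Net]  # (action, source network, destination network)

# Constructed values standing in for the post's "x.y" and "a.b.c".
TUNNEL_NET = ipaddress.ip_network("10.0.8.0/24")      # OpenVPN tunnel subnet
CLIENT_TUN_IP = ipaddress.ip_network("10.0.8.10/32")  # tunnel IP fixed via the CSO
SERVER_VM = ipaddress.ip_network("192.168.1.50/32")   # the one VM the client may reach
SERVER_LAN = ipaddress.ip_network("192.168.1.0/24")   # rest of the server-side LAN

# Rule order as described in the post: allow first, then reject.
RULES: List[Rule] = [
    ("pass", CLIENT_TUN_IP, SERVER_VM),
    ("reject", TUNNEL_NET, SERVER_LAN),
]


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """First matching rule decides; no match means the interface default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "default-deny"


def audit(rules: List[Rule]) -> dict:
    """Decisions for the traffic a practitioner would want to verify."""
    cases = {
        "client -> server VM": ("10.0.8.10", "192.168.1.50"),
        "client -> other LAN host": ("10.0.8.10", "192.168.1.20"),
        "other tunnel client -> server VM": ("10.0.8.11", "192.168.1.50"),
        "client -> some other subnet": ("10.0.8.10", "192.168.8.1"),
    }
    return {name: evaluate(rules, s, d) for name, (s, d) in cases.items()}


if __name__ == "__main__":
    print("post's order:   ", audit(RULES))
    # Swapping the two rules makes the broad reject shadow the narrow allow.
    print("reject on top:  ", audit(list(reversed(RULES))))
```

The reversed ordering is the mistake worth checking for when rules are added later: the broader reject rule shadows the narrow allow and the intended RDP access silently stops working, while the other decisions stay the same.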
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.