Netgate Discussion Forum
    OpenVPN questions and issues

    OpenVPN
• LordZ

Hello all. I have set up OpenVPN using the Road Warrior guide. It works OK, but I have some questions and issues. First of all, I have 3 remote points and I want to make it so that when they connect to the VPN, all their Internet traffic is directed to the main office gateway. Another issue for me is that when I am connected to the VPN gateway, I want to see the internal office Windows workgroup.

If this has already been discussed here, please don't blame me for raising these issues again. Thanks a lot.

• Cry Havok

For the first: that's just a matter of pushing the relevant routes and is covered by the OpenVPN documentation.

For the second: that's a Windows networking problem. You'll need to make use of WINS servers if you want browsing to work.

• LordZ

Thanks a lot. I had already discovered it last night, but didn't reply here.

But when I put the option push "redirect-gateway", it indeed makes all traffic go to the OpenVPN, but how can I make the NATing to the OpenVPN subnet?

For the other issue I will have to work on it, because I don't use WINS on my network.

I have discovered one more issue.

On my network I have 3 servers.

Two Windows 2003 servers that are used as Terminal Servers for an accounting application. They work perfectly: pinging and connecting an RDP session.

The third server is a Win XP machine providing folder sharing... I know this is stupid, but it was left by the old system administrator and has a lot of data on it, so there is no way to reinstall it now.

So this machine doesn't ping and there is no RDP connection to it when trying to reach it from the VPN client... but when connected through RDP to the Win2003 machines, it does ping and work. I can also ping it when I SSH to pfSense. Any thoughts about this?

Thanks a lot.

• GruensFroeschli

@LordZ:

But when I put the option push "redirect-gateway", it indeed makes all traffic go to the OpenVPN, but how can I make the NATing to the OpenVPN subnet?

Not.
It's not possible to NAT into the VPN tunnel (currently; it should be possible with 2.0).
Though you can do the opposite -> NAT everything from the tunnel to the IP of the pfSense.

Why would you want to NAT something going into the tunnel?

Your issue with the Windows XP machine sounds like the firewall on the XP machine itself is activated (or some other firewall).

Edit: now that I think about it...
With 1.2.3 it's possible to create firewall rules for the OpenVPN interface.
I'm not sure if this works, but if you follow the instructions to set up firewall rules for the OpenVPN interface, the OpenVPN interface "should" be treated like a normal interface, meaning that after you assign it, it should show up in the dropdown list of the NAT rules.

To create an outbound NAT rule, go to Firewall --> NAT --> Outbound and activate "manual outbound rules". Then you can specify below your own rules for how traffic should be NATed.
Creating a rule with the OpenVPN interface as Interface, source any, destination any "should" do the trick (if this even works... I'm just speculating here).

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

• LordZ

Guess I will wait for the 2.0 version... hope it will be released soon... I tried the manual outbound NAT but it doesn't work.

• GruensFroeschli

So you did assign the OpenVPN interface first under Firewall --> Assign?

• LordZ

No, I did not... I use 1.2.2 now and guess this is impossible at the moment.

• GruensFroeschli

Well, if I'm right this would already be possible with 1.2.3 and you don't have to wait for 2.0 (which is still at least a year away until we first see a beta/RC).
Since 1.2.3 is RC, it won't be long until its status is changed to RELEASE.

But you still didn't answer why you want to NAT into the tunnel in the first place :)

• LordZ

I have 3 shops in the city. They all now have a direct connection to the Internet and connect to RDP via port redirection. I am working on installing VPN clients on them and want to direct all their traffic via the main office gateway, on which I have installed squid as a transparent proxy with squidGuard to filter their traffic and not allow them to access unwanted sites during working hours.

• GruensFroeschli

I don't see why you would need NAT for this.
The push "redirect-gateway" should take care that nothing goes directly to the Internet.

Or what was your idea behind NATing everything?

• LordZ

They need the Internet but don't need access to different sites like dating, social networks, etc... I have already done this for the main office, and indeed the push gateway option routes everything to the VPN, but then they have no Internet.

• GruensFroeschli

Well, you need an OUTBOUND NAT rule.

@http://forum.pfsense.org/index.php/topic:

Every locally connected subnet, whether defined and reachable via a static route or attached to a LAN or OPT interface, will have its outbound traffic leaving any WAN interfaces NATed to that WAN interface's IP. You can change this behavior by enabling Advanced Outbound NAT (AON), but this is usually unnecessary and adds unneeded complexity.
For OpenVPN, if you want the OpenVPN subnet NATed to WAN, you will have to use AON.

(screenshots to clarify: http://forum.pfsense.org/index.php/topic,7693.0.html )
This might create a problem for FTP with multi-WAN;
more here: http://forum.pfsense.org/index.php/topic,7096.msg40810.html#msg40810

So you don't actually want to NAT "INTO" the tunnel, but NAT "FROM" the tunnel.
This already works perfectly.

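The two pieces the thread settles on, pushing the tunnel as the clients' default route (plus the DNS/WINS hint from the earlier reply about workgroup browsing) and an outbound NAT rule for traffic leaving the tunnel towards WAN, are shown below as an added example. It is not configuration from the thread, from pfSense or from the squid package; it is the hand-written OpenVPN and pf equivalent of what the GUI steps above produce. Everything concrete is assumed: tunnel subnet 10.0.8.0/24, office LAN 192.168.1.0/24, WAN interface em0, OpenVPN interface ovpns1, DNS on 192.168.1.1, WINS on 192.168.1.10, squid listening on 127.0.0.1:3128.

```conf
# ---- OpenVPN server config fragment (assumed addressing) ----
server 10.0.8.0 255.255.255.0

# Weak: only the office LAN is routed through the tunnel. Everything
# else still leaves the shop's own Internet connection, so the
# transparent squid/squidGuard in the office never sees it.
#push "route 192.168.1.0 255.255.255.0"

# Corrected: make the tunnel the client's default route. "def1" adds
# two /1 routes on top of the client's existing default instead of
# replacing it, so the route to the VPN server's public IP survives.
push "redirect-gateway def1"

# Name resolution through the office. WINS is what NetBIOS workgroup
# browsing needs; plain \\server\share by name works on DNS alone.
# Note: OpenVPN only applies dhcp-option pushes on Windows clients.
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option WINS 192.168.1.10"

# ---- pf rules on the pfSense box (assumed interface names) ----
# NAT FROM the tunnel, not into it. Without this rule tunnel traffic
# leaves em0 with a 10.0.8.x source, the ISP drops it, and the
# clients "have no Internet" exactly as described above.
nat on em0 from 10.0.8.0/24 to any -> (em0)

# Transparent proxy for the tunnel clients: intercept HTTP arriving
# on the OpenVPN interface and hand it to squid on the firewall.
# squidGuard then filters it like LAN traffic. HTTPS (443) is not
# intercepted here; filtering it needs a different approach.
rdr on ovpns1 proto tcp from 10.0.8.0/24 to any port 80 -> 127.0.0.1 port 3128

# Allow the tunnel clients in (LAN, Internet, and the redirected port).
pass in on ovpns1 from 10.0.8.0/24 to any
```

Two checks worth doing after applying this: from a connected client, `tracert 8.8.8.8` (or `traceroute`) should show the tunnel address as the first hop, and `pfctl -sn` on the firewall should list the `nat on em0 from 10.0.8.0/24` entry. If the NAT line is missing, the symptom is precisely "everything routes through the VPN but there is no Internet".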
• LordZ

Thanks, it helped a lot; everything is clear to me now. But now when I connect to the server via VPN I have access to all the sites. Is there a way to push all the traffic into squid?

• GruensFroeschli

Not sure on that.
I don't really know squid.
You probably need to configure it so it listens on the OpenVPN interface as well.

You will most likely find more help on this if you open a new thread in the packages subforum.

• LordZ

This is solved. I managed to have the remote clients go through the office gateway, and the Win XP machine had the old office gateway set as its default gateway.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.