Netgate Discussion Forum

OpenVPN questions and issues

15 Posts 3 Posters 4.7k Views
  • G
    GruensFroeschli
    last edited by Jun 23, 2009, 9:19 AM

    So you did assign the OpenVPN interface first under firewall->assign?

    We do what we must, because we can.

    Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

    • L
      LordZ
      last edited by Jun 23, 2009, 9:57 AM

      No, I did not… I use 1.2.2 now and guess this is impossible at the moment.

      • G
        GruensFroeschli
        last edited by Jun 23, 2009, 10:06 AM

        Well, if I'm right this would already be possible with 1.2.3 and you don't have to wait for 2.0 (which is still at least a year away until we first see a beta/RC).
        Since 1.2.3 is RC it won't be long until its status will be changed to RELEASE.

        But you still didn't answer why you want to NAT into the tunnel in the first place :)

        • L
          LordZ
          last edited by Jun 23, 2009, 12:24 PM

          I have 3 shops in the city; they all now have a direct connection to the internet and connect to RDP via port redirection. I am working on installing VPN clients on them and want to direct all their traffic via the main office gateway, on which I have installed squid as a transparent proxy with squid guard to filter their traffic and not allow them to access unwanted sites during working hours.

          • G
            GruensFroeschli
            last edited by Jun 23, 2009, 12:43 PM

            I don't see why you would need NAT for this.
            The push "redirect-gateway" should take care that nothing goes directly to the internet.

            Or what was your idea behind NATing everything?

            • L
              LordZ
              last edited by Jun 23, 2009, 2:45 PM

              They need the internet but don't need access to different sites like dating, social networks, etc… I have already done this for the main office and indeed the option push gateway routes everything to the VPN, but then they have no Internet.

              • G
                GruensFroeschli
                last edited by Jun 23, 2009, 2:52 PM Jun 23, 2009, 2:50 PM

                Well, you need an OUTBOUND NAT rule.

                @http://forum.pfsense.org/index.php/topic:

                Every locally connected subnet, whether defined and reachable via a static route or attached to a LAN or OPT interface, will have its outbound traffic leaving any WAN interfaces NATed to that WAN interface's IP. You can change this behavior by enabling Advanced Outbound NAT (AON) but this is usually unnecessary and adds unneeded complexity.
                For OpenVPN if you want the OpenVPN subnet NAT'ed to WAN, you will have to use AON.

                (screenshots to clarify: http://forum.pfsense.org/index.php/topic,7693.0.html )
                This might create a problem for FTP with multiWAN
                more here: http://forum.pfsense.org/index.php/topic,7096.msg40810.html#msg40810

                So you don't want to actually NAT "INTO" the tunnel, but NAT "FROM" the tunnel.
                This already works perfectly.

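Added example, not part of the original thread and not pfSense's own code: a Python check of the point made in the post above, that the OpenVPN tunnel subnet gets no outbound NAT on WAN until an AON rule is added for it. The rule text is written in the style of `pfctl -sn` output; the interface name `em0` and both subnets are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in the style of `pfctl -sn` output; the interface name
# and addresses are assumptions, not values from the thread.
SAMPLE_RULES = """\
nat on em0 inet from 192.168.1.0/24 to any -> (em0) port 1024:65535
nat on em0 inet from 192.168.1.0/24 port = 500 to any port = 500 -> (em0) port 500
"""

NAT_RE = re.compile(r"^nat on (?P<iface>\S+)(?: inet6?)? from (?P<src>\S+)")

def nat_sources(rules_text, wan_iface):
    """Return the source networks that have an outbound NAT rule on wan_iface."""
    nets = []
    for line in rules_text.splitlines():
        m = NAT_RE.match(line.strip())
        if not m or m.group("iface") != wan_iface:
            continue
        src = m.group("src")
        if src == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            continue
        try:
            nets.append(ipaddress.ip_network(src, strict=False))
        except ValueError:
            continue  # table or alias name: cannot be resolved offline
    return nets

def uncovered(subnets, rules_text, wan_iface):
    """List the subnets that no NAT rule on wan_iface fully covers."""
    nat_nets = nat_sources(rules_text, wan_iface)
    missing = []
    for s in subnets:
        net = ipaddress.ip_network(s)
        if not any(net.subnet_of(n) for n in nat_nets if n.version == net.version):
            missing.append(s)
    return missing

if __name__ == "__main__":
    lan, tunnel = "192.168.1.0/24", "10.0.8.0/24"  # constructed subnets
    # Only the LAN has a NAT rule: the tunnel subnet is reported as missing.
    print(uncovered([lan, tunnel], SAMPLE_RULES, "em0"))
    # After adding a rule for the tunnel subnet, nothing is missing.
    fixed = SAMPLE_RULES + "nat on em0 inet from 10.0.8.0/24 to any -> (em0)\n"
    print(uncovered([lan, tunnel], fixed, "em0"))
```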
                • L
                  LordZ
                  last edited by Jun 23, 2009, 9:43 PM

                  Thanks, it helped a lot; everything is clear to me now. But now when I connect to the server via VPN I have access to all the sites. Is there a way to push all the traffic into squid?

                  • G
                    GruensFroeschli
                    last edited by Jun 23, 2009, 10:30 PM

                    Not sure on that.
                    I don't really know squid.
                    You probably need to configure it so it listens on the OpenVPN interface as well.

                    You will most likely find more help on this if you open a new thread in the packages subforum.

                    • L
                      LordZ
                      last edited by Jun 25, 2009, 6:40 AM

                      This is solved. I managed to have the remote clients go thru the office gateway and the Win XP machine had as default gateway the old gateway in the office.
