Netgate Discussion Forum
    Need help with routings/rules? (pfsense as openvpn client)

    Category: OpenVPN
    6 Posts, 3 Posters, 5.1k Views
    • soul710

      Hi all,

      I'm trying to set up my pfSense to connect as an OpenVPN client to our company's OpenVPN server. The connection itself, including PKI authorization, works. The OpenVPN logs in the web GUI look fine, and when SSH-ing into the pfSense, I can ping/SSH/reach company network hosts.
      I can, however, not reach anything on the remote subnet from my local network clients; I can only access it directly from the pfSense machine.

      Now, I'm a bit confused about how the routes and firewall rules should look in order to enable any client in my local network to access the remote network.

      The configuration is like this:

      local network (10.0.0.0) --- pfSense (router/OpenVPN client, 10.0.0.1) --- local VPN endpoint (10.0.1.210) --- WAN --- remote endpoint (10.0.1.209) --- remote network (192.168.0.0)

      The routing table on my pfSense is:

      Internet:
      Destination                  Gateway                      Flags    Refs      Use    Mtu    Netif Expire
      default                      lo1.br56.fra.de.hansenet.net UGS         0     7447   1492      ng0
      10.0.0.0                     link#2                       UC          0        0   1500      vr1
      10.0.0.40                    00:1a:4d:4a:36:cb            UHLW        1    92503   1500      vr1   1158
      10.0.1.209                   10.0.1.210                   UH         26        0   1500     tun0
      192.168.0.0                  10.0.1.209                   UGS         0        0   1500     tun0
      ... etc

      where 10.0.0.40 is my PC.
      Now, when I do ssh user@192.168.0.X from the shell on pfSense, I can connect. I can't when doing this on my local PC/clients. I can ping the address 10.0.1.210 (my local VPN endpoint) from my PC. I can't, however, ping the remote endpoint (I can do this from the pfSense shell). I can't traceroute to 10.0.1.210 either:

      Host:~ s710$ ping 10.0.1.210
      PING 10.0.1.210 (10.0.1.210): 56 data bytes
      64 bytes from 10.0.1.210: icmp_seq=0 ttl=64 time=0.430 ms
      64 bytes from 10.0.1.210: icmp_seq=1 ttl=64 time=0.205 ms
      ^C
      --- 10.0.1.210 ping statistics ---
      2 packets transmitted, 2 packets received, 0% packet loss
      round-trip min/avg/max/stddev = 0.205/0.318/0.430/0.112 ms
      Host:~ s710$ traceroute 10.0.1.210
      traceroute to 10.0.1.210 (10.0.1.210), 64 hops max, 40 byte packets
       1  * * *

      I tried googling quite a bit, and so far I tried assigning a new interface (tun0 -> 'VPN', enabled, IP address 'none') and adding a rule to permit traffic (had no effect). I also disabled any auto-added OpenVPN firewall rules (although I could not find any auto-created rules?), but that didn't help.

      So can someone guide me to the correct configuration?

      • GruensFroeschli

        The route TO the company works.
        The problem is: the router at your company does not know where to send the response.

        Two ways to solve this:
        1: Add a route on your company's OpenVPN router.
        2: NAT into the OpenVPN tunnel.

        Usually I would suggest 1. But I don't think this is feasible in your case.

        I'm not sure if 2. works.
        It "should"... (I never tried).

        Did you follow the steps to be able to firewall the OpenVPN interface?
        If yes: enable AoN (Firewall --> NAT --> Outbound --> "manual NAT rule generation")
        and create a rule for your local subnet with the OpenVPN interface as the NAT interface.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • danswartz

          I've done #2 successfully (not with pfSense, but a Linux gateway; same principle.)

          • soul710

            @GruensFroeschli:

            The route TO the company works.
            The problem is: the router at your company does not know where to send the response.

            Are you sure about this? Just to clarify:

            On my PC (IP 10.0.0.40), ssh user@192.168.0.x won't do anything.

            When SSH-ing from 10.0.0.40 to my pfSense box (IP 10.0.0.1), issuing ssh user@192.168.0.x from there will successfully establish an SSH session between the pfSense box and a company network host.

            Just today I tried the other way round, by leaving OpenVPN running and connecting to my pfSense box from work. Executing ssh root@10.0.1.210 on my Linux box at work successfully connected to my pfSense box at home.

            This leaves me thinking that something between the local clients and the pfSense box is wrong, be it firewall or routing. I haven't tried to actually connect to any PC behind the pfSense though; I might try tomorrow.

            I just tried the manual NAT as well, but it didn't change anything :(

            • GruensFroeschli

              Are you sure about this?

              Yes I am sure.
              Your setup is the classic stumbling block if you're not really familiar with routing.

              I just tried the manual NAT as well, but it didn't change anything :(

              Please describe in a little more detail what you did.
              Can you show a screenshot of your AoN rules?

              We do what we must, because we can.

              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

              • soul710

                @GruensFroeschli:

                Are you sure about this?

                Yes I am sure.
                Your setup is the classic stumbling block if you're not really familiar with routing.

                I just tried the manual NAT as well, but it didn't change anything :(

                Please describe in a little more detail what you did.
                Can you show a screenshot of your AoN rules?

                Hi there, I just got it to work :) The NAT rule I added yesterday had the subnets configured. Now I just tried adding a new NAT rule for the VPN interface and any subnet, and now everything works :)

                Thanks for your support :)

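The following Python model is an added illustration of GruensFroeschli's point (the company router has no route back to the home LAN, so it sends replies the wrong way) and of why the final fix, an outbound NAT rule on the OpenVPN interface, makes the replies come back through the tunnel. It is not code from the thread or from pfSense. The routing tables are constructed from the addresses in the thread; the /24 prefix lengths, the company router's table and its interface names (eth0, eth1) are assumptions. It implements longest-prefix route lookup and a pfSense-style outbound NAT match (first rule whose interface and source selector match wins), then reports the interface on which the company router would send its reply.

```python
import ipaddress

# Constructed example: addresses follow the thread's diagram.
# Home LAN 10.0.0.0/24, pfSense 10.0.0.1, tunnel 10.0.1.210 <-> 10.0.1.209,
# company LAN 192.168.0.0/24. Prefix lengths /24 are assumptions.
TUNNEL_LOCAL = "10.0.1.210"   # pfSense's own tunnel address

# (prefix, next hop or None if directly connected, interface)
PFSENSE_ROUTES = [
    ("0.0.0.0/0",      "isp-gw",     "ng0"),   # default via ISP
    ("10.0.0.0/24",    None,         "vr1"),   # home LAN
    ("10.0.1.209/32",  "10.0.1.210", "tun0"),  # tunnel peer
    ("192.168.0.0/24", "10.0.1.209", "tun0"),  # company LAN via tunnel
]

# Assumed company router table: knows its LAN and the tunnel peer,
# but has no entry for 10.0.0.0/24, so that prefix falls to the default route.
COMPANY_ROUTES = [
    ("0.0.0.0/0",      "company-gw", "eth0"),  # default to the Internet
    ("192.168.0.0/24", None,         "eth1"),  # company LAN
    ("10.0.1.210/32",  "10.0.1.209", "tun0"),  # tunnel peer (pfSense)
]


def lookup(routes, dst):
    """Longest-prefix match. Returns (network, next_hop, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def outbound_nat(src, out_iface, nat_rules):
    """pfSense-style outbound NAT: the first rule whose interface and source
    selector match rewrites the source address; otherwise src is unchanged.
    A rule is (interface, source network, translation address)."""
    addr = ipaddress.ip_address(src)
    for iface, source_net, translate_to in nat_rules:
        if iface == out_iface and addr in ipaddress.ip_network(source_net):
            return translate_to
    return src


def round_trip(src, dst, nat_rules=()):
    """Forward a packet src->dst through pfSense, then ask the company router
    where it would send the reply. Returns (reply_iface, reply_reaches_home),
    where reply_reaches_home is True only if the reply goes back into tun0."""
    fwd = lookup(PFSENSE_ROUTES, dst)
    if fwd is None:
        return None, False
    seen_src = outbound_nat(src, fwd[2], nat_rules)   # source as the company sees it
    back = lookup(COMPANY_ROUTES, seen_src)
    reply_iface = back[2] if back else None
    return reply_iface, reply_iface == "tun0"


if __name__ == "__main__":
    pc, host = "10.0.0.40", "192.168.0.5"
    # From pfSense itself the source is already the tunnel address: works.
    print("from pfSense      :", round_trip(TUNNEL_LOCAL, host))
    # From the PC without NAT the reply leaves the company via its default route.
    print("from PC, no NAT   :", round_trip(pc, host))
    # Rule matching the LAN subnet on tun0: reply comes back through the tunnel.
    print("from PC, LAN rule :", round_trip(pc, host, [("tun0", "10.0.0.0/24", TUNNEL_LOCAL)]))
    # Rule for "any" source on tun0, as in the final post: same result.
    print("from PC, any rule :", round_trip(pc, host, [("tun0", "0.0.0.0/0", TUNNEL_LOCAL)]))
    # A rule whose source selector does not cover the PC has no effect.
    print("from PC, bad rule :", round_trip(pc, host, [("tun0", "10.0.5.0/24", TUNNEL_LOCAL)]))
```

The model reproduces the symptoms in the thread: SSH from the pfSense shell works because its source is the tunnel address the company router already has a route for, while a LAN client's packets arrive with a 10.0.0.x source the company router can only send to its default gateway. Any outbound NAT rule on the tunnel interface whose source selector actually covers the client fixes this; a rule whose selector misses the client leaves the original source and behaves as if no rule existed.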