Netgate Discussion Forum

    After connecting

    OpenVPN
      poly_s

      Hello.

      Well, I have a pfsense gateway box running an open vpn server and a home network behind it with a samba server running.

      I'm able to successfully connect to my open vpn server from the internet and receive a 10 dot IP address.

      I'm wondering what is next? How can I access this samba server? I'm also wondering how I can use the pfsense internet connection to surf the web, road warrior style.

      I have gone through the guides but I'm still struggling.

      Some direction would be great.

      Thanks in advance for your time.

        Nachtfalke

        The openvpn server is running on pfsense, right?

        To force all traffic from the roadwarrior to the pfsense, you need to check "Redirect all traffic through VPN" on the OpenVPN server GUI config.

        Then go to firewall -> rules and create an "allow any to any" rule on the OpenVPN tab.

        In general this should be enough to access hosts behind pfsense and browse the web through VPN -> pfsense -> WAN

          marvosa

          Let's start with your current settings (server and client).  Then tell us exactly what is not working.

            poly_s

            Thanks for your reply.

            Yes the VPN server is on the pfsense.

            I did what you said Nachtfalke and clicked "redirect all traffic…." and then created a rule for pass any any.

            Still I was unable to see my samba machine.

            When I'm pinging it what address should I use?

            @ marvosa

            Client settings are set to use config file which looks like this

            dev tun
            persist-tun
            persist-key
            proto tcp-client
            cipher AES-128-CBC
            tls-client
            client
            resolv-retry infinite
            remote **.***.**.** ****
            tls-remote steedman
            auth-user-pass
            pkcs12 gatekeeper-TCP-****.p12
            tls-auth gatekeeper-TCP-****-tls.key 1
            
            

            As for the server settings, which ones do you want to know? There seem to be so many that I went through to set it up.

            The server logs say that it receives a connection. I would like to browse my networks in Explorer and see my samba server after I have connected to the VPN. Also I would like to surf via the VPN out of the pfsense WAN.

            Thanks again.

              Nachtfalke

              When you set up a firewall "any to any" and you set up "redirect all traffic…" then you should be able to browse the web using the pfsense WAN.

              Try to check this on a website which displays your public IP.

                marvosa

                What server settings?  All of them.  Either take screen shots, post them manually or get them from your server1.conf (/var/etc/openvpn).

                  poly_s

                  @ marvosa
                  Ok thanks for letting me know where the .conf file was…. here is its content.

                  dev ovpns1
                  dev-type tun
                  dev-node /dev/tun1
                  writepid /var/run/openvpn_server1.pid
                  #user nobody
                  #group nobody
                  script-security 3
                  daemon
                  keepalive 10 60
                  ping-timer-rem
                  persist-tun
                  persist-key
                  proto tcp-server
                  cipher AES-128-CBC
                  up /usr/local/sbin/ovpn-linkup
                  down /usr/local/sbin/ovpn-linkdown
                  local **.***.***.**
                  tls-server
                  server 10.1.5.0 255.255.255.0
                  client-config-dir /var/etc/openvpn-csc
                  username-as-common-name
                  auth-user-pass-verify /var/etc/openvpn/server1.php via-env
                  tls-verify /var/etc/openvpn/server1.tls-verify.php
                  lport ****
                  management /var/etc/openvpn/server1.sock unix
                  max-clients 2
                  push "route 192.168.1.100 255.255.255.0"
                  push "redirect-gateway def1"
                  ca /var/etc/openvpn/server1.ca 
                  cert /var/etc/openvpn/server1.cert 
                  key /var/etc/openvpn/server1.key 
                  
                    poly_s

                    UPDATE

                    Success in part!!! I can now surf the web via the pfsense box.

                    My error was having the Subnet of the LAN set as a common one (192.168.0.1) such that the remote network had the same and conflicted.

                    I changed the IP of the LAN to a different Subnet and changed the DHCP address pool range also to coincide. It was also necessary to tell the Access Point about this change.

                    I am still unable to view my network behind the pfsense box however.

                    Thanks to Nachtfalke for turning me on to the "redirect traffic …" settings and to Marvosa for showing me the .conf file which when I stared at enough seemed to show me the possible problem to look into more.

                    I'm going to try the AP settings first to see if a problem there is stopping me from getting through to the Samba server.

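An added example, not part of any post in this thread: a small Python check over the `server` and `push "route ..."` lines of the server1.conf posted above, flagging the kind of subnet collision poly_s describes and a pushed route whose address has host bits set. The client-side LAN passed in is a constructed value, since the thread does not give the real one.

```python
import ipaddress
import re

# Lines taken from the server1.conf posted in the thread.
SERVER_CONF = '''\
server 10.1.5.0 255.255.255.0
push "route 192.168.1.100 255.255.255.0"
push "redirect-gateway def1"
'''

SERVER_RE = re.compile(r'^\s*server\s+(\S+)\s+(\S+)', re.M)
ROUTE_RE = re.compile(r'^\s*push\s+"route\s+(\S+)\s+(\S+)"', re.M)


def audit_routes(conf_text, client_local_nets):
    """Return (kind, detail) findings for the tunnel and pushed networks."""
    findings, nets = [], []
    for kind, regex in (("tunnel", SERVER_RE), ("pushed", ROUTE_RE)):
        for addr, mask in regex.findall(conf_text):
            try:
                net = ipaddress.ip_network(f"{addr}/{mask}")
            except ValueError:
                # A host address was given with a network mask.
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
                findings.append(("host-bits",
                    f"{addr} {mask} should be {net.network_address} {mask}"))
            nets.append((kind, net))
    # Same address range on both ends of the tunnel: the client cannot tell
    # its own LAN from the one behind pfSense.
    for local in map(ipaddress.ip_network, client_local_nets):
        for kind, net in nets:
            if net.overlaps(local):
                findings.append(("overlap",
                    f"{kind} {net} collides with client LAN {local}"))
    return findings


if __name__ == "__main__":
    # Constructed client-side LAN; the thread does not give the real one.
    for finding in audit_routes(SERVER_CONF, ["192.168.1.0/24"]):
        print(*finding, sep=": ")
```
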
                      Nachtfalke

                      Try to do something simple to test the connection behind your pfsense:
                      do a ping
                      do a tracert
                      make sure that the destination host (host behind pfsense) allows traffic from hosts on your VPN network. Disable the firewall for testing on these hosts.

                      How do you connect to your samba server - by IP? \\ip.ip.ip.ip\share?

                      Is the access point doing NAT or routing or is it just acting as a wireless bridge? In bridge mode it should be ok/work.
                      When doing routing on the AP then you need to define additional routes on OpenVPN Server.

                        poly_s

                        @ nachtfalke

                        The AP is in bridge mode so I guess the problem is not there.

                        I access the samba server via Explorer where it appears under "network".

                        So from what you're saying it's most likely a firewall rule (or lack thereof) that allows traffic from samba server to VPN?

                        OR

                        Settings on the samba server itself???

                        Thanks again.

                          Nachtfalke

                          @poly_s:

                          @ nachtfalke

                          The AP is in bridge mode so I guess the problem is not there.

                          I access the samba server via Explorer where it appears under "network".

                          So from what you're saying it's most likely a firewall rule (or lack thereof) that allows traffic from samba server to VPN?

                          OR

                          Settings on the samba server itself???

                          Thanks again.

                          If you have "any to any" on OpenVPN firewall rule this should be ok.
                          Firewall on samba server - the firewall must allow traffic from the OpenVPN network - if your samba server has a firewall enabled.
                          On OpenVPN server GUI try to enable:
                          "Enable NetBIOS over TCP/IP" and try with "h-node" or some other setting.

                          Which protocol and port do you use to connect to the samba server?
                          Enable logging on the OpenVPN firewall rule to get this information.

                            joako

                            Assuming you can ping across the VPN, on the server make sure you have the NMB service enabled and then put its IP address under the WINS field in OpenVPN config.

                              poly_s

                              Success

                              Ok, thanks again.

                              I can now access my "\\server\guest share" over the VPN.

                              Not sure if it was enabling netbios or adding WINS server or neither.

                              When I get a second I'm going to back both of these off and see which one it was or if it was just user error and the problem was in fact fixed after I sorted the IP conflict.

                              I am one happy pfSense/OpenVPN user.

                                marvosa

                                It's both.  NMBD or WINS is the only way to resolve NETBIOS names in a routed VPN solution.

                                And the "Enable NetBIOS over TCP/IP" check box, it tells you right next to it:

                                "If this option is not set, all NetBIOS-over-TCP/IP options (including WINS) will be disabled."

                                So, the answer is both.

                                  extide

                                  You can do it without WINS, actually, but you will need something else (DNS, hosts file, etc) to resolve your names.

                                    poly_s

                                    Doing it without WINS would be nice as I read that WINS is open to abuse and unreliable (wiki). Thanks for the info, Extide.

                                    So it's as simple as editing my hosts file to resolve the name of the server to the IP?

                                      extide

                                      Yes, you can do it that way. As long as you have NetBIOS over TCP/IP and can ping the server by name (which should resolve into the IP) you should be good to go.

                                        joako

                                        In that case, say your FQDN is server.something.tld: place something.tld in "DNS-Domainname", pfsense LAN IP in "DNS-Server", and make sure you can resolve the FQDN through pfsense (place it in Services > DNS Resolver), and you should be able to open up \\server as well.

                                        Disable nmb service, remove WINS from OpenVPN and don't forget to reconnect.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.