Netgate Discussion Forum

PfSense as OpenVPN server only

13 Posts 5 Posters 13.2k Views
    mrbostn
    last edited by Dec 13, 2012, 10:03 PM

    Hi, Just need some pointers on getting this to work…

    Can I put a pfSense box either behind or in front of a Sonicwall and have the Sonicwall continue doing what it's doing, but have pfSense act as the OpenVPN server? The Sonicwall VPN client costs $$ and it's not working well on Macs.

    Thank you

      heper
      last edited by Dec 14, 2012, 7:33 AM

      yes

        mrbostn
        last edited by Dec 14, 2012, 12:41 PM (posted Dec 14, 2012, 12:34 PM)

        @heper:

        yes

        Thank you.

        Would you recommend the pf box be in front of or in back of the Sonicwall? I was thinking in back of the Sonicwall with port 1194 forwarded from the Sonicwall to pfSense.

          GruensFroeschli
          last edited by Dec 14, 2012, 12:41 PM

          That depends on your network setup.

          If it is in front, then traffic from the OpenVPN server will have to pass through the Sonicwall.
          --> Allows you to handle OpenVPN traffic with rules on the Sonicwall.

          If it's behind the Sonicwall, you will have to handle access rights on the pfSense itself (basically you need to manage two sets of firewall rules).
          Also, if it's behind the Sonicwall: your clients will probably have the Sonicwall as default gateway.
          --> Traffic from OpenVPN will need to be source-NATed on the pfSense (not so desirable...), or all clients/servers have a static route pointing to the pfSense (also not desirable), or you have static routes on the Sonicwall, which also might lead to problems (traffic going in and out on the same interface).

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            mrbostn
            last edited by Dec 14, 2012, 12:44 PM

            @GruensFroeschli:

            That depends on your network setup.

            If it is in front, then traffic from the OpenVPN server will have to pass through the Sonicwall.
            --> Allows you to handle OpenVPN traffic with rules on the Sonicwall.

            If it's behind the Sonicwall, you will have to handle access rights on the pfSense itself (basically you need to manage two sets of firewall rules).
            Also, if it's behind the Sonicwall: your clients will probably have the Sonicwall as default gateway.
            --> Traffic from OpenVPN will need to be source-NATed on the pfSense (not so desirable...), or all clients/servers have a static route pointing to the pfSense (also not desirable), or you have static routes on the Sonicwall, which also might lead to problems (traffic going in and out on the same interface).

            Understood... My thinking was in back, as I just modified my post a few minutes ago to reflect that; turns out not a good idea.

            I'll look to put it in front of the Sonicwall. Thank you for the input.

              heper
              last edited by Dec 14, 2012, 2:52 PM

              Depending on what is considered "front" & "back".

              Personally I'd go:

              internet <--> sonicwall <--> LAN clients + pfSense
              

              or even better:

              Internet <--> pfSense <--> LAN clients
              

              pfSense can handle firewalling/routing + OpenVPN at the same time if you don't have unreasonably high bandwidth requirements.

                GruensFroeschli
                last edited by Dec 14, 2012, 4:37 PM

                @heper:

                Personally I'd go:

                internet <--> sonicwall <--> LAN clients + pfSense
                

                I disagree.
                You'll run into the problems I described above.
                Of course, if your road warriors only need access to some servers, then it's probably easier to just add static routes on the servers.
                But with this setup you will have a headache getting the road warriors to connect to local clients.

                  mrbostn
                  last edited by Dec 14, 2012, 7:00 PM

                  @heper:

                  Depending on what is considered "front" & "back".

                  Personally I'd go:

                  internet <--> sonicwall <--> LAN clients + pfSense
                  

                  or even better:

                  Internet <--> pfSense <--> LAN clients
                  

                  pfSense can handle firewalling/routing + OpenVPN at the same time if you don't have unreasonably high bandwidth requirements.

                  I'd love to get rid of the Sonicwall, but that won't happen. Basically the company has an IT person, but I help him with projects on occasion. He's been asking me to look for a way to get Mac clients to connect from home via VPN. He tells me that the Sonicwall client is buggy.

                  Which led me to thinking I could utilize OpenVPN on pfSense. Thanks to you both.

                    jimp (Rebel Alliance Developer, Netgate)
                    last edited by Dec 18, 2012, 2:51 PM

                    It's not quite as problematic as others have mentioned here. We have quite a few customers running this way.

                    Just add pfSense either in parallel to, or behind the SonicWALL.

                    Add a static route on the SonicWALL that points your mobile client subnet at the pfSense firewall's IP.

                    On pfSense, make sure you check System > Advanced, "Bypass firewall rules for traffic on the same interface".

                    Everything should route happily and as expected. There may be a rare occasion where some mildly broken TCP stack doesn't obey the ICMP redirects for such a route, but it's not that common.

                    We have one customer running a sizable call center using a SonicWALL and pfSense in this type of scenario (SonicWALL as default gateway, pfSense as VPN router), and they have no problems.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

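A small routing walk-through of the "pfSense behind the SonicWALL" layout jimp describes, written as an added example for this thread (not code from the forum or from pfSense). The addresses are constructed: the thread names no subnets, so the LAN, the OpenVPN client subnet and the device interface names are assumptions. It follows a LAN client's reply toward a road warrior with and without the static route on the SonicWALL, and flags the hop where the SonicWALL forwards the packet back out the interface it arrived on (the "in and out on the same interface" case GruensFroeschli raises, which is what produces the ICMP redirects jimp mentions).

```python
import ipaddress

# Constructed addressing (assumption): LAN 192.168.1.0/24 with the SonicWALL as
# default gateway, pfSense's single (WAN) interface on that same LAN, and the
# OpenVPN mobile clients in 10.8.0.0/24.
LAN = ipaddress.ip_network("192.168.1.0/24")
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
ROADWARRIOR = ipaddress.ip_address("10.8.0.6")
SONICWALL, PFSENSE, ISP = "sonicwall", "pfsense", "isp"
# Interface on which each device receives a packet sent over the shared LAN / uplink.
INGRESS = {SONICWALL: "LAN", PFSENSE: "WAN", ISP: "upstream"}

def build_tables(static_route_on_sonicwall):
    """Per-device routing tables: {prefix: (next_hop_device or None, out_interface)}."""
    tables = {
        "client":  {LAN: (None, "eth0"), DEFAULT: (SONICWALL, "eth0")},
        SONICWALL: {LAN: (None, "LAN"), DEFAULT: (ISP, "WAN")},
        PFSENSE:   {LAN: (None, "WAN"), VPN_NET: (None, "ovpns1")},
        ISP:       {DEFAULT: (None, "core")},
    }
    if static_route_on_sonicwall:
        # The fix from the thread: point the mobile-client subnet at pfSense's address.
        tables[SONICWALL][VPN_NET] = (PFSENSE, "LAN")
    return tables

def lookup(table, dst):
    """Longest-prefix match; returns (next_hop, out_interface)."""
    best = max((p for p in table if dst in p), key=lambda p: p.prefixlen)
    return table[best]

def trace_return(static_route_on_sonicwall):
    """Follow a LAN client's reply toward the road warrior, hop by hop."""
    tables = build_tables(static_route_on_sonicwall)
    node, in_iface, path, hairpins = "client", None, ["client"], []
    while True:
        next_hop, out_iface = lookup(tables[node], ROADWARRIOR)
        if in_iface is not None and in_iface == out_iface:
            hairpins.append(node)  # forwarded back out the arrival interface
        if next_hop is None:       # destination network is directly attached here
            return {"path": path, "exit_iface": out_iface, "hairpins": hairpins,
                    "delivered": node == PFSENSE and out_iface == "ovpns1"}
        node, in_iface = next_hop, INGRESS[next_hop]
        path.append(node)

if __name__ == "__main__":
    print(trace_return(False))  # reply leaks toward the ISP, never reaches the tunnel
    print(trace_return(True))   # client -> sonicwall (hairpin) -> pfsense -> ovpns1
```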
                      GruensFroeschli
                      last edited by Dec 18, 2012, 5:59 PM

                      Oh, it's not that problematic if you know what you are doing.
                      I run it this way myself in multiple locations :)
                      Just saying that if you have unexpected results, it might be another thing which can be the source of trouble.

                        deagle
                        last edited by Dec 20, 2012, 4:32 PM

                        In this type of setup, where pfSense only has one interface, would it be the LAN or WAN?

                          jimp (Rebel Alliance Developer, Netgate)
                          last edited by Dec 20, 2012, 5:02 PM

                          It depends on how you set it up.

                          If you only have one interface, it would be WAN.

                          If you set it up in parallel instead of behind, then it would have two (one external WAN, one internal LAN).

                            deagle
                            last edited by Dec 20, 2012, 7:12 PM

                            Thanks guys, I too was missing the static route back into the VPN subnet. It works great now using just the WAN interface.
