RDP to OpenVPN Client
-
I have OpenVPN working for Win client into lan but would like the ability to RDP to a client. I'm sure it's as simple as adding a NAT or rule but not sure actually how to set it up. Would anyone be able to point me in the right direction?
-
Haha classic I didn't think to look on the Client (Win 7) if it had defaulted the connection to public. It's the little things that can screw ya.
-
I'm also interested in accessing connected (by OpenVPN) road warriors for maintenance (RDP and/or VNC).
I can't find how to do it.
-
Similar to post http://forum.pfsense.org/index.php/topic,43676.0.html …
I can ping the road warrior from pfSense itself but not from a PC at pfSense LAN.
And the road warrior has access to LAN machines.
-
-
@bellera - I had policy-based routing rules on my LAN that were feeding packets from LAN to all into a gateway group, which went out to the real internet. If you have anything like that, the rule will need to exclude packets with destination VPN. I make an alias for all the tunnels and other subnets reachable across VPN links, then adjust my policy-based routing rules for general internet to source: LAN subnet, destination: !VPNalias
From your description, the routing should be simple and working, it is most likely a firewall rule that is mis-directing a flow that is initiated from LAN with destination across the VPN tunnel.
-
For the benefit of other readers, Windows 7 and Windows 8 consider networks without a default gateway to be "Unidentified". Then Windows does not ask the user if the network is private or public - it just sets it to public. Then the Windows Firewall settings for public are applied to the Windows PC. To open up remote access you would have to open up things on Windows Firewall Public settings.
This default can be changed - Control Panel, Administrative Tools, Local Security Policy, Network List Manager Policies, Unidentified Networks, change Location Type to Private.
Now, if Windows thinks it can't identify a network, then it will set it to Private. Your OpenVPN tunnel to your corporate network will be considered private and you can open up whatever you want on the Windows Firewall Private settings, leaving the Public settings blocking most everything.
-
-
The routing should be simple and working, it is most likely a firewall rule that is mis-directing a flow that is initiated from LAN with destination across the VPN tunnel.
I know, but it doesn't work for me & other people (Spanish forum).
A tracert from my administration computer at LAN always shows the traffic going to the internet, no matter which policy routing I'm using at LAN rules. In fact, if I change the gateway I can see the tracert going outside with the chosen gateway. The traffic originated at LAN with destination the road warrior never enters the tunnel.
Then the Windows Firewall settings for public are applied to the Windows PC. To open up remote access you would have to open up things on Windows Firewall Public settings.
You are right and this is applicable to any computer having a personal firewall. For testing, it helps to disable personal firewalls.
-
I have pfsense as OpenVPN server for 60 roadwarriors and I can connect with rdp to all of them.
Are the roadwarriors Windows Vista/7/8? If so, run the following script (rename as .cmd) as administrator to fix connectivity issues with unidentified networks. I guess that you have already checked that the client has remote connections enabled and firewall turned off (for testing purposes).
off topic: by the way, Josep, I have it on an ALIX board and it all started thanks to the encouragement of your tutorials, so many thanks for your work :)
-
No, my "testing" road warrior is not a Win Vista/7/8. I'm just testing it with Linux Ubuntu, without (personal) firewall.
I will test too with WinXP without (personal) firewall.
But I'm convinced that there is some missing route in my "testing" pfSense. I said "testing" pfSense but in fact it is my first & production pfSense, upgraded many times. However, other people say they have the same trouble.
off topic: by the way, Josep, I have it on an ALIX board and it all started thanks to the encouragement of your tutorials, so many thanks for your work :)
You're welcome! Glad to be useful.
I'm happy to have helped you!
This thread has a Spanish version at http://forum.pfsense.org/index.php/topic,59116.0.html
-
Can you post your policy-routing rules from LAN to the various gateways?
And what version of pfSense are you running?
(I fixed a problem with using "not" in rules on 2.1-BETA a while ago - as far as I could see, the problem was an accidental regression in 2.1, and the code in 2.0.n should be fine)
-
Finally it works!
I had two errors:
- Incorrect manual NAT Outbound
- Incorrect policy routing at LAN, as you said.
$ pfctl -s rules | grep VPNs
pass in quick on em0 inet from <adm_pcs> to 192.168.XXX.0/22 flags S/SA keep state label "USER_RULE: Access from LAN to VPNs"
em0 is my LAN
adm_pcs is my alias for administrator's computers at the LAN side.
192.168.XXX.0/22 covers all my OpenVPN networks (I have many OpenVPN servers running).
Version 2.0.1-RELEASE (i386) built on Mon Dec 12 19:00:03 EST 2011 FreeBSD 8.1-RELEASE-p6
Many thanks!
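
The policy-routing problem discussed in this thread (a LAN rule forcing every flow into a WAN gateway, versus a pass rule for the VPN networks plus a "destination: !VPNalias" policy rule), modeled as a first-match rule evaluator. This is an added example, not code from any poster and not pfSense's own logic; the addresses, the gateway group name `WAN_GROUP` and the rule labels other than "Access from LAN to VPNs" are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample addressing (assumptions, not values from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")
VPNS = [ipaddress.ip_network("10.8.0.0/22")]  # alias covering all OpenVPN tunnel networks
ANY = [ipaddress.ip_network("0.0.0.0/0")]

@dataclass
class Rule:
    label: str
    src: ipaddress.IPv4Network
    dst: list                      # networks the destination is compared against
    negate_dst: bool = False       # True models "destination: !alias"
    gateway: Optional[str] = None  # None = no policy routing, routing table decides

    def matches(self, src, dst):
        in_dst = any(dst in net for net in self.dst)
        return src in self.src and (in_dst != self.negate_dst)

def evaluate(rules, src, dst):
    """First matching rule wins, like 'quick' rules evaluated top-down."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src, dst):
            return rule.label, rule.gateway or "routing table"
    return "default deny", None

# Before: every LAN flow is forced to the WAN gateway group, so a flow to a
# road warrior leaves via the internet and never enters the tunnel.
BROKEN = [Rule("LAN to any via WAN group", LAN, ANY, gateway="WAN_GROUP")]

# After: a pass rule without a gateway lets the routing table carry VPN
# traffic, and the policy-routing rule excludes the VPN alias.
FIXED = [
    Rule("Access from LAN to VPNs", LAN, VPNS),
    Rule("LAN to !VPNs via WAN group", LAN, VPNS, negate_dst=True, gateway="WAN_GROUP"),
]

def trace(dst, src="192.168.1.10"):
    """Return the (rule label, next hop decision) under both rule sets."""
    return {"broken": evaluate(BROKEN, src, dst), "fixed": evaluate(FIXED, src, dst)}

if __name__ == "__main__":
    for target in ("10.8.0.6", "198.51.100.20"):  # road warrior, internet host
        print(target, trace(target))
```

The source network on the VPN pass rule can be narrowed to an alias of administrator machines, as the final rule in the thread does with `<adm_pcs>`, so that only those hosts can open RDP or VNC sessions toward road warriors.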