PfSense as OpenVPN Server behind another firewall
-
Hi all,
I've placed an old PC-Engines WRAP at a friend's network. He's using another firewall, so pfSense has firewalling and NAT disabled. I also disabled the WAN interface…
The port forwardings on his firewall are working fine and OpenVPN gets connected; additionally there's SSH forwarded so I can always access the WRAP.
BUT: I can only ping my WRAP but not his network
Here's how it's setup:
MacBook (Viscosity) {LAN -> 10.10.10.0/24} - INET {OpenVPN 10.8.0.0/24} - Firewall - WRAP (pfSense 2.0.1) {192.168.10.0/24}
Server Config on WRAP:
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.10.199
tls-server
server 10.8.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 3
push "route 192.168.10.0 255.255.255.0"
client-to-client
duplicate-cn
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
persist-remote-ip
float
Viscosity Client Config from "Client Export":
#-- Config Auto Generated By Viscosity --#
#viscosity startonopen false
#viscosity dhcp true
#viscosity dnssupport true
#viscosity name Any Name
remote any-name.dyndns.org 1194 tcp-client
pull
tls-client
tls-auth ta.key 1
persist-key
ca ca.crt
dev tun
persist-tun
cert cert.crt
comp-lzo adaptive
key key.key
cipher AES-128-CBC
tls-remote openvpn.any-name.local
resolv-retry infinite
Here's the output of "netstat -r":
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            firewall           UGS         0    19385   sis0
10.8.0.0           10.8.0.2           UGS         0       81 ovpns1
10.8.0.1           link#8             UHS         0        0    lo0
10.8.0.2           link#8             UH          0        0 ovpns1
localhost          link#5             UH          0     3325    lo0
192.168.10.0       link#1             U           0     9680   sis0
openvpn            link#1             UHS         0        0    lo0
Do I need to add a route? But the dialog for adding one needs a gateway, and the only gateway available is his firewall… So I expect I'd need to add the WRAP itself as a gateway before adding a route... I'm puzzled!
Greetz
Mircsicz -
The clients on his LAN 192.168.10.0/24 will be using his "real" firewall router as their gateway. So they do not know about the "special" route to your OpenVPN 10.8.0.0/24 through pfSense 192.168.10.199
a) On the friend's "real" router, add a static route for 10.8.0.0/24 through 192.168.10.199, or;
b) On each device you care about in 192.168.10.0/24, add a static route.
Then those things will know how to reply to you. -
Hi Phil,
Sorry I did not make clear that I can't Ping from the MacBook to his LAN…
Greetz
Mircsicz -
The ping from your MacBook to his LAN probably arrives at the destination. But the destination does have a route back to your MacBook, so the reply to the ping never comes. Stuff on his LAN has to be told that the pfSense router exists on that LAN and is the way (back) to the VPN link and MacBook client.
-
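The return-route problem Phil describes, as an added example that is not from the thread: a longest-prefix-match lookup over constructed routing tables, showing where a host on the friend's LAN sends its ping reply before and after the static route for 10.8.0.0/24 is added. It assumes the WRAP is 192.168.10.199 (the "local" address in the server config); the firewall address 192.168.10.1 and the MacBook's VPN address 10.8.0.6 are made-up values.

```python
import ipaddress

# Constructed sample routing tables (not captured from the thread's hosts).
# Entries are (destination, gateway or None if directly connected, interface).
WRAP_PFSENSE = "192.168.10.199"   # 'local' address in the server config above
REAL_FIREWALL = "192.168.10.1"    # assumed address of the friend's firewall
MACBOOK_VPN_IP = "10.8.0.6"       # assumed client address in 10.8.0.0/24

# The WRAP's table, condensed from the "netstat -r" output in the first post.
WRAP_ROUTES = [
    ("default", REAL_FIREWALL, "sis0"),
    ("10.8.0.0/24", "10.8.0.2", "ovpns1"),
    ("192.168.10.0/24", None, "sis0"),
]
# A typical host on the friend's LAN: it only knows the "real" firewall.
LAN_HOST_ROUTES = [
    ("default", REAL_FIREWALL, "eth0"),
    ("192.168.10.0/24", None, "eth0"),
]

def next_hop(routes, dst):
    """Longest-prefix match: returns (gateway, interface) for dst.

    'default' is treated as 0.0.0.0/0; a directly connected route returns
    (dst, iface) because the packet is delivered on-link."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        network = ipaddress.ip_network("0.0.0.0/0" if net == "default" else net)
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, iface)
    if best is None:
        return None
    _, gw, iface = best
    return (gw if gw is not None else str(dst), iface)

def reply_path_to_macbook(routes):
    """Where a LAN host sends its ping reply destined for the MacBook's VPN address."""
    return next_hop(routes, MACBOOK_VPN_IP)

def with_return_route(routes):
    """The fix from the thread: a static route for 10.8.0.0/24 via the WRAP."""
    return routes + [("10.8.0.0/24", WRAP_PFSENSE, "eth0")]

if __name__ == "__main__":
    print("WRAP forwards VPN traffic via", next_hop(WRAP_ROUTES, MACBOOK_VPN_IP))
    print("LAN host before fix:", reply_path_to_macbook(LAN_HOST_ROUTES))
    print("LAN host after fix: ", reply_path_to_macbook(with_return_route(LAN_HOST_ROUTES)))
```

Before the fix the reply leaves towards the real firewall, which has no route for 10.8.0.0/24; after the fix it is handed to the WRAP, which owns the tunnel.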
I guess I need a route like this:
route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.10.254
Can you confirm this?
Greetz
Mirco -
Yes, assuming 192.168.10.254 is the WRAP pfSense at your friend's house.
Obviously the particular route command will vary depending on the OS of the client or router that you need to modify. Get your friend to run pfSense as his front-end firewall, then you can make a site-to-site VPN between the 2 houses and a "dial-in" road warrior server to either/both houses, pass or block whatever traffic you want,… All much easier if the whole world standardises on pfSense ;)
-
Thx, I'll give it a shot later today…
I think he won't release his "Intranator" 800€ hardware box! But yeah, that would definitely make things much easier...
Greetz
Mircsicz