Route help please
-
You should just dump that and run openvpn directly out of pfsense. Assuming pfsense is your router/firewall, it's less problematic to have it on the router.
This is an enterprise env. I am doing this as a small approach for myself to gain access to the management network 27x7. It is never a solution to tell somebody "dump that" and replace it "with this". Don't get me wrong, I am glad that you reply and try to help, but your suggestion was very poor. Eventually I will get a VPN appliance installed at my premises… I just need a quick solution in the meantime.
Again Thanks for the help kejianshi.
-
You don't understand - I have both. Before, my system was similar to yours. I used to run openvpn on a separate system inside the LAN, but it was less of a problem to run it on pfsense alone. Without knowing that moving your vpn to pfsense isn't something you can do, I'd assume I'm giving you good advice. NOW that I know you have to keep it separate, apparently:
How many people will be using your vpn? Just you, or many?
-
kejianshi,
Ahhh! I see. OK, I am now on the same page as you.
What they did is stand up a vpn server with small satellite offices connecting to it. The satellite servers connect to the server and they can communicate with everybody on the LAN and others just fine.
It's the same approach. Centos servers with openvpn as clients. Also we have ccd files defining their networks for openvpn. There are about 10 offices connected to it. And now I am trying to connect my pfsense to it as well.
I might discard the idea altogether given the complicated aspect of it. Though it would be nice to use this approach. I dislike the idea of a vpn appliance if I have a pfsense box :)
Your thoughts?
-
If it's just you, and you can install a VM inside your LAN, I'd suggest you download ubuntu from the web and install openvpnAS server inside of it. I like the OpenvpnAS server for anyone who just needs to provide a "door in" for himself or maybe one other because it has a web management GUI that is very simple to work with. If you expose that GUI to the web, you can manage it remotely, download a client config anywhere on any machine. It's very sweet for 2 people for free. More than 2 licenses will cost you, but the first 2 accounts are free, full featured and never expire.
It's quite simple to add routes etc. also. I'd prefer to do it from pfsense directly, but this is my next best recommendation.
-
Thank you kejianshi.
I will look into it!
-
The way they do it now is fine, but doing it all from within pfsense is less overhead system-wise. Fewer machines to take care of. Also, the routes are more likely to work. Less NAT. It's also free for as many users as you like.
But again, if doing it from within pfsense isn't something you can do, Openvpn AS is also great. Costs for more than 2 licenses though.
-
In case it gets confusing trying to figure out exactly where to download from:
http://openvpn.net/index.php/access-server/download-openvpn-as-sw.html
Pick an OS, install the OS of your liking (I like ubuntu for something like this but mine is in Centos for other reasons).
Then download and install the correct package.
Forward 1 port for access to the client web, 1 more for admin access and one other for the vpn itself to this machine.
All done - enjoy.
Later, try to get everyone on pfsense - it's really the best way long term.
-
For those interested.
All I had to do was add a line to my iptables:
-A POSTROUTING -s XXX.XXX.0.0/24 -d XXX.XXX.0.0/16 -j MASQUERADE
Then add a route to my openvpn conf file for my subnet behind my firewall.
and then add a ccd.
Done.
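As an added example (not from any poster in this thread), here is a small POSIX shell helper that turns the three pieces of the solution above into concrete config lines. The point it makes that the post glosses over: the route in server.conf only gives the kernel a route into the tun interface, while the iroute in the client's ccd file is what tells the OpenVPN daemon which connected client owns that subnet, and both directives want a dotted netmask rather than CIDR. The subnets and the client common name are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate the server-side pieces needed to reach a LAN that sits
# behind an OpenVPN *client* (the pfSense box in the thread).
# All addresses and the client common name are constructed placeholders.

# Convert a CIDR prefix length (0-32) to a dotted netmask; OpenVPN's
# route/iroute directives require this form, not a.b.c.d/nn.
prefix_to_mask() {
    p=$1
    mask=""
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then
            o=255; p=$((p - 8))
        elif [ "$p" -gt 0 ]; then
            o=$((256 - (1 << (8 - p)))); p=0
        else
            o=0
        fi
        mask="${mask}${mask:+.}${o}"
    done
    printf '%s\n' "$mask"
}

# "route" line for server.conf: kernel route for the remote subnet into tun.
server_route_line() {
    printf 'route %s %s\n' "${1%/*}" "$(prefix_to_mask "${1#*/}")"
}

# "iroute" line for ccd/<client-cn>: tells the OpenVPN daemon which client owns
# the subnet. Without it the kernel route exists but OpenVPN drops the packets.
ccd_iroute_line() {
    printf 'iroute %s %s\n' "${1%/*}" "$(prefix_to_mask "${1#*/}")"
}

# Masquerade rule as in the thread: needed only when hosts on the office LAN
# have no return route for the remote subnet, so replies go via the server.
nat_rule() {
    printf '%s\n' "-A POSTROUTING -s $1 -d $2 -j MASQUERADE"
}

# Constructed sample: client "pfsense-home" has LAN 10.8.1.0/24 behind it;
# the office LAN behind the OpenVPN server is 10.0.0.0/16.
CLIENT_CN=pfsense-home
CLIENT_LAN=10.8.1.0/24
OFFICE_LAN=10.0.0.0/16

echo "# append to server.conf";      server_route_line "$CLIENT_LAN"
echo "# contents of ccd/$CLIENT_CN"; ccd_iroute_line "$CLIENT_LAN"
echo "# iptables nat table rule";    nat_rule "$CLIENT_LAN" "$OFFICE_LAN"
```

If the other office clients must also reach the new subnet, the server additionally needs client-to-client (or equivalent forwarding), which this helper does not emit.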
-
Guess you didn't like the OpenvpnAS idea?
I'm glad it's working well for you.
-
kejianshi,
Thanks for the recommendation. I will try it eventually. I just couldn't see myself changing existing infrastructure.
Again thank you!