PfSense as an OpenVPN client - LAN access to the server
-
Hello all,
I've spent the past day and about 5 different guides I've found here and elsewhere getting my pfSense router to connect to the OpenVPN server [a private VPS] as a client and then routing certain client traffic over that tunnel; that's all working fine now, which I am really excited about.
What I would like to be able to do is provide LAN access [10.0.1.0/24] to my VPS using my OpenVPN tunnel [10.30.0.0/24]. I am using "topology subnet" in my OpenVPN server configuration so that the server will be reachable at 10.30.0.1; I have my pfSense router using a static IP address [10.30.0.250] which is being pushed using a CSC entry on the server. Ultimately, I would like to be able to SSH [for example] into my VPS [10.30.0.1] and ping my private LAN clients [10.0.1.10,12,14, etc.] over the VPN tunnel.
Is this even possible? I have tried various route/iroute statements but have been unsuccessful at getting traffic flowing into my network [the traffic flows through the VPS fine from my LAN]. Any assistance would be greatly appreciated - I am also happy to provide any configuration files, if necessary. Thanks in advance!
-
Update: I found that I am actually unable to ping my pfSense router [10.30.0.250] from the OpenVPN server [using an SSH connection to the server]. I think the issue may have something to do with a missing firewall rule, but again, I can't find the correct combination of rules to allow traffic to flow back over the VPN.
Again, any help with this would be greatly appreciated.
-
You need to do a few things:
-
Push a route for the VPS network to your clients
-
If you have control of the remote end, you need to add a return route to your tunnel network on the remote end
-
If you do not have control of the remote end, when traffic is sourced from your tunnel network and destined to your VPS… it will need to be NAT'd to the OpenVPN interface that is facing your VPS.
-
-
You need to do a few things:
-
Push a route for the VPS network to your clients
-
If you have control of the remote end, you need to add a return route to your tunnel network on the remote end
-
If you do not have control of the remote end, when traffic is sourced from your tunnel network and destined to your VPS… it will need to be NAT'd to the OpenVPN interface that is facing your VPS.
Thank you very much for your reply;
1. My VPS doesn't really have a local network associated with it - I am basically just using the public, static IP address and nothing more. There aren't any machines behind the VPS that I want to communicate with, I just want the VPS to be able to communicate with the LAN behind my pfSense router [10.0.1.0/24] through the OpenVPN tunnel [10.30.0.0/24].
2. I currently have "route 10.0.1.0 255.255.255.0" in my OpenVPN server configuration and "iroute 10.0.1.0 255.255.255.0" in the CSC file for my pfSense router. I would imagine that the OpenVPN server on my VPS would be pulling the proper route from the pfSense router using these two statements. I do have root access to the VPS, but I was under the impression that the route/iroute statements added the return route for the server. However, when I run "netstat -nr" on the VPS, I do not see a route back to my LAN network [10.0.1.0/24] through the OpenVPN tunnel. This is part of what leads me to believe that either I am missing some kind of configuration setting in pfSense or there's a firewall rule blocking traffic destined for the 10.0.1.0/24 network through the 10.30.0.0/24 network.
I do have a rule in my pfSense router that allows all traffic to/from anything on the interface I've created for the OpenVPN tunnel to my VPS. I just don't know what I'm doing wrong. Thanks again for any light you may be able to shine on this!
-
-
Update: I've noticed that if I enter a gateway address in the route/iroute definitions, i.e. "route 10.0.1.0 255.255.255.0 10.30.0.1"/"iroute 10.0.1.0 255.255.255.0 10.30.0.1", I can get the LAN network to show in the routing table on my VPS. However, I am still unable to ping any of the machines behind the pfSense router.
Also, if I use a different topology definition, i.e. net30, the route is automatically added to the VPS' routing table without having to specify a gateway address in the route/iroute statements; again, I still cannot communicate with the machines on the 10.0.1.0/24 network from the VPS.
-
Can you post a quick network map with IPs listed, so I can visualize what you're trying to do? I believe I misread your OP, so instead of me making more assumptions… it'd be nice to have a network map to look at.
-
Can you post a quick network map with IPs listed, so I can visualize what you're trying to do? I believe I misread your OP, so instead of me making more assumptions… it'd be nice to have a network map to look at.
I would be happy to post a diagram; I'll put one together tomorrow morning and post it. Thanks!
-
As promised, here's a basic layout of my network [see attached].
Here's my OpenVPN server configuration:
# State the type of OpenVPN instance - Server
mode server
tls-server
# Server listening port and protocol
port 10001
proto udp
# Use a TUN adapter
dev tun
# Set the OpenVPN subnet - 10.30.0.2-199
topology subnet
push "topology subnet"
ifconfig 10.30.0.1 255.255.255.0
push "route-gateway 10.30.0.1"
ifconfig-pool 10.30.0.2 10.30.0.199 255.255.255.0
# Server certificates
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# Use Blowfish and compress traffic
cipher BF-CBC
comp-lzo
# Allow clients to communicate with other clients
client-to-client
route 10.0.1.0 255.255.255.0
# Used for setting static IP addresses on connected clients
client-config-dir /etc/openvpn/static_clients
# OpenVPN server logging settings
keepalive 10 120
status openvpn-sitetosite-status.log
verb 3
Here's my pfSense CSC file:
ifconfig-push 10.30.0.250 255.255.255.0
iroute 10.0.1.0 255.255.255.0
My pfSense settings are pretty barren, I don't have any strange options set there; I can post a screen of that configuration too, if necessary. Thanks for the help!
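As an added example (not from this thread, pfSense or the OpenVPN project), a small Python lint that applies the route/iroute pairing rule the thread is circling: each LAN behind a client needs a bare `route` in the server config plus a matching `iroute` in that client's client-config-dir file. The config text inside is a constructed copy of the server config and CSC file posted above.

```python
"""Lint an OpenVPN server config and its client-config-dir (CCD) files for the
site-to-site routing pattern: every client-side LAN needs BOTH a `route` in the
server config and an `iroute` in that client's CCD file, and client-config-dir
must be enabled. Also flags the explicit-gateway workaround and the weak cipher."""
import ipaddress
import shlex

# Constructed copies of the server config and the pfSense CSC file from the thread.
SERVER_CONF = """
mode server
tls-server
port 10001
proto udp
dev tun
topology subnet
ifconfig 10.30.0.1 255.255.255.0
ifconfig-pool 10.30.0.2 10.30.0.199 255.255.255.0
cipher BF-CBC
client-to-client
route 10.0.1.0 255.255.255.0
client-config-dir /etc/openvpn/static_clients
"""
CCD_FILES = {"pfsense": "ifconfig-push 10.30.0.250 255.255.255.0\niroute 10.0.1.0 255.255.255.0\n"}

def parse(text):
    """Return (directive, args) pairs, skipping comments and blank lines."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            out.append((parts[0], parts[1:]))
    return out

def net(args):
    """Build a network from the 'address netmask' form OpenVPN uses."""
    return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)

def check(server_conf, ccd_files):
    """Return a list of findings; an empty list means the routing setup is consistent."""
    findings = []
    server = parse(server_conf)
    routes = {net(a) for d, a in server if d == "route" and len(a) >= 2}
    if "client-config-dir" not in {d for d, _ in server}:
        findings.append("client-config-dir missing: iroute entries in CCD files are never read")
    for d, a in server:
        if d == "route" and len(a) >= 3:
            findings.append(f"route {a[0]} has an explicit gateway {a[2]}; use the bare form so iroute selects the client")
        if d == "cipher" and a and a[0].upper() == "BF-CBC":
            findings.append("cipher BF-CBC is a 64-bit block cipher (SWEET32); prefer AES-256-GCM")
    iroutes = {net(a) for text in ccd_files.values() for d, a in parse(text) if d == "iroute"}
    findings += [f"iroute {n} has no matching 'route' in the server config" for n in iroutes - routes]
    findings += [f"route {r} has no iroute in any CCD file; OpenVPN cannot pick a client for it" for r in routes - iroutes]
    return findings
```

Run `check(SERVER_CONF, CCD_FILES)` on the posted configs and the only finding is the cipher; the route/iroute pair itself is consistent, which points away from the OpenVPN routing directives and toward firewall or return-path issues.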
-
I do have a rule in my pfSense router that allows all traffic to/from anything on the interface I've created for the OpenVPN tunnel to my VPS.
Do you have the same "Allow any-any" rule on the OpenVPN tab of the pfSense server?
-
Do you have the same "Allow any-any" rule on the OpenVPN tab of the pfSense server?
Yes, I do.
I've pretty much determined that what I'm trying to accomplish isn't possible. Now, I've noticed that if I connect to my VPS using SSH on the OpenVPN address [10.30.0.1], the SSH tunnel is originating from the OpenVPN address of my pfSense router [10.30.0.250] - if I could open ports/port forward on the pfSense OpenVPN address/interface, I could accomplish what I want [access to LAN resources on the OpenVPN server] but I haven't been successful at this either.