Netgate Discussion Forum
    OpenVPN - client machine to server-lockdown

2chemlud

      Dunno how this "client-specific override" thing is done to hand out specific IPs to each client, the rest is absolutely no rocket science and will teach you much for the future. I would start on my own and look for help if needed… ;-)

      Client-specific overrides:

      https://doc.pfsense.org/index.php/OpenVPN_multi_purpose_single_server#OpenVPN_Client_specific_overrides

      ...should work! ;-)

fireix

Just to test, I managed to get the VPN server up and running and I have configured the OpenVPN client.

This is a little beside my original question; I just want to see if I can connect to an entire local subnet for fun. I have a local network that is in this range: 192.168.100.100-140 (web cameras and different stuff like that).

When I connect with OpenVPN, my PC gets this IP assigned:

My Windows PC gets these additional details (from ipconfig):

IPv4 Address. . . . . . . . . . . : 192.168.100.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Shouldn't this be enough to be able to access gear by going to 192.168.100.100 for instance? Or is this where I need to "push some routes" somehow?
The default gw isn't assigned and I guess that is correct. The 192.168.100.0/24 should also cover IPs from .1 to .254.

Derelict (Netgate)

          @2chemlud:

          Dunno how this "client-specific override" thing is done to hand out specific IPs to each client

          You use ifconfig-push to the client using the CSO. The exact syntax depends on the tunnel network and topology subnet or net30. An advanced search on this subforum for ifconfig ought to bear some fruit.
          @fireix:

My Windows PC gets these additional details (from ipconfig):

          IPv4 Address. . . . . . . . . . . : 192.168.100.2
          Subnet Mask . . . . . . . . . . . : 255.255.255.0
          Default Gateway . . . . . . . . . :

          Shouldn't this be enough to be able to access gear by going to 192.168.100.100 for instance? Or is this where I need to "push some routes" somehow?

          Networks defined in the "Local Networks" section of the server are automatically pushed to all clients. What this means is the local client routes traffic for those networks through the OpenVPN connection instead of out to the internet. Whether or not the client has a DEFAULT route through the VPN tunnel is most-easily controlled by the Redirect Gateway checkbox in the server. If you want different clients to have different behavior for this you will likely want to uncheck this for the global setting and push the gateway commands to specific clients using CSOs for those who should have it.

The default gw isn't assigned and I guess that is correct. The 192.168.100.0/24 should also cover IPs from .1 to .254.

          No, your tunnel network should be a different, routed network for a tun mode OpenVPN remote access server. It is possible to create a tap mode "bridged" same-subnet network but it is not a recommended configuration.

          Try:

          • Changing your tunnel network to 192.168.101.0/24 and your local network in the OpenVPN server to 192.168.100.0/24

          • Making sure your OpenVPN tab has a rule that passes traffic from 192.168.101.0/24 to 192.168.100.0/24 (or any to any or whatever).

• If it still doesn't work make sure the local server you are trying to ping allows traffic from foreign networks. People are constantly mistaking the Windows firewall doing what it's been told to do for VPN (and port forward) problems.

OpenVPN is not like IPsec with traffic selectors "hidden" in the kernel somewhere. Everything is visible in a routing table. route statements add routes to the operating system, sending traffic into the OpenVPN process (visible in the OS routing table). iroutes inside OpenVPN determine which tunnel gets what traffic after the OS has routed traffic into OpenVPN (visible in OpenVPN's routing table). You can generally think of an OpenVPN instance as a virtual router.

          Lots of info here: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing

          Interesting. Didn't know about the ifconfig-pool directive. That solves a significant problem.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

fireix

From the log, it looks like traffic is passing (I have allow any-any), but it isn't pingable or browsable (just waiting). This is just a web interface for a switch, but the same goes for a camera and a management computer.

            Accept May 22 19:14:52 ovpns1 192.168.101.2:54009 192.168.100.111:80 TCP:S

            Sun May 22 19:08:39 2016 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
            Sun May 22 19:08:40 2016 [AAA] Peer Connection Initiated with [AF_INET]XXXX:1194
            Sun May 22 19:08:42 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
            Sun May 22 19:08:42 2016 open_tun, tt->ipv6=0
            Sun May 22 19:08:42 2016 TAP-WIN32 device [Ethernet 2] opened: \.\Global{55937E67-29D2-4CFD-9724-3B2ADCE61312}.tap
            Sun May 22 19:08:42 2016 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.101.0/192.168.101.2/255.255.255.0 [SUCCEEDED]
            Sun May 22 19:08:42 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.101.2/255.255.255.0 on interface {55937E67-29D2-4CFD-9724-3B2ADCE61312} [DHCP-serv: 192.168.101.254, lease-time: 31536000]
            Sun May 22 19:08:42 2016 Successful ARP Flush on interface [8] {55937E67-29D2-4CFD-9724-3B2ADCE61312}
            Sun May 22 19:08:47 2016 Initialization Sequence Completed

Derelict (Netgate)

              Are the default gateways in these devices set to pfSense?

              Rules on the OpenVPN Tab/Assigned interface tab govern connections FROM the remote devices INTO your pfSense node.

              Connections from LAN to VPN devices are governed on the LAN tab.

              This is probably routing, not OpenVPN.

fireix

                "Are the default gateways in these devices set to pfSense?"

No, they have an internal DHCP server as their gateway.

Derelict (Netgate)

Well then that's where they are going to send the traffic for networks other than their subnet (like 192.168.101.0/24).

fireix

                    Is there a way to connect to the network (192.168.100.0/24) only for the connection or something without having to set another gw on each device?

Derelict (Netgate)

                      You can outbound NAT out the pfSense LAN interface so all connections appear to come from 192.168.100.1.

You would lose the ability to determine which VPN client was accessing the 192.168.100.X device though, as all connections would appear to come from the same IP address.


fireix
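Derelict's two points, that the tun-mode tunnel network must be a separate routed subnet whose routes get pushed to the client, and that LAN devices send their replies to their own default gateway (which is why outbound NAT to the pfSense LAN address makes them answer), as an added Python model that is not from the thread; the device gateway 192.168.100.254 is a constructed value, the other addresses come from the posts.

```python
import ipaddress


def tunnel_overlaps_local(tunnel, local_nets):
    """Return the local networks that collide with the tunnel network.

    A tun-mode remote access server needs a tunnel network that is routed
    separately from the LANs it serves (fireix's first attempt used
    192.168.100.0/24 for both, which is the error this detects)."""
    t = ipaddress.ip_network(tunnel)
    return [n for n in local_nets if t.overlaps(ipaddress.ip_network(n))]


def client_route_for(dst, tunnel, local_nets, redirect_gateway=False):
    """Where the VPN client's OS sends a packet to dst: "tunnel" or "default".

    The tunnel network and every "Local Network" entry are pushed as routes,
    so only those destinations go into OpenVPN unless the Redirect Gateway
    checkbox (redirect-gateway) makes the tunnel the default route."""
    d = ipaddress.ip_address(dst)
    pushed = [ipaddress.ip_network(tunnel)] + [ipaddress.ip_network(n) for n in local_nets]
    if any(d in n for n in pushed):
        return "tunnel"
    return "tunnel" if redirect_gateway else "default"


def reply_reaches_pfsense(device_ip, device_mask, device_gw,
                          pfsense_lan_ip, client_src, nat_to_lan=False):
    """Return-path check for a LAN device answering a VPN client.

    Without NAT the device sees a source in 192.168.101.0/24, which is off
    its subnet, so the reply goes to the device's default gateway; it only
    returns through the tunnel if that gateway is pfSense. With outbound NAT
    on the LAN interface the source becomes the pfSense LAN address, which is
    on-link for the device, so no gateway change is needed."""
    dev_net = ipaddress.ip_network(f"{device_ip}/{device_mask}", strict=False)
    src = ipaddress.ip_address(pfsense_lan_ip if nat_to_lan else client_src)
    if src in dev_net:
        return True  # on-link destination: the device ARPs for it directly
    return ipaddress.ip_address(device_gw) == ipaddress.ip_address(pfsense_lan_ip)


if __name__ == "__main__":
    print(tunnel_overlaps_local("192.168.100.0/24", ["192.168.100.0/24"]))
    print(client_route_for("192.168.100.111", "192.168.101.0/24", ["192.168.100.0/24"]))
    # constructed: device gateway is the camera network's own DHCP server, not pfSense
    print(reply_reaches_pfsense("192.168.100.111", "255.255.255.0", "192.168.100.254",
                                "192.168.100.1", "192.168.101.2"))
    print(reply_reaches_pfsense("192.168.100.111", "255.255.255.0", "192.168.100.254",
                                "192.168.100.1", "192.168.101.2", nat_to_lan=True))
```

The firewall log line in the thread (192.168.101.2 to 192.168.100.111:80 accepted, but no reply) matches the third call: the forward path is fine and it is the return path that fails.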

                        I assume NAT is not possible, because I run in transparent mode/bridged?
