Routing OpenVPN to LAN with only LAN port and no WAN port?
-
Hello,
Wasn't sure which of the subforums this would fit in best so went with the general forum ;)
I'm running pfsense in a VM for testing and I want run a vpn on it that will allow me to access various devices on my lan. Because I'm running pfsense in a VM on a box that is not between my router and devices and I need to have everything on the same subnet I'm having some problems with routing traffic to the lan.
Configuration
Router/gateway: 192.168.1.1
VM host: 192.168.1.5
Pfsense VM: 192.168.1.10
Other devices: 192.168.1.20 - 30I've got pfsense set up with only one lan port with the above IP and no wan port. With this configuration I can ping the pfsense VM from my lan and pfsense can access the internet.
I've configured OpenVPN on the pfsense VM and I can successfully connect from my phone, ping and access the pfsense VM but I cannot ping any other devices on my LAN.
Running wireshark I can see ping requests etc coming from my phone through the VPN tunnel (device ip 10.0.8.6) directed to the ip of the lan devices but I don't see any replies.
I suppose this makes sense because my lan devices have the router, 192.168.1.1, as their gateway and not the pfsense VM.
Is it possible to solve this? Should all OpenVPN traffic entering the lan be made to look like its originating from the pfsense VM rather than the OpenVPN tunnel so that devices reply to the pfsense VM which in turn will route it back to the VPN tunnel?
If I configure a WAN interface on 192.168.1.xxx and the LAN on 192.168.10.xxx and set my host to connected through that on the loopback adapter (so its on the 192.168.10.xxx subnet) I am able to ping lan devices through the VPN tunnel so I know OpenVPN and the Firewall rules are OK but that the routing is failing.
At least that is what I think is happening :P
-
The destination device on LAN needs a route to the OpenVPN tunnel network with a destination of the pfSense node's LAN address for it to work like that.
Is it possible to solve this? Should all OpenVPN traffic entering the lan be made to look like its originating from the pfsense VM rather than the OpenVPN tunnel so that devices reply to the pfsense VM which in turn will route it back to the VPN tunnel?
ding ding ding
If you do not need to identify the source address of the OpenVPN clients on the destination hosts, you can just outbound NAT on LAN for the tunnel network sources. Just create a hybrid outbound NAT rule on LAN using the tunnel network as the source network and LAN address as the NAT address.
If you do need to identify the source addresses you will have to get more creative using multiple VIPs, Multiple outbound NAT rules, or perhaps 1:1 NAT.
-
Thanks. I think I get what you are saying but…
The destination device on LAN needs a route to the OpenVPN tunnel network with a destination of the pfSense node's LAN address for it to work like that.
This means that one e.g. a Windows host I'd add route add 10.0.8.0 mask 255.255.255.0 192.168.1.5. Can't test it right now but that makes sense. But this wouldn't be necessary if I'd get NAT working?
If you do not need to identify the source address of the OpenVPN clients on the destination hosts, you can just outbound NAT on LAN for the tunnel network sources. Just create a hybrid outbound NAT rule on LAN using the tunnel network as the source network and LAN address as the NAT address.
I don't think so? An example of what I want to do is this: Run VNC server on the host, connect with my phone to the pfsense VM openvpn and then connect to the host using VNC or access some web services running on my host from my phone going through the VPN.
PS one thing I forgot to mention is that while I can ping and access the pfsense box I cannot browse the internet through the VPN. I understand why I can't access the LAN but shouldn't browsing work since pfsense is doing all the routing (openvpn -> router -> back to pfsense -> openvpn)? Though in the trace it looked like all the requests were coming from the vpn rather than pfsense so maybe this is a nat issue as well.
I'll try adding routes on my host and configure nat in pfsense.
-
Yes. That is the kind of route you would need. If it's only the one host it's not so bad.
If you NAT, the traffic from the host back to the VPN client will be same-subnet so the route is not necessary.
If you are just trying to do this for access into your own network then you know who is connecting and NAT from the LAN interface address would be fine.
-
I'm having some problems getting it to work.
Setting a static route on a Linux or Windows VM doesn't work. Setting the route on my host works but when doing a traceroute it goes: 192.168.1.5 -> 192.168.1.1 -> timeouts.
The default gateway on pfsense is 192.168.1.1 so it looks like pfsense is routing it back to the router. I can't get this to work with a route or firewall rule.
I'm also not entirely sure what to do under the NAT settings. I find the language used a little bit unclear.
Firewall -> NAT -> OUTBOUND -> Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below) -> Save.
Interface: LAN
Source 10.0.8.0/24
source port: *
destination: 192.168.1.0/24
destination port: *
NAT address: 192168.0/24
NAT port: *
Static: NOI tried different settings but no luck with any of them. Any hints?
-
NAT address: 192168.0/24
Try NAT address LAN address
-
I don't have that option. Under source I can only select any, firewall (self) or network. Under destination there is only any or network.
I've attached a screenshot.
-
I don't know why but after clicking around some more the hybrid outbound nat automatically created the correct rules. Now there is a source 10.0.8.0/24 destination lan address entry and I'm able to access my lan :)
Going to set up a fresh VM tonight on my htpc if I got time.
Thanks.