PF Sense as a Firewall with OpenVPN (NEED HELP!!!)
-
So, I want to explain my scenario quick before asking.
I have 5 Sites, For the sake of this lets call them Site A (main servers, web servers, etc) Site B, C, D and E (this are mainly remote locations)
I have configured PFSense on Site A as a Firewall. (No routing, no NAT). This site has also a OpenVPN Server Configured. (P2P PKI, TUN)
Site B - E have PF Sense as routers with OpenVPN Clients.
Lastly, I have a block of public ip addresses that I will use in Site A, which is mainly where all the main servers are. Each server will have their own public ip address.
What Im trying to do is:
Have Site B throught E connect to Site A via OpenVPN. (Site A will only accept connections on the VPN port) Once they all connected to the VPN on Site A, then they can see the servers behind the firewall. (Some services will be blocked for some users, but thats not the issue right now)
Sites B - E cannot see each other. Each of the sites can only access Site A
VPN is just for accessing the servers. (Not to be used to hide public ip and browse the internet with it)
What I have accomplished so far.
All sites are connected via OpenVPN, Tunnel is up.
I setup rules on each site to allow only traffic destined to site A only via VPN. (Regular browsing like Google.com will not use the VPN as a gateway)
What I'm missing
Once the connection is up, Packets make it to the firewall in Site A, But I can't see any of the servers behind the firewall.
So, Is this posible? Or am I trying something that can't be done.
Thanks in advance.
-
Might be better asked in the OpenVPN forum, but a simple quick check:
On each pfsense box (all six of them) do you have a firewall rule for the OpenVPN interface that allows any-any?
For PKI, did you setup appropriate entries in Client Specific Options on the OpenVPN server to let ir know where to route traffic for each of Site B-E?
Are the LAN's on the B-E sites (as well as the server) using non-overlapping subnets?
I would suggest moving this over to the OpenVPN board…
-
I did check on the OpenVPN site to see how can I do this, but everything I found was configurations for the vpn on its own. (not for pfsense) I'll double check just in case and I'll also take this question over there.
Still, let's answer those questions
1. Site B-E has an OpenVPN interface and yes they all have a any-any rule. Site A doesn't have an interface for OpenVPN server, so maybe here is where I'm failing.
2. I haven't used the "Client Specific overrides" option on the OpenVPN server. Wasn't sure what this does but I'm assuming now is for pushing routes to a specific clients (please correct me if im wrong). And if it is, i don't think I have to use this, since all sites need the same access.
3. Now that you mention it, yeah, some private Ip addresses are overlapping So i have to reconfigure all sites local ip address. But at the moment of writing, I don't think this is a problem yet since Im only using Site B to test connections. Site C-E aren't connected yet.
-
Sorry, I didn't mean the OpenVPN site, but the specific section of this forum for OpenVPN issues :https://forum.pfsense.org/index.php?board=39.0
1. Site B-E has an OpenVPN interface and yes they all have a any-any rule. Site A doesn't have an interface for OpenVPN server, so maybe here is where I'm failing.
I don't see how Site B can connect via OpenVPN to Site A unless Site A has an OpenVPN interface?
How did you build these connections, with wizard or manually?2. I haven't used the "Client Specific overrides" option on the OpenVPN server. Wasn't sure what this does but I'm assuming now is for pushing routes to a specific clients (please correct me if im wrong). And if it is, i don't think I have to use this, since all sites need the same access.
Yes, the general technique is to specify all the possible external networks the OpenVPN server will pass to various clients (the "Remote Networks" in the server's config).
Then you specify which of that set will be routed to each client in the client's specific CSO. Obviously it works best if there's no possible overlap, thus my question 3.I would suggest you get one client working properly, then add a second and the third and fourth should be much easier.
-
Quick update: I manage to do what I was looking for using OpenVPN server as a gateway for the tunnels. and doing NAT with pfsense public IP address. but still have some unanswered questions.
I don't see how Site B can connect via OpenVPN to Site A unless Site A has an OpenVPN interface?How did you build these connections, with wizard or manually?
Manually. Apparently pf sense does create the tunnel without the interface. Obviously there's no traffic without it, but since I saw the status of the tunnel up, I mistakenly thought that was enough. So all sites has interface and there's traffic in it.
2. Yes, the general technique is to specify all the possible external networks the OpenVPN server will pass to various clients (the "Remote Networks" in the server's config).
Then you specify which of that set will be routed to each client in the client's specific CSO. Obviously it works best if there's no possible overlap, thus my question 3.This one I still have some doubts. For example. Stie B-D are regular clients. they only need access to certain services to perform their duties. So I believe is ok that they all share the same routes and rules for them. Now since there's just one site where the admins will be (Site E), I created another vpn server on site A as remote access since we could be at the office, or working remotely, without all the restrictions needed for the rest of the sites.
One thing its annoying me a little is the following:
If Site B-D share the same private ip block (ie.10.10.10.0/24) I could access pfsense webgui on Site A using its tunnel ip address (ie. 10.10.10.1). Obviously this can't happen, so I just restricted with a rule, and they can't see each other cause im using net30 topology. But from Site E (the admins) I have any-any rule at the tunnel's interface and Im not able to ping it using site E tunnel's ip. (10.10.20.1) I still can access all site's pfsense webgui from the admin site via lan ip or the other tunnel ip, but not the actual tunnel ip where im connected to. And I can see the servers behind it. this is not too much of a concern for me. But at the same time, I want to understand why I can't ping the tunnel's gateway, even thought the interface has any-any rule.