Pfsense as openvpn client
-
I just replaced my home router (OpenWrt based) with pfSense. I managed to configure it successfully; however, I ran into some minor issues with OpenVPN. I managed to get it to connect to another OpenVPN server (which is also running on pfSense in my office). I can ping from the pfSense box at home to the pfSense box in the office through the VPN; however, the client behind my home pfSense box cannot ping the private IP located on the pfSense server.
On the OpenWrt router I needed to enable IP forwarding/masquerading to achieve this, and I successfully routed machines behind the OpenWrt box to machines behind the pfSense box in the office.
On the firewall tab I already created an any-to-any rule on the LAN and OpenVPN interfaces. What am I missing?
-
On the OpenWrt router I needed to enable IP forwarding/masquerading to achieve this
That is only necessary if one of the VPN endpoints is not the default gateway.
On pfSense that can be achieved by an outbound NAT rule. Hybrid or manual rule generation must be activated.
-
That is only necessary if one of the VPN endpoints is not the default gateway.
On pfSense that can be achieved by an outbound NAT rule. Hybrid or manual rule generation must be activated.
Yes, I configured the VPN server not to make the VPN the default gateway. Instead I manually push routes for the IPs/networks I want to access through the VPN in the server configuration.
Can you guide me in the right direction? I tried to configure the outbound NAT rule but so far no luck.
Here's my routing table on the pfSense:
[2.4.2-RELEASE][admin@pfSense.localdomain]/root: netstat -r
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.0.254      UGS         bge0
10.0.2.0/24        10.0.102.1         UGS       ovpnc1
10.0.4.0/24        10.0.102.1         UGS       ovpnc1
10.0.7.0/24        10.0.102.1         UGS       ovpnc1
10.0.102.0/24      10.0.102.1         UGS       ovpnc1
10.0.102.1         link#11            UH        ovpnc1
10.0.102.3         link#11            UHS          lo0
10.232.0.4         192.168.0.254      UGHS        bge0
50.subnet118-98-44 192.168.0.254      UGHS        bge0
245.subnet125-160- 192.168.0.254      UGHS        bge0
localhost          link#3             UH           lo0
192.168.0.0/24     link#1             U           bge0
192.168.0.2        link#1             UHS          lo0
192.168.5.0/24     link#7             U         bge1.1
pfSense            link#7             UHS          lo0
192.168.6.0/24     link#9             U        bge1.20
192.168.6.250      link#9             UHS          lo0
192.168.8.0/24     link#10            U        bge1.30
192.168.8.250      link#10            UHS          lo0
192.168.88.0/24    link#8             U        bge1.10
192.168.88.250     link#8             UHS          lo0
I can ping hosts behind the VPN server from the pfSense box:
ping 10.0.2.2
PING 10.0.2.2 (10.0.2.2): 56 data bytes
64 bytes from 10.0.2.2: icmp_seq=0 ttl=63 time=7.426 ms
64 bytes from 10.0.2.2: icmp_seq=1 ttl=63 time=7.026 ms
64 bytes from 10.0.2.2: icmp_seq=2 ttl=63 time=6.526 ms
64 bytes from 10.0.2.2: icmp_seq=3 ttl=63 time=6.922 ms
^C
--- 10.0.2.2 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 6.526/6.975/7.426/0.320 ms
but not from the client behind the pfSense box. I cannot even ping the OpenVPN interface from the LAN.
-
You misunderstood. The point is whether the pfSense boxes are the default gateways in the LANs behind them, on both sites.
IP packets to the remote network are routed to the default gateway, as long as there is no special route set for it on the sending computer. If both boxes are the default gateways in their LAN networks, there's no NAT rule needed. Just set the options "IPv4 Local Network/s" and "IPv4 Remote Network/s" correctly on both server and client.
-
You misunderstood. The point is whether the pfSense boxes are the default gateways in the LANs behind them, on both sites.
IP packets to the remote network are routed to the default gateway, as long as there is no special route set for it on the sending computer. If both boxes are the default gateways in their LAN networks, there's no NAT rule needed. Just set the options "IPv4 Local Network/s" and "IPv4 Remote Network/s" correctly on both server and client.
Both pfSense boxes (the OpenVPN server and the client) are the default gateways of their local LANs. This is why I am very confused: the routes are already displayed in the routing table of the pfSense OpenVPN client, and I can ping from the pfSense box, but somehow the machine behind it cannot ping the VPN networks.
If I traceroute to the VPN subnet or even the VPN gateway IP from the LAN interface:
C:\Users\thasan>tracert 10.0.2.2

Tracing route to 10.0.2.2 over a maximum of 30 hops

  1    <1 ms    <1 ms     1 ms  192.168.8.254 (pfsense box)
  2     1 ms     1 ms     1 ms  192.168.0.254 (ISP router, cannot turn off NAT/enable bridge mode)
  3     1 ms     1 ms     1 ms  x.x.x.x (public IP gateway of the ISP)
  4  x.x.x.x  reports: Destination host unreachable.

Trace complete.
It should not be routed to the WAN interface, right? I am pretty sure the problem is on the pfSense OpenVPN client side, as I did not change any configuration on the server side and the OpenVPN client on the OpenWrt router was able to route the traffic just fine.
However, last night I tried playing around with outbound NAT, manually creating the OpenVPN interface, adding the OpenVPN gateway, and creating firewall rules (so traffic to destinations behind the pfSense server is routed through the OpenVPN interface); finally the client behind the pfSense box was able to ping the OpenVPN server side networks.
Is this the correct way to do it? It seems a bit more complicated.
-
Of course, the packets should be routed to the VPN server.
However, the traceroute shows the packets are directed to 192.168.8.254 from the source device, while according to the routing table above 192.168.8.250 is the pfSense LAN IP.
???
What's the real LAN IP now?
-
Of course, the packets should be routed to the VPN server.
However, the traceroute shows the packets are directed to 192.168.8.254 from the source device, while according to the routing table above 192.168.8.250 is the pfSense LAN IP.
???
What's the real LAN IP now?
Sorry for the confusion, I changed the pfSense LAN IP to *.254 from *.250 since I finally managed to get it working (albeit a bit complicated), so I can finally shut down my OpenWrt router. I have several VLANs set up in the pfSense (management interface, trusted, guest, IoT) and all pfSense LAN:
My topology is something like this:
WAN pfSense home (192.168.0.2) ==> connected to the ISP router
a few VLANs in the 192.168.x.0/24 subnets (management, trusted, guest, IoT)
all clients on the VLAN interfaces can browse the internet fine and all interfaces currently have any-to-any rules except for the IoT
WAN pfSense office (public IP)
also has a few VLANs, in the 10.0.x.0/24 subnets
the subnet for the OpenVPN interface is 10.0.102.0/24
I managed to get it to work after I followed https://forum.pfsense.org/index.php?topic=29944.0 and modified it according to my needs, so it only routes into the VPN tunnel based on the destination IP/network, and it's working well so far :) Not sure this is the correct way to do it, but it's working. More configuration is needed (usually I only configure the client config file in the OpenVPN server); now I also need to configure a few firewall rules on the OpenVPN client end (in addition to configuring the outbound NAT).
The odd thing is, if I traceroute from the office LAN side to the internal network it does pass through the OpenVPN LAN interface and I don't need to configure anything on the firewall on the OpenVPN server side.
C:\Users\thasan>tracert 192.168.5.201

Tracing route to 192.168.5.201 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.0.7.254
  2     6 ms     6 ms    11 ms  10.0.102.3
  3    12 ms    16 ms    10 ms  192.168.5.201
whereas if I traceroute from the other side it omits the pfSense LAN IP and goes directly to the OpenVPN interface:
traceroute 10.0.7.10
traceroute to 10.0.7.10 (10.0.7.10), 30 hops max, 38 byte packets
 1  10.0.102.1 (10.0.102.1)  7.177 ms  5.878 ms  6.333 ms
 2  10.0.7.10 (10.0.7.10)  6.048 ms  *  6.322 ms
I am happy now :), but just wondering whether this is the correct way to do it.