[SOLVED] How to use VIP's for OpenVPN
-
Hi
I have a pfSense box, where i am running a couple of OpenVPN servers. I need one of the OpenVPN servers to use one of my Virtual IP addresses, but im struggling to make it work.
My Virtual IP's are setup as IP aliases.-
In the Openvpn server i have set the interface to the VIP.
-
In outbound nat i have changed the translation adresse on the to auto created rules to the VIP.
-
I have made a firewall rule where i allow traffic on the openvpn port (Interface is set to WAN and destination adresse is set to single host and VIP).
If i change use tne WAN adresse the VPN server works fine.
Best regards
Esben -
-
Why do you need to use a VIP? A VPN is an interface that would get it's own IP address.
-
@jknott said in How to use VIP's for OpenVPN:
Why do you need to use a VIP? A VPN is an interface that would get it's own IP address.
We have a department in china and the chineese ISP's regularly block ip's with VPN traffic. So we need to cycle the ip addresses otherwise our employees can't connect to the HQ via openvpn.
-
Did you know you can hide OpenVPN behind some HTTPS Webserver? This is limited to TCP OpenVPN tho.
https://www.netgate.com/docs/pfsense/vpn/openvpn/sharing-a-port-between-openvpn-and-a-web-server.html-Rico
-
@Rico that is not really hiding the vpn traffic.. That is just allowing inbound traffic to say 443 tcp to work for both vpn and webserver..
Hiding the vpn traffic would be like putting the vpn traffic inside a stunnel.
I have not done any research into the subject - but the use of tls-crypt that became available with openvpn 2.4 might also make it a "bit" harder for identification that its vpn traffic.. Maybe...
-
...in combination with tls-crypt ?
-Rico
-
tls-crypt is set when you set tls to both encryption and auth.
-
Yes I know, my posting was before I saw you edited yours.
-Rico
-
ah... makes more sense now ;)
-
@glacier said in How to use VIP's for OpenVPN:
We have a department in china and the chineese ISP's regularly block ip's with VPN traffic. So we need to cycle the ip addresses otherwise our employees can't connect to the HQ via openvpn.
Do they block by IP or protocol? It seems to me protocol would be more likely.
-
They are blocking/ban by null routing IPs as well.
-Rico
-
@rico said in How to use VIP's for OpenVPN:
They are blocking/ban by null routing IPs as well.
Exactly. We migth be able to hide it better, however eventually the ip will get blocked, which is why we would like to use VIP's to cycle through the bans.
-
Well you don't have unlimited VIPs to cycle them over and over again right? So in the long run it would be better to hide the VPN traffic. I think with the 443 Port Share trick and tls-crypt it could work to get around this.
Anyway, I will try to answer your question. :-) Bind your OpenVPN to localhost, then use a Port Forward with your VIP to localhost.-Rico
-
Port share won't hide the traffic and tls-crypt maybe for a while, eventually they will find out how to identify it.
stunnel is what I would do... -
I don't see how the share thing would hide anything - other than if you have normal https traffic going to that dest IP from the IP in china.. That might confuse them seeing normal web and vpn going to the same IP? All depends on how exactly they identify it as vpn traffic.
-
Thanks alot for all of the answers.
I'll try out the portforwarding thing, aswell as tls-crypt and stunnel.@rico said in How to use VIP's for OpenVPN:
Well you don't have unlimited VIPs to cycle them over and over again right?
No, but in the past the banned ip's have been unbanned after a month or so.
Best Regards
Esben
