VPN Relay on same subnet?
-
Hi all, I have searched myself into a state of confusion. I think the information is here but I am burnt out and words have lost meaning :) In reality, I just don't think I am using the correct search strings.
I have one static IP from the ISP that is handled by an ASA 5505 (at some point pfsense will replace this but I need to see it running for a while and get familiar).
I have a machine that must have all traffic move via VPN and no bleeds of data to the public network. What I have envisioned is, I set up pfsense (with openvpn) as that machine's gateway and then pfsense passes the encrypted traffic through the ASA like any other traffic... that should be it, right? I set up two nics (pfsense is in an ESXi VM) but I can't seem to have them IP'd on the same subnet.
Well, I have built the server up and I just can't connect the dots. The VPN interface should be its own interface... right? Do I have to have two nics to do this? Do I have to have a WAN nic to do this? I'm going to flatten this build and start again... but I need to have more info. I guess, ideally, I'd like to use one nic as the "LAN" nic and the virtual "VPN" interface just repackages stuff and sends it back out that LAN interface. Clear as mud? :)
I don't want or expect anyone to hold my hand but I think I am looking at this the wrong way and could use a shove in the right direction. Thanks!
-
@selbs said in VPN Relay on same subnet?:
What I have envisioned is, I set up pfsense (with openvpn) as that machines gateway and then pfsense passes the encrypted traffic through the ASA like any other traffic... that should be it, right?
That's exactly the point. pfSense has to be the only one default gateway on that machine.
However, consider that this means that the machine is only reachable from within your LAN or by adding manual static routes to your computers and to that machine as well. On pfSense the ASA has to be set as default gateway.
@selbs said in VPN Relay on same subnet?:
I set up two nics (pfsense is in a esxi VM) but, I can't seem to have them IP'd on the same subnet.
Why two NICs? Since you're going to connect it to only one network, one interface will be sufficient.
@selbs said in VPN Relay on same subnet?:
The VPN interface should be its own interface... right?
It's a virtual interface. However, if you want to use it as gateway you should assign an interface to the OpenVPN instance in Interfaces > Assignments and enable it.
Which interface you use on pfSense doesn't matter, as long as you configure the rules to allow the needed access.
Consider that on the WAN interface private networks are blocked by default (a check box in the interface settings), so you will have to uncheck this, while on LAN any incoming traffic is allowed by a predefined rule.
-
Thank you! That definitely pushes me in the right direction. I'm going to rebuild today!
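The answer above rests on two routing facts: the protected machine's only default gateway is pfSense, and pfSense's own default gateway is the ASA. The script below is an added example, not code from the thread or from pfSense; it audits a Linux-style `ip route show` listing against an expected gateway, and the addresses (ASA 192.168.1.1, pfSense LAN 192.168.1.2) and sample route tables are constructed assumptions.

```shell
#!/bin/sh
# Added example: verify that a routing table has exactly one default route and
# that it points at the gateway we expect. Run on the VPN-only machine with the
# pfSense LAN address as the expected gateway; the same check applied to the
# pfSense box should name the ASA. Addresses here are constructed assumptions.
ASA_GW="192.168.1.1"       # assumed ASA LAN address (the ISP edge)
PFSENSE_GW="192.168.1.2"   # assumed pfSense LAN address (the VPN gateway)

# check_default_route ROUTE_TABLE EXPECTED_GW
#   ROUTE_TABLE is the text of `ip route show`. Prints one verdict:
#   OK                 exactly one default route, via EXPECTED_GW
#   NO_DEFAULT         no default route (machine is isolated, not leaking)
#   MULTIPLE_DEFAULTS  a second default route gives traffic a path around pfSense
#   LEAK               the single default route bypasses EXPECTED_GW
check_default_route() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^default / {
            n++
            for (i = 1; i <= NF; i++) if ($i == "via") gw = $(i + 1)
        }
        END {
            if (n == 0)          print "NO_DEFAULT"
            else if (n > 1)      print "MULTIPLE_DEFAULTS"
            else if (gw == want) print "OK"
            else                 print "LEAK"
        }'
}

# Constructed sample tables for the protected machine (192.168.1.50).
ROUTES_GOOD="default via 192.168.1.2 dev eth0 proto static
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50"

# DHCP handed out the ASA as gateway: traffic would skip the VPN entirely.
ROUTES_LEAK="default via 192.168.1.1 dev eth0 proto dhcp
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50"

# A static route to pfSense was added but the DHCP default was never removed.
ROUTES_DUAL="default via 192.168.1.2 dev eth0 proto static metric 100
default via 192.168.1.1 dev eth0 proto dhcp metric 200
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50"

# Live use on the protected machine (commented out so the sample runs offline):
# check_default_route "$(ip route show)" "$PFSENSE_GW"
for t in "$ROUTES_GOOD" "$ROUTES_LEAK" "$ROUTES_DUAL"; do
    check_default_route "$t" "$PFSENSE_GW"
done
```

Anything other than `OK` means the "no bleeds to the public network" requirement is not met by routing alone, which is the situation the reply warns about when it says pfSense has to be the only default gateway.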