Site to Site VPN behind Firewall
-
I have a corporate site with a PFSense router and a static IP.
I have quite a few users who are always on the go, but need direct access to the internal network.Here are the needs that I have for an OpenVPN configuration:
Each of these users will have a dynamic IP address
Sometimes these clients will be behind another firewall, such as hotels, coffee shops, a personal hotspot on their cell phone, etc...
I need each of these clients to also have their own subnet (i.e., /24).
Each of these clients must have access to the network at the corporate site
The corporate site must have access to route to each of the devices (as they would allow) on the clients subnet
I also want them to be able to have all traffic route to this OpenVPN connection
I can't control in most cases the NAT of the Firewall that the client is on, as it is usually a hotel, coffee shop or something else.
The client must automatically use DNS from the Corporate site.
I did this using SonicWall in the past, and I assume this is also possible on OpenVPN. The problem with SonicWall was the devices were all too big for travel, and I had a need to switch over to PFSense. I have purchased a few devices that are small and capable to perform this, but willing to purchase other devices as needed.If it is recommended to use IPSec instead I can.
To summarize my question, what type of configuration do I use to PFSense to achieve what I am looking to do here for site to site behind an existing firewall?link text
-
Hello ated19,
This is not specifically site to site VPN connection, what you have described is more a "road warrior" configuration.
The configuration you are looking for is very much easy to do with pfsense.
Things to configure (assuming IPv4):
- Redirect IPv4 Gateway -> Check Force all client-generated IPv4 traffic through the tunnel
- IPv4 Local Networks -> Networks that need access behind the firewall (ie non-routeable IPs) although I'm not sure if this is needed if all traffic is going through the VPN.
- Topology -> Net30
- Do not use common non-routable IPs for your OpenVPN Server (ie.. 192.168.0.1 or the likes). As this will give issues when people are connecting in coffee shops or other areas where wifi is available. Use a IP address that is not common.
On number 3 above (Net30) not sure why you would need this, if your concern is inter network communications between OpenVPN users, the check box Inter-client communications should be unchecked. This will prevent OpenVPN users from seeing each other on their VPN connection.
Then setup NAT and WAN for the new OpenVPN Server.
Clients would have to download OpenVPN (Windows) or Viscosity (MacOS) and you will have to send them the profile files so they can connect. There is also a package that will automatically generate the profile files for you within pfSense (openvpn-client-export).
Regarding all traffic sent through the tunnel.
I prefer to have a split tunnel, in that only networks that they need access to are routed through the VPN tunnel and all other access is through the local wifi.RHLinux