Routing traffic from RAS through site-to-site?
-
Hey all,
pfsense noob here. Tried searching a bit and wasn't able to locate an issue that (to me) seemed the same as this although I'm sure it's been brought up. Here's what's going on:
Client of mine has 2 sites both on pfsense 2.2.4
They have a site-to-site tunnel using openvpn and they also user remote access through openvpn using ssl/tls+userauth with a RADIUS backend. Both of these service, independently, work.When directly on one of the networks (not connected through RAS) I can traverse the site-to-site tunnel from both locations and access network resources
When connecting to a site remotely via VPN I can access all resources at that siteI can not however, remotely connect to either site and traverse the site-to-site once remotely connected through the vpn.
I'm sure this is probably a simple route or potentially firewall rule issue but I haven't been able to figure it out. All help is much appreciated, will post whatever logs/screen caps requested, thanks!
EDIT: I should add, I have run a packet capture, I can see the traffic being sent through the site-to-site tunnel, but nothing is picking up on the other side.
Joe
-
Add an outbound NAT rule for the OpenVPN interface at the side where packets enter the VPN, to translate the source address to the VPN server address when packets enter the VPN.
Go to Firewall: NAT: Outbound, if you have "Automatic outbound NAT rule generation" on select "Hybrid Outbound NAT rule generation" and klick save. Then add a rule like this:
Interface=OpenVPN, Source=any, Destination=any, Translation=Interface address -
Add an outbound NAT rule for the OpenVPN interface at the side where packets enter the VPN, to translate the source address to the VPN server address when packets enter the VPN.
Go to Firewall: NAT: Outbound, if you have "Automatic outbound NAT rule generation" on select "Hybrid Outbound NAT rule generation" and klick save. Then add a rule like this:
Interface=OpenVPN, Source=any, Destination=any, Translation=Interface addressThank you so much, that worked. I greatly appreciate it!
-
As you suspected, this is a routing issue that has been addressed before, but we know it can be hard to search for. The issue is the remote end has no idea how to route the return traffic because it appears local. So, while viragomann's solution works, you lose auditing capabilities because all incoming connections at the remote end appear as the server side interface address. This limitation is a potential risk because you lose granular control and are unable to isolate, identify and firewall incoming connections from RAS users across the tunnel. Your client will need to make a decision on whether losing that granular control on this particular tunnel is an acceptible risk.
As long as you have access to both ends, the cleaner solution is to make some minor adjustments to the openvpn config:
-
One the server side, add a push route for the remote LAN to your VPN clients
-
On the client side, add a return route for the RAS tunnel network
-