Accessing Client Side VLANs While Connected As Remote VPN Client
-
I maintain a server at my parents' house. They have an OpenVPN server running on their pfSense box, which I remote into using my laptop. My laptop is on VLAN10 at my house.
Often I find myself needing to access my server to reference something I have already done. My server is on VLAN14 at my house. But I cannot access my server until I disconnect from their VPN.
I am pretty sure it behaves this way because the "Redirect IPv4 Gateway" option is checked, which forces all traffic through the OpenVPN server. This is something we want to keep checked, as the VPN is used by my parents to access their home network when they are away, and they want all of their traffic sent through the home router.
So, without adding a network card to my server to physically put it on VLAN10, how can my laptop on VLAN10 access my server on VLAN14 while my laptop is connected as a VPN client?
i.e. How can I access the red line while still connected to the green line?
-
@hieroglyph Make a client override rule for your connection common name and don't push default gateway redirect.
Just add the remote networks you need on the same page, like this:
push "route 192.168.18.0 255.255.255.0"
and it will be fine.
-
Connections between VLANs are just regular routing. In this respect, there's no difference between a VLAN and a regular interface.
BTW, why is the laptop on a different VLAN from the server? Why are you using VLANs at all? It looks like you're making things more complicated than you have to.
-
Why are you running a VPN client on your PC at all? Why would you not just run a site-to-site VPN between your pfSenses?
-
What if the laptop is also used elsewhere?
-
Well then, elsewhere you use the VPN client on the laptop. You could even set it up so that you VPN once while you're remote with this laptop and you have access to both networks.
-
@johnpoz It's obvious that the OP hasn't dived deep (yet).
In any case, a remote access setup is something that can be accomplished by following canned instructions. A site-to-site VPN with subnets AND remote access is kinda custom...
-
There are canned instructions for an S2S as well, either IPsec or OpenVPN.
For such a setup an S2S would be better than using a client on the laptop, be it he just uses it at the one location or he travels with it.
-
@netblues This works. I should have thought to do this. Thank you.
OpenVPN Server Settings: Unchecked "Redirect IPv4 Gateway". And kept 192.168.18.0/24 in "IPv4 Local Network/s".
For my laptop: Created a client specific override for my common name. In the client specific override settings "IPv4 Local Network/s" added 192.168.18.0/24 and kept "Redirect Gateway" unchecked.
For my parents devices: Created a client specific override for each of their common names. And in the client specific override settings checked "Redirect Gateway".
@JKnott The laptop is my everyday device that is on my critical VLAN along with my cellphone, the girlfriend's everyday devices, etc. The server is a media server and is on the media-server VLAN along with a few ODROIDs and video wall controllers. I know I don't necessarily need VLANs for my home network, but I enjoy learning how to use them.
@johnpoz Lack of knowledge is part of the answer to your question. I am not always home when I need to remote into my parents' network. I thought a road warrior VPN was the right tool for the job. It sounds like there are other, better options.
I did some reading on site-to-site VPNs. From what I understand, this is like having an always-open tunnel between the pfSenses. Which is cool; it would at least save the time of having to double-click the shortcut and type in the root password every time I needed to do something on their network. It appears the two most mentioned are an S2S IPsec and an S2S OpenVPN server-client. I do not yet understand how I would utilize the site-to-site if I am not at home. Is one more preferred over the other for maintaining a remote server both from home and when travelling?
@netblues I do use this laptop everywhere I go, and I may not be home when I need to access my parents' network.
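For readers who want to see what netblues' suggestion and hieroglyph's resulting pfSense settings amount to at the OpenVPN level, here is an added illustration (not from the thread or from pfSense's generated files) of the server configuration plus two client-config-dir (ccd) files. The file paths, the tunnel network 10.8.0.0/24 and the common names `laptop-cn` and `parent-phone-cn` are assumptions; only the 192.168.18.0/24 LAN comes from the thread. pfSense writes its own equivalents of these lines from the GUI fields named in the posts.

```conf
# Server config (assumed path /var/etc/openvpn/server1/config.ovpn).
# "Redirect IPv4 Gateway" is UNCHECKED, so there is no
# push "redirect-gateway def1" at server level. Server-level pushes reach
# every client before its ccd file is read, and a ccd file can only add
# pushes (it cannot take one away without push-reset), which is why the
# redirect has to be removed here first.
server 10.8.0.0 255.255.255.0                     # assumed tunnel network
client-config-dir /var/etc/openvpn/server1/ccd    # assumed path; one file per common name
push "route 192.168.18.0 255.255.255.0"           # "IPv4 Local Network/s": parents' LAN

# ccd/laptop-cn  (assumed common name; must match the cert CN exactly)
# hieroglyph's override: "Redirect Gateway" unchecked, parents' LAN listed.
# Only 192.168.18.0/24 is routed into the tunnel; the laptop's default route
# stays on its home VLAN, so VLAN10 -> VLAN14 traffic is still routed by the
# home pfSense. This line duplicates the server-level push (harmless).
push "route 192.168.18.0 255.255.255.0"

# ccd/parent-phone-cn  (assumed common name; one such file per parent device)
# "Redirect Gateway" CHECKED in the override: OpenVPN installs 0.0.0.0/1 and
# 128.0.0.0/1 via the tunnel, so all of this client's traffic goes home.
push "redirect-gateway def1"
```

To confirm the split on the laptop after connecting, look at its routing table (`ip route` on Linux, `route print` on Windows): there should be a 192.168.18.0/24 entry via the tunnel interface and no 0.0.0.0/1 or 128.0.0.0/1 entries. On a parent device those two /1 routes should be present. If the laptop still loses its local VLANs, the usual causes are a stale "Redirect Gateway" at server level or a ccd file whose name does not match the certificate common name, in which case the override is silently skipped.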
-
@hieroglyph With an established S2S VPN you could connect remotely to the server side of the VPN and access both sites with one connection, concurrently.
But this adds unnecessary points of failure. And since these are home networks, you could be better off with two OpenVPN servers listening at each site, and connect to each as needed.
A site-to-site VPN could also coexist, so you don't have to do anything when at home. Of course you can have it all: S2S, two OpenVPN servers listening at both sites, and access to everywhere no matter where you connect.
Happy tweaking.