Limit access between remote locations and local clients?
-
@DutchSamurai So its 100 locations with pfsense boxes at the edge and users behind each pfsense?
Or is it users with openvpn client connecting directly?
You do say that connectivity is needed behind the remote networks, and that their ip's overlap.
If it was just outbound you could nat, but as you set the goal, most probably you need to renumber.
-
@netblues Its a single pfsense box acting as the hub and the remote locations and remote users are just openvpn clients connecting to the pfsense box.
Changing the remote location lan network is not possible.
The users will have to be clients but it might be possible to put a pfsense/openvpn box at the remote location if that would make things easier.
Edit: Just to be clear, the remote locations don't have any users that need to connect. The remote locations only have some devices that need to be accessible by the remote users.
The remote locations don't allow incoming connections hence the need to have the remote location initiate the VPN connection.
-
so and again why the hustle ...
if u use openVPN and your clients fire up a tunnel to the pfsAWS
its as easyuse
assign a ip to each client with CSO and set a firewall rule.
and it works.
runs fine and smooth even in crazy combinations win/mac/lin/ LDAP&AD envs
-
@DutchSamurai said in Limit access between remote locations and local clients?:
this link
outdated in 2014 !
justsaying -
@DutchSamurai said in Limit access between remote locations and local clients?:
Edit: Just to be clear, the remote locations don't have any users that need to connect. The remote locations only have some devices that need to be accessible by the remote users.
The remote locations don't allow incoming connections hence the need to have the remote location initiate the VPN connection.can u describe a use case for me
sounds like u r running a server farm somewhere seperated by ips and now you want to
enable your users to connect via openVPNARE u shure that your IP ranges are set and not changeable
whats your tunnel network, whats your DNS ?
how do u seperate the users in the tunnel network (prevent them from talkin to each other)oh this is fun ....
-
@noplan The CSO works for assigning a static IP and setting up the VPN tunnel, but it doesn't give the users access to the remote location LAN.
Use case:
All these remote locations are kind of like a small office in remote areas that aren't easily accessible. Various different parties are involved with the network at those locations hence changing the IP's of the local networks is not possible.
Each location has various devices that collect data locally but don't send any of that data. The question I often get is "why can't we connect to those devices from our office?".
Basically people want to set up a connection that a certain remote location, SSH or HTTP to the IP of their device on the remote LAN and download some data.
The remote locations don't belong to a single owner hence there is also the need to keep everything separated.
-
@DutchSamurai If they are devices and not full blown workstastasions, then are they able to run local openvpn clients? This eradicates the need for any renumbering.
If you need to know your devices by ip, then you need to assign them static private ip's.
With careful grouping, firewall rules will do the rest. -
@netblues Sorry, I wasn't clear on that part. We have a Linux box at each remote location that will initiate the VPN connection. If necessary I can also run pfsense (or anything else) on those boxes. The devices themselves cannot run openvpn.
-
thats the classic roas warrior approach you are on.
and yes carefull gouping and rule set
is this a sort of TV setup sounds like
-
@DutchSamurai If you can't renumber, then you will need a proxy, or as it called, a jump host to access the devices.
So the linux box openvpn's to central and establishes ip connectivity.Users ssh to the linux box and then ssh to the iot device.
You could run a 1to 1 nat at the linux box and assign natted ip's for your devices.
However managing this won't be easy -
this has nothing to do with the topic.
this whole setup is of course interesting but hmmm a little fishyopen a topic " howto jump host with pfS"
-
@noplan ??
Since remote devices can't run any kind of vpn then it can't be a pure vpn solution. -
I can already ssh into the remote location on the VPN IP. But I really don't want to go that route as it will be unmanageable to give 3rd parties access and a lot of stuff they need to access at the remote location is browser based. The only viable solution is if users can setup a connection directly to their device. The openvpn client at the remote location should, one way or another, provide access/forward traffic to the remote location's LAN.
From a practical pov, can this be done using pfsense and if so how should I got about it? I can set up the VPN, I can do the firewall rules and CSO to give specific IP's, but the point I can't figure out is A) how to give access to the remote location's LAN and B) do so when remote locations will mostly be using the same LAN subnet.
-
@DutchSamurai There aren't any other options left than to do one to one nat at the remote location edge linux box.
You can assign a unique ip range at each location, and then configure a one to one nat to the local iot devices.
This will solve the conflicting ip range issue and give you direct http etc access to the non vpn enabled devices.
Linux will do that with iptables.
If there aren't many changes, it will do. -
@netblues Unfortunately I don't think that is going to work. I'll have to keep track of the settings and no doubt people will not remember their device IP isn't 192.168.0.100 but 10.10.10.100 or whatever.
Maybe setting up multiple openvpn servers is the only solution if I want the remote lan accessible as is? I could put a proxy with subdomains in front of pfsense so everybody can still connect to a single port. As far as I understand pfsense supports unlimited openvpn servers? I'm sure the GUI will suffer with a couple of hundred servers but hopefully performance will be ok'ish as all remote locations are low very low bandwidth and just idling most of the time anyway.
-
@DutchSamurai Maybe its time to introduce dns resolution for your devices.
No more ip's to remember.
Several hundred openvpn servers is also a nightmare to administer.
And one needs to connect to the correct vpn server to access.
The connect tab of openvpn client will be unmanageable.If you make a good plan, then anyone could find the nated device ip without looking it up if he knows the real device ip and the location subnet.
Its either renumber or nat, at the scale we are talking about.
-
i m out ....
now i can remember when i last got a call for such a setup ....
pay tv boxes callin over vpn tunnel content not avail in that region or
bypassin some other restrictionsorry for me the scale a 100+ vpnTunnels and seperated networks over a AWS hosted pfS
hmmm .... no me i am outnot something i want to get mixed up with
brNP -
@noplan I'm sorry you think that. This is a perfectly legit business use case. I'm simply asking if this can be done using pfsense as my experience with VPN's is limited and at this scale I am out of my depth.
@netblues I've actually seen a working solution with openvpn doing exactly what I want. Remote locations connect to a central server and remote users connect to the same central server and from there its tunneled to the remote location without the need for changing ip's etc. For ssh this requires a double tunnel but for browser based access you could setup a socks5 in the browser settings (localhost & some port) enabling access to the remote lan.
I've also seen another openvpn based solution that seems to subnet the openvpn tunnel for each remote location and allows access to each remote lan that way. No need for setting up socks or anything.
I don't know how they've actually set any of that up but it works. I think I should tell management I simply cannot do this by myself.
-
@DutchSamurai What you ask is straight forward.
pfsense with openvpn can do that.
In your particular case, there are remote lans with conflicting ip ranges and there isn't much one can do about it.
Its either nat, or renumber. Both will work fine.
It can be done either by installing pfsense at the remote locations, or just keeping the current linux gateways
Managing thousands of devices effectively does require some solid planning.