openvpn and surfing

nick.loenders · Aug 6, 2021, 7:03 AM

Hi,

I have setup a openvpn on a netgate device on location A with and when I connect to it from location B it connects and I get the public ip of location A, which is good.
But it also means I will surf/browse via location A.

But is there a way I get the public ip from location A, but can still surf via location B ?

viragomann · Aug 6, 2021, 9:42 AM

@nick-loenders
How do you think, should that work?

If your HTTP requests access the destionation server in the Internet with the IP from A, the server will send its responses back to A. Consequently the whole traffic (up and down) has to flow over A.

If you don't want to surf via A uncheck "Redirect gateway" in the OpenVPN settings, but then you will access the internet with the public IP of B.
There are no other options.

nick.loenders · Aug 6, 2021, 9:47 AM

@viragomann Hi, the thing is we manage a lot of servers on different locations and we will allow RDP only from the ip from location A,
so basically we use this vpn only to show the rdpservers we are coming from location A....

But off course if you forget to turn off the vpn and would watch a film for instance, we would be surfing through location A, which is not a good plan as we pay for the bandwidth at location A

But I guess there is nothing to do about it then, as I already suspected :(

viragomann · Aug 6, 2021, 10:04 AM

@nick-loenders
So only for RDP you can policy route the traffic over the VPN and remove the "redirect gateway" check.

For a policy routing rule, on B add all your RDP destination IPs you want to access from A to an alias.
Then add a firewall rule on the interface where your RDP clients are connected to, at destination enter the alias and RDP at port (or whatever port you need, possibly also an alias), open the advanced options and at gateway select your VPN gateway.
This requires that you have assigned an interface to the OpenVPN instance before.

nick.loenders · Aug 6, 2021, 11:45 AM

@viragomann wow, this sounds all a bit chinese for me.

Are we on the same wave?

At location A:
On the firewall I allow RDP only from public ip 70.15.15.36

At location B:
On the firewall I allow RDP only from public ip 70.15.15.36

At location C:
On the firewall I allow RDP only from public ip 70.15.15.36

I have then a FW on location X on which vpn is setup and this location has public ip 70.15.15.36

I can then be wherever I want with my laptop and make a openvpn connection to the FW of location X and at this moment my public ip becomes 70.15.15.36 as redirect gateway is enabled.
And as my public ip bacame 70.15.15.36 I can RDP to server on location A, B, C, ...

But off course with that setup ALL traffic goes via location X.

You would do it differently?
Can you explain with some screenshots if possible?

viragomann · Aug 6, 2021, 12:32 PM

@nick-loenders
I see, from your firest post, I was thinking about a site2site VPN between A and B.

From you Laptop you will make a client connection to an access server on location X.
So in the access server settings to route client traffic over the VPN, enter all networks you want to access to the "Local Networks". This pushes a route to the client when the VPN is established.

So in your example, you want to access 60.10.10.10. I assume you also want to access the local network on X, which I say is 192.168.20.0/24, so the "IPv4 Local Network/s" box in the server settings should look like this:

192.168.20.0/24,60.10.10.10/32

All entries have to be in CIDR notation and comma separated.

"Redirect gateway" has to be unchecked here as well.

This directs the whole traffic to 60.10.10.10 over the VPN, not only RDP, but all other destinations which are not included in "local networks" will go out the default WAN on the laptop.

nick.loenders · Aug 6, 2021, 12:28 PM

@viragomann No I want to access the servers on location A B C, ....
There are no site2site tunnels in this story.

I make a vpn to the netgate on location X.

That is it.

Then on my laptop I do an rdp to location A (public ip 60.10.10.10)
As on location A rdp is only allowed from public ip X 70.15.15.36, this will work.
if my redirected gateay is on (at this moment)

viragomann · Aug 6, 2021, 12:36 PM

@nick-loenders
Ok I messed the destination IP. Corrected it now above.

"Redirect gateway" directs simply the whole upstream traffic from the client over the VPN connection, while in "local networks" you can state specific destinations to direct to the VPN server. It's also called splitt-tunneling.

nick.loenders · Aug 6, 2021, 1:08 PM

@viragomann so if I do this:

login-to-view

it should work too?

OK, I'll test

viragomann · Aug 6, 2021, 1:08 PM

@nick-loenders
Yes, this simply adds the proper route on the client to go over the VPN gateway.