OpenVPN - client machine to server-lockdown
-
I find that the inbuilt Windows VPN is a bit too difficult to handle for end-users. I would like to distribute one installer package, and using OpenVPN and the OpenVPN client looks like a candidate for this.
I have public static IP on both sides (transparent, bridged) and don't do any NAT/subnetting (Server has static public IP). Each client only connects to one server.
I have mainly two problems:
1. I don't want the client to lose their Internet when they are connected over VPN and I don't want browser-traffic through my servers. The main use for VPN is remote desktop, custom apps they use and sql-servers - so only a few ports.
2. I only want the client to access his server - he should not see any other servers on the network.
The end-users have admin-prov on their client machines, so pushing routes shouldn't cause a problem (as long as it is automated).
How would I set this up, is it complicated or easy in my case?
-
I find that the inbuilt Windows VPN is a bit too difficult to handle for end-users. I would like to distribute one installer package, and using OpenVPN and the OpenVPN client looks like a candidate for this.
I have public static IP on both sides (transparent, bridged) and don't do any NAT/subnetting (Server has static public IP). Each client only connects to one server.
I have mainly two problems:
1. I don't want the client to lose their Internet when they are connected over VPN and I don't want browser-traffic through my servers. The main use for VPN is remote desktop, custom apps they use and sql-servers - so only a few ports.
You can push as many or as few routes to OpenVPN clients as you choose. But you push routes, not ports. Generally pushing routes to a client for only internal hosts/networks is sufficient. There is no concept of ports at this point. See below.
2. I only want the client to access his server - he should not see any other servers on the network.
All connections into the firewall from OpenVPN clients are governed by firewall rules on the OpenVPN group or interface tabs. You can allow as much or as little as you want.
Your task is to assign the same OpenVPN IP address to a client each time it logs in so the firewall rules can be tailored to that client and they cannot circumvent them. This can be handled using client-specific overrides to assign the tunnel IP address and firewall rules on the OpenVPN instance.
How would I set this up, is it complicated or easy in my case?
That depends on your skill level. If you are looking for someone to configure this for you free, you are probably going to be out of luck. There is work involved. How much work depends on how many clients and how complicated the rules are.
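Taking the lockdown idea in this reply literally, here is an added Python example (not from the thread, and not pfSense code) that audits pfSense-style firewall log lines against a per-client policy keyed on each client's fixed tunnel IP: any accepted flow to a host or port outside that client's allowance shows the OpenVPN tab rules are looser than intended. The log line shape is the one quoted later in the thread; the client addresses, servers, and the RDP/SQL port numbers are assumptions.

```python
import re

# pfSense firewall-log summary line, in the shape quoted later in this thread
LOG_RE = re.compile(
    r"^(?P<action>\w+) (?P<ts>\w{3} +\d+ [\d:]+) (?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+)(?::(?P<flags>\S+))?$")

# Constructed lockdown policy: fixed tunnel IP of each client (set by its CSO)
# -> (the one server it may reach, the ports its apps need). RDP 3389 and
# MS SQL 1433 are assumed; the thread only says "remote desktop" and "sql-servers".
POLICY = {
    "192.168.101.2": ("192.168.100.111", {3389, 1433}),
    "192.168.101.3": ("192.168.100.112", {3389, 1433}),
}

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # not a firewall log line in this format
    entry = m.groupdict()
    entry["sport"], entry["dport"] = int(entry["sport"]), int(entry["dport"])
    return entry

def violations(lines, vpn_iface="ovpns1"):
    """Accepted VPN-client flows the per-client rules should have blocked; each hit
    is (src, dst, dport, reason) and means the OpenVPN tab rules are looser than
    the policy or a client turned up with an unexpected tunnel address."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None or e["action"] != "Accept" or e["iface"] != vpn_iface:
            continue
        pol = POLICY.get(e["src"])
        if pol is None:
            hits.append((e["src"], e["dst"], e["dport"], "unknown client address"))
        elif e["dst"] != pol[0]:
            hits.append((e["src"], e["dst"], e["dport"], "not the assigned server"))
        elif e["dport"] not in pol[1]:
            hits.append((e["src"], e["dst"], e["dport"], "port not in client policy"))
    return hits

# Constructed sample log lines, not taken from the thread.
SAMPLE = """\
Accept May 22 19:14:52 ovpns1 192.168.101.2:54009 192.168.100.111:3389 TCP:S
Accept May 22 19:14:53 ovpns1 192.168.101.2:54010 192.168.100.111:80 TCP:S
Accept May 22 19:14:54 ovpns1 192.168.101.3:50001 192.168.100.111:3389 TCP:S
Block May 22 19:14:55 ovpns1 192.168.101.3:50002 192.168.100.112:445 TCP:S
Accept May 22 19:14:56 ovpns1 192.168.101.9:50003 192.168.100.112:1433 TCP:S
""".splitlines()
```

Run `violations(SAMPLE)` over an exported log to get the list of flows that slipped past the intended per-client rules; an empty list means the rules match the policy for the period covered.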
-
I was considering if this was like "click-click" and done or if it needs a bit more than that. Then I'll probably go for the commercial support option :)
It is like 4-5 clients to the same server, so it's not a really big thing, but I assume most of the setup-process would be the same anyhow.
-
Dunno how this "client-specific override" thing is done to hand out specific IPs to each client, the rest is absolutely no rocket science and will teach you much for the future. I would start on my own and look for help if needed… ;-)
Client-specific overrides:
https://doc.pfsense.org/index.php/OpenVPN_multi_purpose_single_server#OpenVPN_Client_specific_overrides
...should work! ;-)
-
Just to test, I managed to get the VPN server up and running and I have configured the OpenVPN client.
This is a little beside my original question, I just want to see if I can connect to an entire local subnet for fun. I have a local network that is in this range: 192.168.100.100-140 (web-cameras and different stuff like that).
When I connect with OpenVPN, my PC gets this IP-assigned:
My Windows PC gets these additional details (from ipconfig):
IPv4 Address. . . . . . . . . . . : 192.168.100.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Shouldn't this be enough to be able to access gear by going to 192.168.100.100 for instance? Or is this where I need to "push some routes" somehow?
The default gw isn't assigned and I guess that is correct. The 192.168.100.0/24 should also cover ips from .1 to .254.
-
Dunno how this "client-specific override" thing is done to hand out specific IPs to each client
You use ifconfig-push to the client using the CSO. The exact syntax depends on the tunnel network and topology subnet or net30. An advanced search on this subforum for ifconfig ought to bear some fruit.
@fireix: My Windows PC gets these additional details (from ipconfig):
IPv4 Address. . . . . . . . . . . : 192.168.100.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Shouldn't this be enough to be able to access gear by going to 192.168.100.100 for instance? Or is this where I need to "push some routes" somehow?
Networks defined in the "Local Networks" section of the server are automatically pushed to all clients. What this means is the local client routes traffic for those networks through the OpenVPN connection instead of out to the internet. Whether or not the client has a DEFAULT route through the VPN tunnel is most-easily controlled by the Redirect Gateway checkbox in the server. If you want different clients to have different behavior for this you will likely want to uncheck this for the global setting and push the gateway commands to specific clients using CSOs for those who should have it.
The default gw isn't assigned and I guess that is correct. The 192.168.100.0/24 should also cover ips from .1 to .254.
No, your tunnel network should be a different, routed network for a tun mode OpenVPN remote access server. It is possible to create a tap mode "bridged" same-subnet network but it is not a recommended configuration.
Try:
- Changing your tunnel network to 192.168.101.0/24 and your local network in the OpenVPN server to 192.168.100.0/24
- Making sure your OpenVPN tab has a rule that passes traffic from 192.168.101.0/24 to 192.168.100.0/24 (or any to any or whatever).
- If it still doesn't work make sure the local server you are trying to ping allows traffic from foreign networks. People are constantly mistaking Windows Firewall doing what it's been told to do for VPN (and port forward) problems.
OpenVPN is not like IPsec with traffic selectors "hidden" in the kernel somewhere. Everything is visible in a routing table. route statements add routes to the operating system, sending traffic into the OpenVPN process (visible in the OS routing table). iroutes inside OpenVPN determine which tunnel gets what traffic after the OS has routed traffic into OpenVPN (visible in OpenVPN's routing table). You can generally think of an OpenVPN instance as a virtual router.
Lots of info here: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
Interesting. Didn't know about the ifconfig-pool directive. That solves a significant problem.
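As an added example (not from the thread, and not OpenVPN or pfSense code), a small Python helper that builds the ifconfig-push line a client-specific override needs for either tunnel topology mentioned above, and checks that the tunnel network is a separate network from the LAN as the reply requires. The 1-based slot numbering, the client names and the single-host route push are my assumptions.

```python
import ipaddress

def check_networks(tunnel_net: str, local_net: str) -> bool:
    """The tunnel network must be a separate routed network, not the LAN itself."""
    tun = ipaddress.ip_network(tunnel_net)
    lan = ipaddress.ip_network(local_net)
    if tun.overlaps(lan):
        raise ValueError(f"tunnel network {tun} overlaps local network {lan}")
    return True

def ifconfig_push(tunnel_net: str, topology: str, slot: int) -> str:
    """ifconfig-push line for the client in pool slot `slot` (1-based, assumed numbering).

    subnet: the server keeps the first host address, so slot 1 gets the second host
            and the client is handed the tunnel netmask.
    net30:  every client owns a /30; the server's own /30 is the first one, so the
            client's /30 starts at offset 4*slot. The client endpoint is +2 and the
            server-side endpoint +1, the /30 pairing the TAP-Windows driver accepts.
    """
    tun = ipaddress.ip_network(tunnel_net)
    if topology == "subnet":
        addr = tun.network_address + slot + 1
        if addr not in tun or addr == tun.broadcast_address:
            raise ValueError(f"slot {slot} lies outside {tun}")
        return f"ifconfig-push {addr} {tun.netmask}"
    if topology == "net30":
        base = tun.network_address + 4 * slot
        if (base + 3) not in tun:
            raise ValueError(f"slot {slot} lies outside {tun}")
        return f"ifconfig-push {base + 2} {base + 1}"
    raise ValueError(f"unknown topology {topology!r}")

def client_override(name: str, tunnel_net: str, topology: str, slot: int, server_host: str) -> str:
    """Full CSO body: a fixed tunnel address plus a host route for the one server the
    client may use. No redirect-gateway, so the client's Internet traffic stays local."""
    return "\n".join([
        f"# client-specific override for {name}",
        ifconfig_push(tunnel_net, topology, slot),
        f'push "route {server_host} 255.255.255.255"',
    ])

if __name__ == "__main__":
    check_networks("192.168.101.0/24", "192.168.100.0/24")
    # constructed client list: a handful of clients, each tied to its own server
    clients = [("client-a", "192.168.100.111"), ("client-b", "192.168.100.112")]
    for slot, (name, srv) in enumerate(clients, start=1):
        print(client_override(name, "192.168.101.0/24", "subnet", slot, srv), end="\n\n")
```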
-
From the log, it looks like traffic is passing on (I have allow any-any), but it isn't pingable or browseable (just waiting). This is just a web-interface for a switch, but same goes for a camera and a management-computer.
Accept May 22 19:14:52 ovpns1 192.168.101.2:54009 192.168.100.111:80 TCP:S
Sun May 22 19:08:39 2016 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
Sun May 22 19:08:40 2016 [AAA] Peer Connection Initiated with [AF_INET]XXXX:1194
Sun May 22 19:08:42 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun May 22 19:08:42 2016 open_tun, tt->ipv6=0
Sun May 22 19:08:42 2016 TAP-WIN32 device [Ethernet 2] opened: \.\Global{55937E67-29D2-4CFD-9724-3B2ADCE61312}.tap
Sun May 22 19:08:42 2016 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.101.0/192.168.101.2/255.255.255.0 [SUCCEEDED]
Sun May 22 19:08:42 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.101.2/255.255.255.0 on interface {55937E67-29D2-4CFD-9724-3B2ADCE61312} [DHCP-serv: 192.168.101.254, lease-time: 31536000]
Sun May 22 19:08:42 2016 Successful ARP Flush on interface [8] {55937E67-29D2-4CFD-9724-3B2ADCE61312}
Sun May 22 19:08:47 2016 Initialization Sequence Completed
-
Are the default gateways in these devices set to pfSense?
Rules on the OpenVPN Tab/Assigned interface tab govern connections FROM the remote devices INTO your pfSense node.
Connections from LAN to VPN devices are governed on the LAN tab.
This is probably routing, not OpenVPN.
-
"Are the default gateways in these devices set to pfSense?"
No, they have an internal DHCP server as their gateway.
-
Well then that's where they are going to send the traffic for networks other than their subnet (like 192.168.101.0/24).
-
Is there a way to connect to the network (192.168.100.0/24) only for the connection or something without having to set another gw on each device?
-
You can outbound NAT out the pfSense LAN interface so all connections appear to come from 192.168.100.1.
You would lose the ability to determine which VPN client was accessing the 192.168.100.X device though, as all connections would appear to come from the same IP address.
-
I assume NAT is not possible, because I run in transparent mode/bridged?