Create a multi-machine pfSense administration network



  • Hello everyone!
    It's been around a month since I've been looking to create a private network from which I can remotely connect to my other deployed pfSense machines. We have a naming scheme and IP address plan, but the implementation is still very tricky.
    A few things are for sure:

    • I have a central point of connection with a known public DNS name (already deployed pfSense)

    • Many small pfSense boxes that provide what they need for our service but need to connect to the central point to get an IP and communication going

    And here is what I tried:
    OpenVPN Peer to Peer… Unfortunately, this solution cannot establish a tunnel with more than 1 client... and I sometimes need 3 or 4 on the same tunnel... like the central point on .1 and clients on .2, .3 and .4 on a /28 for example
    OpenVPN with certificates: I need to not use a PKI, it's a nightmare and I don't have the resources to deal with one properly (I mean with proper security and certificate management)
    IPsec: I have not seen anywhere how to create a tunnel between the connection machines... Sure I can connect two physical ones, but how to create one that only exists when the tunnel is up is beyond me.
    L2TP: because we are using a provider's OpenStack public cloud service, we don't have control over layers 1 and 2, so I can't use it.

    Last time, I posted in the OpenVPN section but I realized it might not be the solution. Can someone help me?
    Just in case, here is the link to my original post: https://forum.pfsense.org/index.php?topic=113779

    Thank you for reading.



  • Right now I use OpenVPN from 3 pfSense to 1 and it works beautifully. I use certificates to authenticate.
    This works great for me since one of those pfSense is at my home, so I connect to any other pfSense as if it were on my local network.
    I have a lot of pfSense deployed at my customers that I manage and access almost every day, and it's great to be able to access them this way.
    What I would like is to have a central Web GUI that I can host on one server and then from there look at the health status of all systems and get logs. That would be like pfCenter or something like that and would be awesome. If someone knows something like that, let me know.



  • Both OpenVPN and IPsec will work for what you are trying to achieve, but each design has its own specificities.

    What I understand from your goal is that you try to connect multiple sites in a "hub & spoke" design.

    In any case, what is critical is your IP addressing plan.

    • although it has no impact on the feasibility (unless you have overlap), there is no need to set up a wide OpenVPN tunnel (I mean with plenty of potential clients, i.e. /20 or so).
    • what you have to keep in mind is that using a tunnel (either OpenVPN or IPsec) brings you to the internal network  ;)
    • when trying to bounce from one tunnel to another, you may have to configure your central OpenVPN server to authorize communication between VPN clients

    So you have 2 basic choices:

    • configure site-to-site OpenVPN, all remote sites connecting to central site. Ensure you do publish routes  ;)
    • configure IPsec between each remote site and central site.

    Again, both work once configuration is correct.
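    As an added illustration of the hub-and-spoke design above (not code from the thread or from the pfSense project): the hub takes the first address of the tunnel subnet, every spoke gets a fixed tunnel address keyed by its certificate CN (what pfSense exposes as Client Specific Overrides), inter-client traffic is enabled so one can bounce between spokes, and the address plan is checked for overlap before anything is generated. Subnets and CNs are constructed sample values.

```python
import ipaddress


def build_hub_and_spoke(admin_net, spoke_lans, port=1194):
    """Return (server_conf, ccd) for a hub-and-spoke OpenVPN admin network.

    admin_net  -- tunnel subnet, e.g. "10.200.0.0/28"; the hub takes .1
    spoke_lans -- {client_cert_cn: lan_cidr_or_None}, in address order
    """
    net = ipaddress.ip_network(admin_net, strict=True)
    hosts = list(net.hosts())  # .1 .. .14 on a /28
    if len(spoke_lans) > len(hosts) - 1:
        raise ValueError(f"{admin_net} only fits {len(hosts) - 1} spokes")

    # Address-plan sanity: spoke LANs must not overlap the tunnel or each other.
    seen = [net]
    for cn, lan in spoke_lans.items():
        if lan is None:
            continue
        lan_net = ipaddress.ip_network(lan, strict=True)
        for other in seen:
            if lan_net.overlaps(other):
                raise ValueError(f"{cn}: {lan} overlaps {other}")
        seen.append(lan_net)

    mask = str(net.netmask)
    server_conf = "\n".join([
        f"port {port}",
        "proto udp",
        "dev tun",
        "topology subnet",
        f"server {net.network_address} {mask}",  # hub gets the first host (.1)
        "client-to-client",       # pfSense: "Inter-client communication"
        "client-config-dir ccd",  # pfSense: Client Specific Overrides
        "ccd-exclusive",          # refuse clients that have no override
    ])
    # One fixed tunnel address per spoke; no LAN routes are pushed, so the
    # spokes' LANs stay isolated and only the admin subnet is reachable.
    ccd = {cn: f"ifconfig-push {ip} {mask}"
           for cn, ip in zip(spoke_lans, hosts[1:])}
    return server_conf, ccd


if __name__ == "__main__":
    conf, ccd = build_hub_and_spoke(
        "10.200.0.0/28",
        {"site-a": "192.168.10.0/24", "site-b": "192.168.20.0/24", "site-c": None},
    )
    print(conf)
    for cn, line in ccd.items():
        print(f"ccd/{cn}: {line}")
```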



  • @gabrielpc1190:

    Right now I use OpenVPN from 3 pfSense to 1 and it works beautifully. I use certificates to authenticate.

    This works great for me since one of those pfSense is at my home, so I connect to any other pfSense as if it were on my local network.

    I have a lot of pfSense deployed at my customers that I manage and access almost every day, and it's great to be able to access them this way.

    What I would like is to have a central Web GUI that I can host on one server and then from there look at the health status of all systems and get logs.

    That would be like pfCenter or something like that and would be awesome. If someone knows something like that, let me know.

    Hello,

    Well, to be fair, I broke down on the PKI and created a CA and as many certificates as I needed; it now works flawlessly as I wanted. Now I'm looking for a way to automate the certificate creation and transfer, something like an API.

    For the monitoring solution, use a Raspberry Pi with something like Centreon / Nagios / Zabbix on it and you should be able to do this…

    @chris4916:

    So you have 2 basic choices:

    • configure site-to-site OpenVPN, all remote sites connecting to central site. Ensure you do publish routes  ;)
    • configure IPsec between each remote site and central site.

    Again, both work once configuration is correct.

    Well, for now I use OpenVPN, but in the case of IPsec, I have not seen anywhere the option to assign IPs in the IPsec tunnel / V2 for each endpoint to allow these endpoints to be addressed through the VPN…

    For the route publication, there is no need for it; I'm just looking to address the pfSense machines without having to access the LAN IP (keeping things isolated from each other for security and best practice), but on the central server I allowed the OpenVPN traffic to the admin subnet so I can bounce between them.

    Now that I've POC'ed that stuff, I'm off to automate it...



  • @P_Gineste:

    Well, for now I use OpenVPN, but in the case of IPsec, I have not seen anywhere the option to assign IPs in the IPsec tunnel / V2 for each endpoint to allow these endpoints to be addressed through the VPN…

    For the route publication, there is no need for it; I'm just looking to address the pfSense machines without having to access the LAN IP (keeping things isolated from each other for security and best practice), but on the central server I allowed the OpenVPN traffic to the admin subnet so I can bounce between them.

    That's exactly what you misunderstand about IPsec.
    IPsec's purpose is to allow LAN-to-LAN connectivity.
    BTW, the idea is pretty much the same with OpenVPN. The idea is to provide access to the LAN, not the WAN interface.

    It looks like you are trying to access remote pfSense servers on the WAN interface for administrative purposes, which is, as a concept, and at least to me, wrong.
    If you change your paradigm and access the LAN, which obviously doesn't prevent you from controlling, using FW rules, what is accessible and what is not, by source and destination, you will not face the problem you describe  ;) (unless I misunderstand what you explain)



  • @chris4916:

    @P_Gineste:

    Well, for now I use OpenVPN, but in the case of IPsec, I have not seen anywhere the option to assign IPs in the IPsec tunnel / V2 for each endpoint to allow these endpoints to be addressed through the VPN…

    For the route publication, there is no need for it; I'm just looking to address the pfSense machines without having to access the LAN IP (keeping things isolated from each other for security and best practice), but on the central server I allowed the OpenVPN traffic to the admin subnet so I can bounce between them.

    That's exactly what you misunderstand about IPsec.
    IPsec's purpose is to allow LAN-to-LAN connectivity.
    BTW, the idea is pretty much the same with OpenVPN. The idea is to provide access to the LAN, not the WAN interface.

    It looks like you are trying to access remote pfSense servers on the WAN interface for administrative purposes, which is, as a concept, and at least to me, wrong.
    If you change your paradigm and access the LAN, which obviously doesn't prevent you from controlling, using FW rules, what is accessible and what is not, by source and destination, you will not face the problem you describe  ;) (unless I misunderstand what you explain)

    The thing is, I don't want to access pfSense from either the LAN or the WAN (well, LAN for failover, but the LAN should be isolated from the VPN), but from a dedicated virtual interface that is accessible from my administration network… there is no paradigm shift to have here, just the right solution to choose. IPsec, from what you're telling me, is then not one of them for me.

    Is there a way to not remove the CSRF check but select from which interface the pfSense admin panel is accessible?



  • The CSRF error does not occur on interfaces. So if you assign an interface to your VPN, then it all works



  • @heper:

    The CSRF error does not occur on interfaces. So if you assign an interface to your VPN, then it all works

    Indeed.

    And IPsec will do it too: once sites are connected through the IPsec tunnel, this is as simple as defining FW rules  8)

