How to route PC to OVPN-Client to WAN



  • PC LAN side - 192.168.30.9
    StS OVPN - 192.168.158/24
    OVPN Client - 192.168.158.3

    I need a route on pfS from PC to OVPN Client

    How can I do that?

    Thanks.



  • I can't seem to figure this out.

    I would like to be able to change GW on demand on that PC.
    Until now I have not been successful in setting a route to 192.168.158.3, which is the only thing that seems missing to make it work.

    Any pointer how to do that?



  • Just tried assigning a GW to 192.168.158.3 on pfSense.
    After changing the GW on PC, connection is lost.
    So, am I ;)

    Anyone any ideas?


  • LAYER 8 Netgate

    Put the local networks on the server side in local networks, put the remote networks on the other end of the site to site in remote networks on the server, put openvpn pass any any any rules on both sides and you're done.

    You're missing a piece. In a Site-to-Site OpenVPN there are Local and Remote "LAN" networks you are trying to connect. The tunnel network joins them.

    If all you have is the VPN tunnel address it sounds like you might want a Remote Access network instead.

    Post what you've done.



  • The previous advice was, "You need a Site to Site" but was not in this topic ;)

    I've got Site to Site working, LAN can talk to LAN, working just fine.
    Have that working with RA too b.t.w., with CSO.

    Now I'd like to use a VPN client as an exit-point to www, traffic originating from PC on server side LAN. And that's what I can't seem to figure out. It does seem to miss a route to 192.168.158.3/VPN client.

    Elsewhere it was suggested to try and give this PC two IPs on pfSense and then policy route one IP to VPN client/exit-point. Then when VPN is needed on PC, change its IP with script, the IP that is policy routed.
    But elsewhere had no experience with pfSense.

    I've done similar before with the difference that PC was behind a VPN client instead of behind server.
    ipforward=1, masquerade the thing, change GW on Windows 7 with script and off it goes.
    On server side this seems not to work.

    And yes, for testing I have allow any to any on IFs

    Thanks.


  • LAYER 8 Global Moderator

    I have read this multiple times and can not figure out what you're trying to do.. So you have a site to site, and then you're running a vpn client on a pc - going where?

    Can you draw up your network and what you're trying to accomplish.



  • Man, I just wrote, and the attachment was not accepted, wrong extension, jpeg not accepted, my message gone.

    Ok, please see attachment.
    pfS has allow any to any on VLAN30 and VPN.
    IF is assigned to VPN.

    After adding ipforward=1 and iptables masquerade to NAS, the LAN behind it became available to LAN/VLAN behind pfS.
    The other way around is also the case.
    Not redirecting GW on NAS.
    NAS has connectivity to www by Modem2 GW.
    So far works as intended.

    What I'm trying to do is make NAS the exit-point to www with a script on PC.



  • LAYER 8 Global Moderator

    Dude I still can not figure out what you want…

    So you're saying your pfsense has a site to site to your NAS?

    Why do you think you would/could setup some gw on your PC to tunnel out your site to site or not tunnel out??  Your PC gateway is 192.168.30.1 -- you can not set a gateway for port 80 on the pc to do anything but go to its gateway on the network its on.

    If you want your PC to use your vpn on pfsense to go somewhere based on port then setup policy routing to do that on pfsense.

    That doesn't look like site to site anyway - look like your nas is a vpn client to pfsense running server...



  • Dude I still can not figure out what you want…

    Yes, it must be my bad explanation, fellow dude :)

    If you want your PC to use your vpn on pfsense to go somewhere based on port then setup policy routing to do that on pfsense.
    That doesn't look like site to site anyway - look like your nas is a vpn client to pfsense running server…

    In another thread it was suggested to use a Site to Site for NAS to separate road warrior.
    Doesn't policy routing make PC to go always over VPN?
    If possible I would like to have a "switch" on PC to go or not go over VPN.


  • LAYER 8 Global Moderator

    No policy routing allows you to route the traffic however you want.. So I can send source IP 192.168.1.100 down vpn if going to port XYZ, or only to IP X, or if going to IPX:ABC etc. etc..

    You're not showing it as a site to site.. It looks like a nas is client to pfsense road warrior.

    There is NOTHING you could do on your pc that says when using port X go down the tunnel.  Sure you could bring up a tunnel on pfsense, and have another IP on pfsense and have traffic that goes to its lan IP 2 go down the tunnel and traffic that hits its IP 1 not go down the tunnel.  Then you could route on your PC.

    But why not just policy route your traffic down your tunnel based on your rule you create on pfsense?
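    The policy-routing approach from this post, and the source-address "switch" the original poster described earlier (a second address on the PC that is policy routed into the tunnel), as a constructed pf.conf fragment added here for illustration. It is not pfSense's generated rule set and not from anyone in this thread; on pfSense the same thing is built in Firewall > Rules with the Gateway option set on a LAN rule. Assumed names: `vlan30` is the VLAN30 LAN interface, `ovpns1` is the assigned OpenVPN site-to-site interface, 192.168.158.3 is the NAS end of the tunnel, and 192.168.30.19 is a second, made-up address the PC switches to when it wants to exit via the NAS.

```pf
# Constructed example: pf policy routing for one source address into the tunnel.
# Assumed interface names and the 192.168.30.19 "switch" address are not from the thread.
lan_if    = "vlan30"
vpn_if    = "ovpns1"
lan_net   = "192.168.30.0/24"
tun_net   = "192.168.158.0/24"
nas_tun   = "192.168.158.3"      # far end of the site-to-site (the NAS)
vpn_src   = "192.168.30.19"      # PC uses this address only when it wants the NAS exit

# 1. Local and tunnel destinations keep normal routing. This rule has no route-to
#    and must match first, otherwise LAN-to-LAN and LAN-to-tunnel traffic from the
#    switch address would also be pushed into the tunnel.
pass in quick on $lan_if inet from $lan_net to { $lan_net, $tun_net } keep state

# 2. Only the switch source address is policy routed to the NAS over the tunnel.
#    Everything else on VLAN30 falls through to the default gateway (WAN/Modem1).
pass in quick on $lan_if route-to ($vpn_if $nas_tun) inet from $vpn_src to any keep state

# 3. Remaining VLAN30 traffic: ordinary allow, default routing.
pass in quick on $lan_if inet from $lan_net to any keep state
```

    Two things to check when testing this: rule order matters because of `quick`, so the local-networks rule has to sit above the `route-to` rule; and the NAS still has to forward and masquerade what arrives over the tunnel (the ipforward=1 and iptables masquerade already described in this thread), otherwise replies from the internet have no way back to 192.168.30.x. Per-port variants are the same rule with `proto tcp ... port 80` added, as the post above describes.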



  • You're not showing it as a site to site..

    First the NAS connected to RA server but as I mentioned it was advised to add a StS because also have road warriors connecting to RA.
    So I added a StS and just modified/copied the client config to NAS and it connected.

    Sure you could bring up a tunnel on pfsense, and have another IP on pfsense and have traffic that goes to its lan IP 2 go down the tunnel and traffic that hits its IP 1 not go down the tunnel. Then you could route on your PC.

    Thanks for that, that sounds like what I need.

    Then it would also be possible to add another VLAN that uses OpenVPN as GW and then exit at NAS to www?
    Then on PC switch between those VLANs.
    Hmm… that way more machines could use it and maybe is easier to manage?
    Would it then be better to add an RA server instead of StS?

