Using Virtual IPs with OpenVPN as WAN?
-
I'm just about to complete the final step of my pfsense home deployment, (replacing my Tomato-based OpenVPN routers).
The pfsense firewall has now been running for a couple of months with added functionality and flexibility, but is still missing that 'final piece of the jigsaw'.
On my two laptops (Mac OS) I have 'Locations' enabled in Network Preferences - this allows me to instantly switch my Network configuration between one of three Gateways, two of which run through an OpenVPN tunnel on either of the Tomato routers.
All other devices (except these laptops) are fine to run with a fixed gateway, either set with one of the VPNs, or without, depending on use.
For the laptop, I want to be able to switch back and forward. How can I do this with pfsense? I think this should work with Aliases & Virtual IPs, but I can't quite complete the steps.
At the moment, I have 3 separate devices with unique IPs, all acting as a GW:
PFS: 192.168.31.1
GW2: 192.168.31.5 (device runs OpenVPN tunnel, and has PFS as its default GW)
GW3: 192.168.31.9 (device runs OpenVPN tunnel, and has PFS as its default GW)
The laptop currently retains the same IP address, but changes its GW, and then all traffic flows via the OpenVPN tunnel.
I want to assign Virtual IP 192.168.31.2 to the PFS (OpenVPN client) Gateway to replace my current GW2, and similarly 192.168.31.3 to replace GW3.
I already have the OpenVPN client running on pfsense, and acting as a second gateway with policy-based routing.
What steps do I need to follow to have the option of switching GW from the client?
Do I assign the (new) virtual IP to WAN, OpenVPN or LAN? (answer - Assign to LAN, cannot be assigned to OpenVPN)
What rules do I need to add to ensure that a client using GW .2 only routes via the OpenVPN instance?
What other step might I need to complete this?
I know that (as a temporary measure), I could change the IP address of the laptop, but I'd rather not do this. One laptop normally stays at home (could be either) and I will access it remotely - so if the IP changes, this would add to the complexity.
Many thanks,
-
So you currently actually have three routers and you are looking to replace that with one router and VIPs?
-
That's correct, just working on a diagram to upload:
Primary router is pfsense:
Two routers acting as WAP only (WAN disabled), but each with an OpenVPN client that tunnels through pfsense to the outside VPN provider.
-
2 different ssid in 2 WAP and rule directing each IP of your WAP to different gateways?
EDIT: config the 2 VPN in pfSense and use those as the gateways.
-
Multiple clients connect via WiFi to either of the two WAP - IP & gateway are assigned by pfsense (via static DHCP reservations).
Some clients are assigned the VPN gw, the default is no VPN.
This configuration is 100% working, and meets my needs (but is overcomplicated).
-
Thanks Hugovsky,
That's what I'm trying to achieve, but it's not a static case.
Most of the clients (Amazon Echo, AppleTV etc) are fine with a fixed gateway.
The two laptops I use, I need to be able to switch between VPN 1, VPN 2 & none.
So on top of transferring the VPN/routing to the pfsense device (which is complete & tested), I need an option that recognises that IP 192.168.31.100 doesn't automatically get assigned the OpenVPN gateway, but specifies whether to use WAN, OpenVPN client 1 or 2.
I think this may be possible by using Virtual IPs & Aliases, e.g.:
The client requests gateway 192.168.31.2 - which is an alias for OpenVPN client 1
-
Hmm. I don't know of a way to identify what GW address traffic arrived on. I don't know if that is going to be possible. That address is not involved in routing decisions at all as it is neither the source address nor the destination address. All the router interface will see is:
Source IP address / Source MAC address (Client MAC)
Destination IP address / Destination MAC address (Router interface MAC)
They will be identical regardless of what gateway address the traffic is forwarded to.
Seems like a Mac network location could just as easily set a separate static client IP address and leave the gateway the same. That would be easy to policy route.
-
You can try using the "locations" in Mac OS if that allows you to use different configs with different IPs. Say you have a "location" called VPN1: Mac IP 192.168.1.2 -> in pfSense you have a rule that says "with this IP, use gateway VPN1".
"location" called VPN2: Mac IP 192.168.1.2 -> in pfSense you have a rule that says "with this IP, use gateway VPN2".
I think you get the point.
-
Thanks Derelict,
That's as far as I got as well. I'll have to consider how much trouble that will cause by changing IP address.
-
Exactly.
-
The Mac's networking stack is pretty flexible. There might be a way to have a fourth address that never changes that is not used as a source address for outgoing connections but can always be available to accept incoming connections. Not sure how, just throwing it out there. I don't see a way to add an "IP Alias" to an interface but I created another interface on the same vlan and gave it a separate address and ended up with this:
vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 3c:07:54:0c:23:16
	inet6 fe80::403:dcd:81c:6e04%vlan2 prefixlen 64 secured scopeid 0xc
	inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
	inet 192.168.1.101 netmask 0xffffff00 broadcast 192.168.1.255
	nd6 options=201<PERFORMNUD,DAD>
	vlan: 1200 parent interface: en0
	media: autoselect (1000baseT <full-duplex>)
	status: active
-
Thanks again Derelict,
This is mostly way above my level, but it has given me different options to consider.
I have assigned a couple of Virtual IP addresses to pfsense, and would have thought that there might be a way to use these or assign them to an interface, unfortunately just not the OpenVPN interfaces!
-
Thanks again Derelict,
While a Virtual IP on the Mac does not entirely fix what (I think) I'm looking for, it's close enough.
I used this link:
http://stackoverflow.com/questions/87442/virtual-network-interface-in-mac-os-x
and added another IP address to the Mac, which is confirmed reachable by ping:
sudo ifconfig en0 alias 192.168.31.19
to remove the alias:
sudo ifconfig en0 -alias 192.168.31.19
Once I have changed everything around, the Mac will be reachable by a fixed IP alias, and the 'real' IP will change according to the 'Location' set, so as to select the appropriate VPN tunnel on demand.
The 'missing' functionality (that I'm aware of) is being able to identify 'all' traffic to/from this device in a single line entry. But having traffic grouped by route used could be seen as an advantage!
-
You route traffic (connections, actually) from the device using a rule on "LAN" for all traffic from that source address.
There is really no way to identify traffic to that device. It will arrive on the WAN (including OpenVPN) interface it arrives on.
Reply traffic to connections made from that device will work fine.
-
Thanks again, I understood that…
... I was referring to the various connections that have already been created (e.g. VNC on the iPad) referring to the original IP. With an alias replacing the current IP (.100), everything inbound (either LAN or Remote Access OpenVPN Server) will still find the target.
Outbound, the new 'real' IPs, .101, .102 etc will determine which OpenVPN Client connection to use, based on Firewall rules.
-
…Now to come up with a revised numbering scheme for 100+ domestic devices!
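An added example (not code from the thread or from pfSense) that models the two points made above: the firewall only ever sees source/destination IP and MAC, so which Virtual IP the client picked as its gateway is invisible, and a first-match LAN rule on the source address is what selects WAN, OpenVPN client 1 or 2. The MAC for pfSense, the gateway names and the ARP table are constructed placeholders; the addressing follows the poster's plan (.100 fixed alias, .101/.102 per Location).

```python
from dataclasses import dataclass
import ipaddress

# Constructed ARP view of the LAN. pfSense answers for its interface address and
# for the two Virtual IPs (IP aliases on LAN); the Mac answers for its fixed
# alias (.100) and for whichever Location-specific real IP is active.
PFSENSE_MAC = "00:00:5e:00:01:01"   # placeholder, not from the thread
LAPTOP_MAC = "3c:07:54:0c:23:16"    # the Mac's MAC from the ifconfig output above
ARP = {
    "192.168.31.1": PFSENSE_MAC,
    "192.168.31.2": PFSENSE_MAC,    # Virtual IP "gateway" 2
    "192.168.31.3": PFSENSE_MAC,    # Virtual IP "gateway" 3
    "192.168.31.100": LAPTOP_MAC,   # fixed alias, reachable inbound (VNC etc.)
    "192.168.31.101": LAPTOP_MAC,   # real IP under Location "VPN1"
    "192.168.31.102": LAPTOP_MAC,   # real IP under Location "VPN2"
}

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    # Note: no field for the gateway address; it is never carried on the wire.

def frame_as_seen_by_router(src_ip, dst_ip, gateway_ip):
    """Frame that pfSense's LAN interface receives when a host sends an
    off-subnet packet via gateway_ip. Only the MAC it resolved to is present."""
    return Frame(ARP[src_ip], ARP[gateway_ip], src_ip, dst_ip)

# First-match policy-routing rules on LAN; gateway names are hypothetical.
RULES = [
    ("192.168.31.101/32", "OVPN_CLIENT1"),
    ("192.168.31.102/32", "OVPN_CLIENT2"),
    ("192.168.31.0/24", "WAN"),     # catch-all: default is no VPN
]

def select_gateway(frame, rules=RULES):
    """pfSense-style first match: only the source address decides the gateway."""
    src = ipaddress.ip_address(frame.src_ip)
    for source, gateway in rules:
        if src in ipaddress.ip_network(source):
            return gateway
    return None                     # no rule matched; traffic would be dropped

if __name__ == "__main__":
    via2 = frame_as_seen_by_router("192.168.31.100", "203.0.113.10", "192.168.31.2")
    via3 = frame_as_seen_by_router("192.168.31.100", "203.0.113.10", "192.168.31.3")
    print("gateway choice visible to router:", via2 != via3)   # False
    print(select_gateway(frame_as_seen_by_router("192.168.31.101", "203.0.113.10", "192.168.31.1")))
```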