Additional help in my OpenVPN setup



  • I successfully set up my first OpenVPN service on our existing pfSense gateway. I followed the OpenVPN how-tos and managed to configure all the necessary directives on both the server and a test client.

    Here is our network layout:

    internet ------ 58.71.23.x (wan pfsense lan) 192.168.1.0/24 --------- internal network 192.168.1.2-254
    openvpn client ====== 58.71.23.x (wan pfsense lan) ====== (openvpn address pool) 192.168.10.0/24

    Since the OpenVPN documentation suggests that the OpenVPN tunnel must have, or is best given, a separate address pool, I set 192.168.10.0/24.

    Now my client is able to authenticate with my OpenVPN/pfSense server via the public IP of the WAN interface and obtain a random 192.168.10.x address.
    My VPN client is able to ping/access all internal servers/services on my LAN segment 192.168.1.0/24. I can even access my folder share in my 192.168.1.0/24 LAN segment and am quite happy with its initial performance.

    Now I want to push my OpenVPN/pfSense implementation to the next level: to redirect all SSH/web traffic through the VPN tunnel. But I'm a bit confused about what additional directives or firewall rules must be set to accomplish this.

    Here is my OpenVPN config:

    <openvpnserver>
      <config>
        <disable/>
        <protocol>UDP</protocol>
        <dynamic_ip>on</dynamic_ip>
        <local_port>1194</local_port>
        <addresspool>192.168.10.208/29</addresspool>
        <nopool/>
        <local_network>192.168.1.0/24</local_network>
        <remote_network/>
        <client2client>on</client2client>
        <crypto>BF-CBC</crypto>
        <auth_method>pki</auth_method>
        <shared_key/>
        <ca_cert>xxxx</ca_cert>
        <server_cert>yyy</server_cert>
        <server_key>zzz</server_key>
        <dh_params>blah</dh_params>
        <crl/>
        <dhcp_domainname/>
        <dhcp_dns>208.67.222.222;208.67.220.220</dhcp_dns>
        <dhcp_wins/>
        <dhcp_nbdd/>
        <dhcp_ntp/>
        <dhcp_nbttype>0</dhcp_nbttype>
        <dhcp_nbtscope/>
        <dhcp_nbtdisable>on</dhcp_nbtdisable>
        <use_lzo>on</use_lzo>
        <custom_options>push "redirect-gateway def1";</custom_options>
      </config>
    </openvpnserver>

    <openvpncsc>
      <config>
        <disable>on</disable>
        <commonname>igvpn-user1</commonname>
      </config>
    </openvpncsc>

    Since I set the additional directive push "redirect-gateway def1", I have seen that my VPN client's routing table has additional routes that are supposed to redirect my traffic to the VPN tunnel.

    My question is: since my OpenVPN address pool is 192.168.10.0/24 and my LAN segment is 192.168.1.0/24, and my LAN firewall rules are pass * * * * wan and pass * 192.168.10.0/24 * wan, do I have to have an alias IP on my LAN interface like 192.168.10.1 so that my VPN subnet 192.168.10.0/24 can successfully traverse my WAN interface?

    Again, pardon my English, and kindly advise me of any additional info and config details I must provide to give a better picture of my network.

    Thanks and good day.



  • The OpenVPN interface is not firewalled.
    The virtual OpenVPN interface is treated like a normal interface, just without the firewalling capabilities.

    To be able to NAT from the OpenVPN subnet to the internet:
    http://forum.pfsense.org/index.php/topic,7001.0.html



  • @GruensFroeschli:

    The OpenVPN interface is not firewalled.
    The virtual OpenVPN interface is treated like a normal interface, just without the firewalling capabilities.

    To be able to NAT from the OpenVPN subnet to the internet:
    http://forum.pfsense.org/index.php/topic,7001.0.html

    Thanks for your reply, but I still don't understand which configs/directives I'm missing.

    Do I have to add a LAN interface alias (192.168.10.1) for my OpenVPN segment, or will just having Advanced NAT rules for 192.168.1.0/24 and 192.168.10.0/24 (my LAN and OpenVPN subnets) suffice? Or do I have to do both?

    I need to be precise in my configs because my box is running in production and I don't want to encounter system downtime; that's why I'm analyzing my situation carefully.

    Again, thanks and good day.
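The following is an added example, not code from any poster in this thread, from pfSense or from OpenVPN. It models the point GruensFroeschli's link makes and that the last post asks about: once push "redirect-gateway def1" sends client internet traffic out through the pfSense WAN, that traffic has to be translated to the WAN address by an outbound NAT rule that covers the tunnel network, and an alias IP on the LAN interface adds nothing, because the tunnel network is reached through the OpenVPN interface, not LAN. SERVER_XML is a cleaned copy of the server block posted above; the two outbound NAT tables and the interface name "wan" are constructed for the example, one modelling an outbound NAT that covers only the LAN subnet and one with a rule for the tunnel network added. The script also reports how many clients the posted /29 pool can hold under OpenVPN's default net30 topology and flags BF-CBC as a 64-bit block cipher.

```python
"""Check a pfSense OpenVPN server export for what decides whether
push "redirect-gateway def1" actually gets clients to the internet.

Added example for this thread; not pfSense, OpenVPN or any poster's code.
SERVER_XML is a cleaned copy of the server block posted in the thread.
The NAT tables are constructed (source network, interface translated out of).
"""
import ipaddress
import xml.etree.ElementTree as ET

SERVER_XML = """<openvpnserver>
  <config>
    <protocol>UDP</protocol>
    <local_port>1194</local_port>
    <addresspool>192.168.10.208/29</addresspool>
    <local_network>192.168.1.0/24</local_network>
    <crypto>BF-CBC</crypto>
    <auth_method>pki</auth_method>
    <custom_options>push "redirect-gateway def1";</custom_options>
  </config>
</openvpnserver>"""

# Constructed: an outbound NAT that covers only the LAN subnet, and the same
# table with a manual rule for the tunnel network added.
NAT_AUTOMATIC_ONLY = [("192.168.1.0/24", "wan")]
NAT_WITH_TUNNEL = [("192.168.1.0/24", "wan"), ("192.168.10.208/29", "wan")]

# 64-bit block ciphers OpenVPN of that era offered; BF-CBC was its default.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}


def parse_server(xml_text):
    """Pull the fields that matter for routing and NAT out of the export."""
    cfg = ET.fromstring(xml_text).find("config")

    def text(tag):
        return (cfg.findtext(tag) or "").strip()

    return {
        "tunnel": ipaddress.ip_network(text("addresspool"), strict=False),
        "lan": ipaddress.ip_network(text("local_network"), strict=False),
        "redirect_gateway": "redirect-gateway" in text("custom_options"),
        "cipher": text("crypto"),
    }


def net30_client_capacity(tunnel):
    """OpenVPN's default net30 topology gives each client its own /30 and
    the server takes the first /30 of the pool, so a /29 holds one client."""
    return max(tunnel.num_addresses // 4 - 1, 0)


def nat_covers(nat_rules, iface, network):
    """True if some outbound NAT rule on iface translates all of network."""
    return any(
        rule_iface == iface
        and network.subnet_of(ipaddress.ip_network(src, strict=False))
        for src, rule_iface in nat_rules
    )


def analyze(xml_text, nat_rules, wan_iface="wan"):
    """The checks to make before pushing a full-tunnel default route."""
    s = parse_server(xml_text)
    return {
        "tunnel": str(s["tunnel"]),
        "overlaps_lan": s["tunnel"].overlaps(s["lan"]),
        "net30_clients": net30_client_capacity(s["tunnel"]),
        "redirect_gateway": s["redirect_gateway"],
        # With redirect-gateway the clients' internet traffic leaves the WAN
        # with a tunnel-network source; without NAT the replies never return.
        "nat_covers_tunnel": nat_covers(nat_rules, wan_iface, s["tunnel"]),
        "weak_cipher": s["cipher"] in WEAK_CIPHERS,
    }


if __name__ == "__main__":
    for label, rules in (("LAN-only outbound NAT", NAT_AUTOMATIC_ONLY),
                         ("tunnel NAT rule added", NAT_WITH_TUNNEL)):
        r = analyze(SERVER_XML, rules)
        print(f"[{label}] tunnel {r['tunnel']}: {r['net30_clients']} client(s) "
              f"under net30; redirect-gateway={r['redirect_gateway']}; "
              f"NAT covers tunnel={r['nat_covers_tunnel']}; "
              f"overlaps LAN={r['overlaps_lan']}; weak cipher={r['weak_cipher']}")
```

Run with the first table, the posted config pushes redirect-gateway but no NAT rule covers 192.168.10.208/29 on WAN, which is exactly the condition the linked topic fixes with a manual (Advanced) outbound NAT rule for the tunnel network; the second table shows that rule alone is enough. The LAN pass rules quoted in the thread are not involved, since traffic from the tunnel enters on the OpenVPN interface, which the reply above notes is not filtered.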

