Additional help in my openvpn setup

jtpagaran · Oct 15, 2008, 7:20 AM

I successfully setup my first openvpn service on our existing pfsense gateway. I followed the openvpn howto's and manage to configure all the necessary directives on both server and test client.

Here is our network layout:

internet –------58.71.23.x (wanpfsenselan)192.168.1/0---------internal network 192.168.1.2-254
openvpn client======58.71.23.x (wanpfsenselan) =======(openvpn address pool)192.168.10.0/24

Since the openvpn documentation suggest that openvpn tunnel must be or best to have a separate address pool so i set 192.168.10.0/24

Now my client was able to authenticate with my openvpn/pfsense server via ip public wan interface and obtain a random 192.168.10.x,
My vpn client was able to ping/access all internal server/services on my LAN segment 192.168.1.0/24. I can even access my folder share in my 192.168.1.0/24 LAN segment and quite happy with its initial performance.

Now I want to push my openvpn/pfsense implementation to next level. To redirect all ssh/web traffic to the vpn tunnel but i'm a bit confuse on what additional directives or firewall rules that must be set to accomplish this task.

Here is my openvpn config:

<openvpnserver>- <config><disable><protocol>UDP</protocol>
<dynamic_ip>on</dynamic_ip>
<local_port>1194</local_port>
<addresspool>192.168.10.208/29</addresspool>
<nopool><local_network>192.168.1.0/24</local_network>
<remote_network><client2client>on</client2client>
<crypto>BF-CBC</crypto>
<auth_method>pki</auth_method>
<shared_key><ca_cert>xxxx</ca_cert>
<server_cert>yyy</server_cert>
<server_key>zzz</server_key>
<dh_params>blah</dh_params>
<crl><dhcp_domainname><dhcp_dns>208.67.222.222;208.67.220.220</dhcp_dns>
<dhcp_wins><dhcp_nbdd><dhcp_ntp><dhcp_nbttype>0</dhcp_nbttype>
<dhcp_nbtscope><dhcp_nbtdisable>on</dhcp_nbtdisable>
<use_lzo>on</use_lzo>
<custom_options>push "redirect-gateway def1";</custom_options></dhcp_nbtscope></dhcp_ntp></dhcp_nbdd></dhcp_wins></dhcp_domainname></crl></shared_key></remote_network></nopool></disable></config></openvpnserver>

<openvpncsc>- <config><disable>on</disable>
<commonname>igvpn-user1</commonname></config></openvpncsc>

Since I set an additional directive of push "redirect-gateway def1", I seen that my vpnclient route has additional routing that suppose to redirect my traffic to the vpn tunnel.

My question is since my openvpn address pool is 192.168.10.0/24 and and my LAN segment is 192.168.1.0/24. and my LAN Firewall rules is pass * * * * wan & pass * 192.168.10/24 * wan. Do I have to have an alias ip on my LAN interface like 192.168.10.1? so that my my vpn subnet 192.168.10.0/24 can successfully traverse my wan interface.

Again pardon me with my English and kind advise my for additional infos and config details that i must provide a better picture of my network .

Thanks and good day.

GruensFroeschli · Oct 15, 2008, 7:22 AM

The OpenVPN interface is not firewalled.
The virtual OpenVPN interface is treated like a normal interface, just without the firewalling capabilities.

To be able to NAT from the OpenVPN subnet to the internet:
http://forum.pfsense.org/index.php/topic,7001.0.html

jtpagaran · Oct 15, 2008, 1:56 PM

@GruensFroeschli:

The OpenVPN interface is not firewalled.
The virtual OpenVPN interface is treated like a normal interface, just without the firewalling capabilities.

To be able to NAT from the OpenVPN subnet to the internet:
http://forum.pfsense.org/index.php/topic,7001.0.html

Thank for your reply but I still don't understand/analyze the configs/directives that i'm missing.

Do I have mo add a LAN interface alias (192.168.10.1 ) for my openvpn segment or just having advance Nat 192.168.1.0/24 & 192.168.10.0/24 for my LAN & openvpn will suffice? or do I have to do both?

I need to be precise in my configs because my box is running in the production and I dont want to encounter system downtime, that's why I'm analyzing my situation carefully.

Again thank and good day.