Netgate Discussion Forum
Additional help in my openvpn setup

OpenVPN
3 Posts 2 Posters 3.9k Views

  • jtpagaran
    last edited by Oct 15, 2008, 7:20 AM Oct 15, 2008, 4:03 AM

    I successfully set up my first OpenVPN service on our existing pfSense gateway. I followed the OpenVPN how-tos and managed to configure all the necessary directives on both the server and a test client.

    Here is our network layout:

    internet ---------- 58.71.23.x (WAN) pfSense (LAN) 192.168.1.0/24 ---------- internal network 192.168.1.2-254
    openvpn client ====== 58.71.23.x (WAN) pfSense (LAN) ====== (openvpn address pool) 192.168.10.0/24

    Since the OpenVPN documentation suggests that the OpenVPN tunnel must, or at least should, have a separate address pool, I set 192.168.10.0/24.

    Now my client was able to authenticate with my OpenVPN/pfSense server via the public WAN IP and obtain a random 192.168.10.x address.
    My VPN client was able to ping/access all internal servers/services on my LAN segment 192.168.1.0/24. I can even access my folder share in the 192.168.1.0/24 LAN segment, and I am quite happy with its initial performance.

    Now I want to push my OpenVPN/pfSense implementation to the next level: to redirect all SSH/web traffic into the VPN tunnel. But I'm a bit confused about what additional directives or firewall rules must be set to accomplish this task.

    Here is my OpenVPN config:

    <openvpnserver>
      <config>
        <disable/>
        <protocol>UDP</protocol>
        <dynamic_ip>on</dynamic_ip>
        <local_port>1194</local_port>
        <addresspool>192.168.10.208/29</addresspool>
        <nopool/>
        <local_network>192.168.1.0/24</local_network>
        <remote_network/>
        <client2client>on</client2client>
        <crypto>BF-CBC</crypto>
        <auth_method>pki</auth_method>
        <shared_key/>
        <ca_cert>xxxx</ca_cert>
        <server_cert>yyy</server_cert>
        <server_key>zzz</server_key>
        <dh_params>blah</dh_params>
        <crl/>
        <dhcp_domainname/>
        <dhcp_dns>208.67.222.222;208.67.220.220</dhcp_dns>
        <dhcp_wins/>
        <dhcp_nbdd/>
        <dhcp_ntp/>
        <dhcp_nbttype>0</dhcp_nbttype>
        <dhcp_nbtscope/>
        <dhcp_nbtdisable>on</dhcp_nbtdisable>
        <use_lzo>on</use_lzo>
        <custom_options>push "redirect-gateway def1";</custom_options>
      </config>
    </openvpnserver>

    <openvpncsc>
      <config>
        <disable>on</disable>
        <commonname>igvpn-user1</commonname>
      </config>
    </openvpncsc>

    Since I set the additional directive push "redirect-gateway def1", I have seen that my VPN client's route table has additional routes that are supposed to redirect my traffic into the VPN tunnel.

    My question is: since my OpenVPN address pool is 192.168.10.0/24 and my LAN segment is 192.168.1.0/24, and my LAN firewall rules are "pass * * * * wan" and "pass * 192.168.10/24 * wan", do I have to have an alias IP on my LAN interface, like 192.168.10.1, so that my VPN subnet 192.168.10.0/24 can successfully traverse my WAN interface?

    Again, pardon my English, and kindly advise me on what additional info and config details I must provide to give a better picture of my network.

    Thanks and good day.

    • GruensFroeschli
      last edited by Oct 15, 2008, 7:22 AM

      The OpenVPN interface is not firewalled.
      The virtual OpenVPN interface is treated like a normal interface, just without the firewalling capabilities.

      To be able to NAT from the OpenVPN subnet to the internet:
      http://forum.pfsense.org/index.php/topic,7001.0.html

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

      • jtpagaran
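      To make the reply's point concrete, here is an added audit script (not from the thread or from pfSense) that parses an <openvpnserver> block shaped like the one posted above and reports whether a pushed "redirect-gateway def1" has a matching outbound NAT source network for the tunnel pool, whether the pool overlaps the LAN, and whether the configured cipher is Blowfish. The sample config and the NAT_SOURCES list are constructed for the example.

```python
# Added example, not part of the original thread: audit a pfSense-style
# <openvpnserver> config for the NAT/routing mismatch discussed above.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample mirroring the posted config (keys abbreviated).
SAMPLE_CONFIG = """<openvpnserver>
  <config>
    <protocol>UDP</protocol>
    <local_port>1194</local_port>
    <addresspool>192.168.10.208/29</addresspool>
    <local_network>192.168.1.0/24</local_network>
    <crypto>BF-CBC</crypto>
    <custom_options>push "redirect-gateway def1";</custom_options>
  </config>
</openvpnserver>"""

# Hypothetical outbound-NAT source networks (what advanced outbound NAT
# would currently translate on WAN). Only the LAN is listed here.
NAT_SOURCES = ["192.168.1.0/24"]


def audit_openvpn_server(xml_text, nat_sources):
    """Return a list of findings (strings) for one <openvpnserver> block."""
    cfg = ET.fromstring(xml_text).find("config")

    def field(tag):
        return (cfg.findtext(tag) or "").strip()

    pool = ipaddress.ip_network(field("addresspool"), strict=False)
    lan = ipaddress.ip_network(field("local_network"), strict=False)
    nat_nets = [ipaddress.ip_network(n, strict=False) for n in nat_sources]
    findings = []

    # With redirect-gateway pushed, client internet traffic leaves WAN with a
    # tunnel-pool source address; it must be covered by an outbound NAT rule.
    redirect = "redirect-gateway" in field("custom_options")
    covered = any(pool.subnet_of(n) for n in nat_nets)
    if redirect and not covered:
        findings.append(f"redirect-gateway pushed but no outbound NAT covers {pool}")

    # The tunnel pool should be a separate subnet from the LAN.
    if pool.overlaps(lan):
        findings.append(f"tunnel pool {pool} overlaps LAN {lan}")

    # Blowfish uses a 64-bit block; AES is the modern choice.
    if field("crypto").upper().startswith("BF-"):
        findings.append("cipher BF-CBC is Blowfish (64-bit block); prefer AES")
    return findings
```

Adding the tunnel pool's parent network to the NAT source list clears the first finding, which is the fix the linked topic describes.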
        last edited by Oct 15, 2008, 1:56 PM

        @GruensFroeschli:

        The OpenVPN interface is not firewalled.
        The virtual OpenVPN interface is treated like a normal interface, just without the firewalling capabilities.

        To be able to NAT from the OpenVPN subnet to the internet:
        http://forum.pfsense.org/index.php/topic,7001.0.html

        Thanks for your reply, but I still don't understand/can't analyze which configs/directives I'm missing.

        Do I have to add a LAN interface alias (192.168.10.1) for my OpenVPN segment, or will just having advanced NAT for 192.168.1.0/24 & 192.168.10.0/24 for my LAN & OpenVPN suffice? Or do I have to do both?

        I need to be precise in my configs because my box is running in production and I don't want to encounter system downtime; that's why I'm analyzing my situation carefully.

        Again, thanks and good day.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.