OpenVPN for remote access



  • At my business we have two physically separate locations, each of them running a pfSense firewall. I have OpenVPN site-to-site enabled, where in place A I have the domain controller, Windows server and all the databases. Place B acts as the OpenVPN client and is connected to place A in order to get access to the LAN, domain, etc.

    I need to enable a VPN connection for a few restricted users so they can get into the LAN network from their homes, and I'm not sure if I should set up these VPN connections through pfSense or Windows itself, since the pfSense OpenVPN in place A is already set up as the server for the site-to-site connection.

    Also, these VPN connections should be made with Active Directory credentials stored in the place A domain controller.

    Thanks


  • LAYER 8 Global Moderator

    pfSense can run multiple VPN connections at the same time, be it site to site, road warrior, client, etc.

    Sure, you can auth your VPN users against your AD if you so desire.



  • So just to be sure, do I have to set up another OpenVPN server with RADIUS that is included in Active Directory, or a road warrior? The main thing is I don't want to add the users that will be able to access the VPN in pfSense's user manager; I'd like to handle that from Active Directory. Also, will the OpenVPN clients always have to install the package exported from pfSense? Is there no way to do that from the Windows VPN client on the machine?

    Thanks


  • LAYER 8 Global Moderator

    Windows VPN machine?  You mean run your VPN software on a Windows machine behind pfSense?  To access what exactly?  That server running the VPN, or other stuff on the network?  You run into asymmetrical routing problems when you try and run a VPN server on the network you're trying to access without NATting, etc.

    It really is a couple of clicks to set up OpenVPN – just run the wizard and follow the bouncing ball.  Use of the OpenVPN client is really simple, and you can use it on your iOS or Android phones even.



  • The idea is that the network's administrators are able to get into the LAN without having to download any package from pfSense, using their Active Directory credentials. As in, you go to the network settings in Windows, add the VPN connection and just put in the external IP and their AD user/password.


  • LAYER 8 Global Moderator

    It's a bit more complicated than that if the box you VPN into is on the actual LAN, so unless you NAT the inbound connections you will have asymmetrical routing issues.

    Also, having to add the client and the certs that allow access is a more secure connection than just having to know a username and password to get in.  I thought you said this was a handful of users?  If so, then deployment of the client and the info needed to connect is really simple.
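    To make the "asymmetrical routing" point above concrete, here is a small routing simulation. It is an added example for this thread, not pfSense or OpenVPN code, and every address in it is constructed: the LAN is 192.168.1.0/24 with pfSense at 192.168.1.1, the Windows box terminating the VPN is 192.168.1.5 with a 10.8.0.0/24 tunnel, a remote client is 10.8.0.2 and a file server is 192.168.1.10. The model walks one TCP connection hop by hop and shows why the reply half dies at the stateful firewall, why a static route alone does not help, and what NAT on the VPN box changes.

```python
"""Toy model of asymmetric routing when the VPN server sits on the LAN
(192.168.1.5) instead of on the gateway (pfSense, 192.168.1.1).

Added example for the forum thread; not pfSense/OpenVPN code. All
addresses are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

LAN, TUNNEL = "192.168.1.0/24", "10.8.0.0/24"


class Packet:
    def __init__(self, src, dst, syn=True):
        self.src, self.dst, self.syn = src, dst, syn  # syn: first packet of a TCP flow


class Node:
    """A host or router with a longest-prefix-match routing table."""

    def __init__(self, name, addrs, routes):
        self.name, self.addrs = name, set(addrs)
        # routes: (prefix, next_hop); next_hop None means directly connected
        self.routes = [(ip_network(p), nh) for p, nh in routes]

    def next_hop(self, dst):
        matches = [(n, nh) for n, nh in self.routes if ip_address(dst) in n]
        if not matches:
            return None
        _, nh = max(matches, key=lambda m: m[0].prefixlen)
        return nh or dst  # directly connected: hand straight to the destination

    def handle(self, pkt):
        """Inspect/rewrite a packet; return it to keep going, None to drop."""
        return pkt


class StatefulGateway(Node):
    """pfSense: creates state on the first packet of a flow and drops a
    non-SYN packet that matches no state (pf's default behaviour)."""

    def __init__(self, name, addrs, routes, bypass_state_check=False):
        super().__init__(name, addrs, routes)
        self.states, self.bypass = set(), bypass_state_check

    def handle(self, pkt):
        if pkt.syn:
            self.states.add((pkt.src, pkt.dst))
            return pkt
        if self.bypass or (pkt.dst, pkt.src) in self.states:
            return pkt
        return None  # reply to a flow this firewall never saw the start of


class VpnServer(Node):
    """LAN host terminating the tunnel; optionally source-NATs tunnel clients."""

    def __init__(self, name, addrs, routes, lan_addr, nat=False):
        super().__init__(name, addrs, routes)
        self.lan_addr, self.nat, self.table = lan_addr, nat, {}

    def handle(self, pkt):
        if not self.nat:
            return pkt
        if ip_address(pkt.src) in ip_network(TUNNEL):              # tunnel -> LAN
            self.table[pkt.dst] = pkt.src
            pkt.src = self.lan_addr                                 # hide the 10.8.x client
        elif pkt.dst == self.lan_addr and pkt.src in self.table:    # LAN -> tunnel
            pkt.dst = self.table[pkt.src]
        return pkt


def trace(nodes, pkt, start, max_hops=8):
    """Walk a packet hop by hop; return (outcome, path of node names, packet)."""
    by_addr = {a: n for n in nodes for a in n.addrs}
    node, path = by_addr[start], []
    for _ in range(max_hops):
        path.append(node.name)
        pkt = node.handle(pkt)
        if pkt is None:
            return "dropped at " + node.name, path, None
        if pkt.dst in node.addrs:
            return "delivered", path, pkt
        nh = node.next_hop(pkt.dst)
        if nh is None or nh not in by_addr:
            return "no route at " + node.name, path, None
        node = by_addr[nh]
    return "loop", path, None


def build(nat=False, static_route=False, bypass=False):
    pf_routes = [(LAN, None), ("0.0.0.0/0", "203.0.113.1")]  # upstream, constructed
    if static_route:
        pf_routes.append((TUNNEL, "192.168.1.5"))
    return [
        Node("vpn-client", ["10.8.0.2"], [(TUNNEL, None), (LAN, "10.8.0.1")]),
        VpnServer("vpn-server", ["192.168.1.5", "10.8.0.1"],
                  [(TUNNEL, None), (LAN, None), ("0.0.0.0/0", "192.168.1.1")],
                  lan_addr="192.168.1.5", nat=nat),
        StatefulGateway("pfsense", ["192.168.1.1"], pf_routes, bypass_state_check=bypass),
        Node("file-server", ["192.168.1.10"], [(LAN, None), ("0.0.0.0/0", "192.168.1.1")]),
    ]


def session(**opts):
    """Client 10.8.0.2 opens a TCP connection to 192.168.1.10.
    Returns (forward outcome, forward path, reply outcome, reply path)."""
    nodes = build(**opts)
    out, fpath, delivered = trace(nodes, Packet("10.8.0.2", "192.168.1.10"), "10.8.0.2")
    if out != "delivered":
        return out, fpath, "not sent", []
    reply = Packet(delivered.dst, delivered.src, syn=False)  # server answers what it saw
    rout, rpath, _ = trace(nodes, reply, reply.src)
    return out, fpath, rout, rpath


if __name__ == "__main__":
    for label, opts in [("no NAT, no route", {}),
                        ("static route on pfSense", {"static_route": True}),
                        ("static route + state check bypassed", {"static_route": True, "bypass": True}),
                        ("NAT on the VPN server", {"nat": True})]:
        print(f"{label}: {session(**opts)}")
```

    The SYN reaches the file server through the VPN box, but the file server's default route sends the reply to pfSense, which has no state for that flow and drops it. Adding a static route for the tunnel subnet on pfSense still fails for the same reason; it only works if the state check is relaxed (pfSense exposes this as the "bypass firewall rules for traffic on the same interface" option under System > Advanced > Firewall & NAT), and then the forward and reply paths differ, which is the asymmetry. Source-NATting the tunnel clients to the VPN box's LAN address makes both directions go through 192.168.1.5 and keeps pfSense out of the path, at the cost of the LAN seeing every remote user as 192.168.1.5 in its logs. Running the road-warrior server on pfSense itself, as the moderator suggests, avoids all of this because the gateway is then the VPN endpoint.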



  • The pfSense is connected both to the WAN ISP provider and the LAN network. Yes, it's just a handful of users (2-3 max). What do you mean by asymmetrical routing issues? I already have a site-to-site OpenVPN that links 2 LANs located in different places and it works great.

