Configure pfSense as a VPN Concentrator?



  • Dear All,

    I am new to the pfSense world and I was checking since I need, among the other needs involving the potential use of this solution,
    to set up a VPN concentrator.
    I did not find any specific thread on this topic (pfSense as a VPN concentrator), apart from something about connecting pfSense to
    already existing, commercial VPN Concentrators.

    Probably I was just unable to find the right thread, I apologise if this is the case.

    Anyway: is it possible to configure pfSense as a VPN concentrator for creating VPN tunnels through different sites and connect them?
    Could you please forward me to the right thread / discussion on this matter, if it exists?

    Thank you very much.

    Giovanni


  • Galactic Empire

    Are you talking about customers connecting to your equipment via a VPN client to access resources on your network like a Cisco 3000?

    Something like this is your best bet IMO combined with FreeRadius, then firewall rules based on IP addresses handed out via FreeRadius :-

    https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

    https://forum.pfsense.org/index.php?topic=130715.0

    https://forum.pfsense.org/index.php?topic=141928.msg774115#msg774115

    https://forum.pfsense.org/index.php?topic=129443.0



  • @NogBadTheBad:

    Are you talking about customers connecting to your equipment via a VPN client to access resources on your network like a Cisco 3000?

    Something like this is your best bet IMO combined with FreeRadius, then firewall rules based on IP addresses handed out via FreeRadius :-

    https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

    https://forum.pfsense.org/index.php?topic=130715.0

    https://forum.pfsense.org/index.php?topic=141928.msg774115#msg774115

    https://forum.pfsense.org/index.php?topic=129443.0

    Hi,
    first of all, many thanks for the answer.
    What I am actually looking at is the possibility of configuring the pfSense server itself as the VPN Concentrator, rather than using an external one.
    Like e.g. in a typical Hub & Spoke scenario, see for example this configuration: https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=015538&lang=EN
    So the pfSense server would be the Hub and different clients from different sites, say A and B, can connect to the Hub (pfSense) or with each other through the central Hub,
    always using VPN tunnels.
    Is it possible to realise such a configuration in pfSense?

    Actually this is something like what you suggested here: https://forum.pfsense.org/index.php?topic=141928.msg774115#msg774115 , but further to the possibility to connect to my equipment or to the Internet through my VPN, I want also to allow a client on site A to communicate with a client on site B passing through my pfSense concentrator.

    Thank you!


  • Galactic Empire

    Might be best to set up a few hosts using VMWare and have a play.

    As well as my previous suggestions you can create IPsec tunnels between various devices and route traffic across those tunnels in a hub & spoke style.


  • LAYER 8 Global Moderator

    Yes pfsense can be a vpn server for road warriors, or a client to different vpn services.  Or sure you can set up site-to-site vpn services between your locations.

    Normally you would not set up a hub and spoke sort of setup for multiple sites but a full mesh… With all sites having vpn connections to each other.. It's rather pointless for traffic to say flow through HQ just to go to branch B from A... Why would the traffic not just flow direct from branch A to B via the vpn between them.

    But sure if you really want you can have the traffic flow through HQ to get to B from A, etc.

    You can have your road warrior connect into any of the sites and be able to get to any of the other sites, etc.. Any of that can be done - just need to configure it.



  • Thank you all. These answers clarify many things.
    I wanted to be sure but in principle, as far as I can understand, they confirm I can configure pfSense in whatever VPN topology I want.

    I'll start studying and configuring.

    Giovanni


  • Galactic Empire

    @giovantus:

    Thank you all. These answers clarify many things.
    I wanted to be sure but in principle, as far as I can understand, they confirm I can configure pfSense in whatever VPN topology I want.

    I'll start studying and configuring.

    Giovanni

    Enjoy :D



  • Hi All,

    now I was able to configure a VPN IPSec tunnel between local and remote sites with pfSense.
    From the VPN point of view everything seems to be fine, since I managed to have the "connected" status of the configured VPN.
    But I have a couple of questions to get the actual site-to-site communication working (I still have some troubles).

    In the attached picture is my network setup: Local LAN -> pfSense -> Zywall Router -> Remote Site

    Remote VPN clients LAN: 172.16.16.0/24.
    Local VPN clients LAN: 10.0.0.0/24.
    IP of the pfSense LAN Interface: 10.0.0.1 (default GW of the local LAN)
    IP of the pfSense WAN interface: 192.168.0.51

    Local and Remote subnets described above are properly configured in the IKE Phase 2 settings.
    The remote LAN is served by a remote endpoint with public IP e.g. 80.80.80.80, configured as the Remote Gateway in the IKE Phase 1 settings.

    The pfSense WAN interface with IP 192.168.0.51 is connected to a Zywall USG50 router (IP 192.168.0.254), configured as the WAN Gateway of the pfSense.
    The WAN IP of the pfSense is NATed to a public IP e.g. 220.220.220.220 by the Zywall.

    Despite the fact that the VPN IPSec seems to be configured properly as I said, I think there are still some bits missing from the networking point of view
    to be able to ping the remote clients.

    Thank you in advance, any help will be highly appreciated.




  • Just to provide some more detailed information.

    After the VPN is connected as described, both from the pfSense server console and from any client in the LAN 10.0.0.0/24 I can access the Internet, being able to ping both the Zywall interface to which the pfSense WAN belongs (192.168.0.254) and any other site, such as google.it.

    But when I try to ping one IP of the remote VPN side (172.16.16.122 for example), this does not work.

    I managed to have this ping to the remote VPN client working only from within the pfSense console, after changing the "Local Network" settings in the IKE Phase 2 configuration, from "Local subnet" to "Network" with address "0.0.0.0/0".

    It looks like there are still some kind of firewall issues preventing an IP in the subnet 10.0.0.0/24 from properly communicating through the VPN.
    I already have firewall rules completely open for WAN, LAN and IPSec. I've also noticed that there is an Automatic Outbound NAT generated, from the LAN subnet to the WAN IP of the pfSense (192.168.0.51).

    What am I missing to have client-to-client VPN communication in place? Maybe some kind of port forwarding from the WAN to the LAN, for the IPSec ports?
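    As an added illustration (not code from any poster in this thread), the script below models the IKE Phase 2 traffic selectors from the last two posts and classifies a few constructed flows against the strict "Local subnet" policy and the 0.0.0.0/0 workaround. It assumes that a ping issued from the pfSense console is sourced from the WAN address 192.168.0.51 unless a source address is forced (the `-S` option of FreeBSD `ping`, or the source-address field in Diagnostics > Ping), which is why that ping only matched once the local network was widened; the LAN client flows already match the strict selector, so their failure is not a selector mismatch on the pfSense side.

```python
import ipaddress

# Values taken from the thread; the flows further down are constructed.
PFSENSE_LAN_IP = "10.0.0.1"      # LAN interface, default gateway of 10.0.0.0/24
PFSENSE_WAN_IP = "192.168.0.51"  # WAN interface, behind the Zywall
REMOTE_HOST = "172.16.16.122"    # the remote client the poster tried to ping


def p2_policy(local_net, remote_net):
    """A Phase 2 entry reduced to its traffic selectors: (local, remote)."""
    return (ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net))


def selector_matches(policy, src, dst):
    """True when a packet src->dst is covered by the Phase 2 selectors.
    Only such packets are handed to the IPsec SA; everything else leaves
    in the clear via the normal route (here the Zywall at 192.168.0.254)."""
    local, remote = policy
    return (ipaddress.ip_address(src) in local
            and ipaddress.ip_address(dst) in remote)


def classify_flows(policy, flows):
    """Map each (label, src, dst) flow to 'tunnel' or 'clear'."""
    return {label: "tunnel" if selector_matches(policy, src, dst) else "clear"
            for label, src, dst in flows}


# Constructed test flows mirroring the poster's observations. Assumption: a
# ping from the pfSense console is sourced from the interface that faces the
# route to the destination (the WAN address) unless a source is forced.
FLOWS = [
    ("console_ping_wan_source", PFSENSE_WAN_IP, REMOTE_HOST),
    ("console_ping_lan_source", PFSENSE_LAN_IP, REMOTE_HOST),  # ping -S 10.0.0.1
    ("lan_client_to_remote", "10.0.0.50", REMOTE_HOST),         # constructed client
    ("lan_client_to_internet", "10.0.0.50", "203.0.113.10"),    # constructed host
]

STRICT = p2_policy("10.0.0.0/24", "172.16.16.0/24")  # "Local subnet" setting
WIDE = p2_policy("0.0.0.0/0", "172.16.16.0/24")      # "Network 0.0.0.0/0" workaround


def compare_policies(flows=FLOWS):
    """Show which flows each Phase 2 variant would send into the tunnel."""
    return {"strict": classify_flows(STRICT, flows),
            "wide": classify_flows(WIDE, flows)}


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(name)
        for label, verdict in result.items():
            print(f"  {label:24s} {verdict}")
```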

