Pfsense as openvpn client



  • I just replaced my home router (openwrt based) with pfsense. I have managed to configure it successfully, however I ran into some minor issues with openvpn. I managed to connect it to another openvpn server (which is also running on pfsense in my office). I can ping from the pfsense box at home to the pfsense box in the office thru VPN, however the client behind my home pfsense box cannot ping the private IP located in the pfsense server.

    On the openwrt router I needed to enable IP forwarding/masquerading to achieve this, and I managed to successfully route machines behind the openwrt box to machines behind the pfsense box in the office.

    On the firewall tab I already created an any-to-any rule on the LAN and openvpn interfaces. What am I missing?



  • @tesna:

    On openwrt router I need to enable IP forwarding/masquerading to achieve this

    That is only necessary if one of the vpn endpoints is not the default gateway.

    On pfSense that can be achieved by an outbound NAT rule. Hybrid or manual rule gen. must be activated.



  • @viragomann:

    That is only necessary if one of the vpn endpoints is not the default gateway.

    On pfSense that can be achieved by an outbound NAT rule. Hybrid or manual rule gen. must be activated.

    yes, I did configure the vpn server not to make the vpn the default gateway. Instead I push routes for the IPs/networks I want to access thru VPN manually in the server configuration.

    Can you guide me to the right direction? I tried to configure the outbound NAT rule but so far no luck.

    here's my routing table on the pfsense:

    
    [2.4.2-RELEASE][admin@pfSense.localdomain]/root: netstat -r
    Routing tables
    
    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            192.168.0.254      UGS        bge0
    10.0.2.0/24        10.0.102.1         UGS      ovpnc1
    10.0.4.0/24        10.0.102.1         UGS      ovpnc1
    10.0.7.0/24        10.0.102.1         UGS      ovpnc1
    10.0.102.0/24      10.0.102.1         UGS      ovpnc1
    10.0.102.1         link#11            UH       ovpnc1
    10.0.102.3         link#11            UHS         lo0
    10.232.0.4         192.168.0.254      UGHS       bge0
    50.subnet118-98-44 192.168.0.254      UGHS       bge0
    245.subnet125-160- 192.168.0.254      UGHS       bge0
    localhost          link#3             UH          lo0
    192.168.0.0/24     link#1             U          bge0
    192.168.0.2        link#1             UHS         lo0
    192.168.5.0/24     link#7             U        bge1.1
    pfSense            link#7             UHS         lo0
    192.168.6.0/24     link#9             U       bge1.20
    192.168.6.250      link#9             UHS         lo0
    192.168.8.0/24     link#10            U       bge1.30
    192.168.8.250      link#10            UHS         lo0
    192.168.88.0/24    link#8             U       bge1.10
    192.168.88.250     link#8             UHS         lo0
    
    

    I can ping hosts behind the VPN server from the pfsense box:

    
     ping 10.0.2.2
    PING 10.0.2.2 (10.0.2.2): 56 data bytes
    64 bytes from 10.0.2.2: icmp_seq=0 ttl=63 time=7.426 ms
    64 bytes from 10.0.2.2: icmp_seq=1 ttl=63 time=7.026 ms
    64 bytes from 10.0.2.2: icmp_seq=2 ttl=63 time=6.526 ms
    64 bytes from 10.0.2.2: icmp_seq=3 ttl=63 time=6.922 ms
    ^C
    --- 10.0.2.2 ping statistics ---
    4 packets transmitted, 4 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 6.526/6.975/7.426/0.320 ms
    
    

    but not from the client behind the pfsense box. I cannot even ping the openvpn interface from the LAN.
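A way to check what the posted routing table actually says about a destination (an added example, not code from the thread): longest-prefix match over the network routes copied from the netstat -r output above. If 10.0.2.2 resolves to ovpnc1 here but a LAN client's traceroute still leaves via the WAN, as in the later posts, then something other than the system routing table is steering the packet, for example a LAN firewall rule with a gateway set, which pfSense treats as policy routing; that is where to look first.

```python
import ipaddress

# Constructed from the netstat -r output posted above: only the network
# routes are kept, host routes and loopback entries are omitted.
ROUTES_TEXT = """\
default            192.168.0.254      UGS        bge0
10.0.2.0/24        10.0.102.1         UGS      ovpnc1
10.0.4.0/24        10.0.102.1         UGS      ovpnc1
10.0.7.0/24        10.0.102.1         UGS      ovpnc1
10.0.102.0/24      10.0.102.1         UGS      ovpnc1
192.168.0.0/24     link#1             U          bge0
192.168.5.0/24     link#7             U        bge1.1
192.168.8.0/24     link#10            U       bge1.30
"""


def parse_routes(text):
    """Parse FreeBSD 'netstat -r' lines into (network, gateway, flags, netif)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gw, flags, netif = parts[:4]
        # 'default' is the 0.0.0.0/0 route; everything else is CIDR here.
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest,
                                   strict=False)
        routes.append((net, gw, flags, netif))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, i.e. what the kernel forwarding table does for a
    packet that is NOT policy-routed by a firewall rule with a gateway."""
    addr = ipaddress.ip_address(dst)
    best = None
    for entry in routes:
        net = entry[0]
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = entry
    return best


def expected_netif(dst, text=ROUTES_TEXT):
    """Interface the system routing table would forward dst through, or None."""
    hit = lookup(parse_routes(text), dst)
    return hit[3] if hit else None


if __name__ == "__main__":
    for d in ("10.0.2.2", "10.0.102.1", "192.168.8.10", "8.8.8.8"):
        print(d, "->", expected_netif(d))
```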



  • You misunderstood. The point is whether the pfSense boxes are the default gateways in the LANs behind them. On both sites.
    IP packets to the remote network are routed to the default gateway, as long as there is no special route set for it on the sending computer.

    If both boxes are the default gateways in their LAN networks there's no NAT rule needed. Just set the options "IPv4 Local Network/s" and "IPv4 Remote Network/s" correctly on both, server and client.



  • @viragomann:

    You misunderstood. The point is whether the pfSense boxes are the default gateways in the LANs behind them. On both sites.
    IP packets to the remote network are routed to the default gateway, as long as there is no special route set for it on the sending computer.

    If both boxes are the default gateways in their LAN networks there's no NAT rule needed. Just set the options "IPv4 Local Network/s" and "IPv4 Remote Network/s" correctly on both, server and client.

    both pfsense boxes (the openvpn server and the client) are the default gateways of their local LANs. This is why I am very confused: the routes are already displayed in the routing table of the pfsense openvpn client, and I can ping from the pfsense box, but somehow the machine behind it cannot ping the VPN networks.

    If I do a traceroute to the vpn subnet, or even to the vpn gateway IP, from the LAN interface:

    
    C:\Users\thasan>tracert 10.0.2.2
    
    Tracing route to 10.0.2.2 over a maximum of 30 hops
    
      1    <1 ms    <1 ms     1 ms  192.168.8.254 (pfsense box)
      2     1 ms     1 ms     1 ms  192.168.0.254 (ISP router, cannot turn off NAT/enable bridge mode)
      3     1 ms     1 ms     1 ms  x.x.x.x (public IP gateway of the ISP)
      4  x.x.x.x  reports: Destination host unreachable.
    
    Trace complete.
    
    

    It should not be routed to the WAN interface, right? I am pretty sure the problem is on the pfsense openvpn client side, as I did not change any configuration on the server side and the openvpn client on the openwrt router was able to route the traffic just fine.

    However, last night I tried playing around with outbound NAT, manually creating the openvpn interface, adding the openvpn gateway, and creating firewall rules (so traffic to destinations behind the pfsense server is routed thru the openvpn interface); finally the client behind the pfsense box was able to ping the networks on the openvpn server side.

    Is this the correct way to do it? It seems a bit more complicated.



  • Of course, the packets should be routed to the vpn server.

    However, the traceroute shows the packets are directed to 192.168.8.254 from the source device, while according to the routing table above 192.168.8.250 is the pfSense LAN IP.
    ???
    What's the real LAN IP now?



  • @viragomann:

    Of course, the packets should be routed to the vpn server.

    However, the traceroute shows the packets are directed to 192.168.8.254 from the source device, while according to the routing table above 192.168.8.250 is the pfSense LAN IP.
    ???
    What's the real LAN IP now?

    sorry for the confusion, I changed the pfsense LAN IP from *.250 to *.254 since I finally managed to get it working (albeit a bit complicated), so I can finally shut down my openwrt router. I have several VLANs set up in the pfsense (management interface, trusted, guest, iot) and all pfsense LAN :

    my topology is something like this:

    WAN pfsense home (192.168.0.2) ==> connected to the ISP router

    few vlans in the 192.168.x.0/24 subnet (management, trusted, guest, iot)

    all clients on the VLAN interfaces can browse the internet fine and all interfaces currently have any-to-any rules, except for the IOT

    WAN pfsense office (public IP)

    and also has few VLANs, in the 10.0.x.0/24 subnet

    subnet for openvpn interface is in 10.0.102.0/24

    I managed to get it working after I followed https://forum.pfsense.org/index.php?topic=29944.0 and modified it according to my needs, so it only routes to the VPN tunnel based on the destination IP/network, and it's working well so far :) Not sure this is the correct way to do it but it's working. More configuration is needed (usually I only configure the client config file in the openvpn server); now I also need to configure a few firewall rules on the openvpn client end (in addition to configuring the outbound NAT).

    The odd thing is, if I traceroute from the office LAN side to the internal network it does pass thru the openvpn LAN interface and I don't need to configure anything on the firewall of the openvpn server side.

    
    C:\Users\thasan>tracert 192.168.5.201
    
    Tracing route to 192.168.5.201 over a maximum of 30 hops
    
      1    <1 ms    <1 ms    <1 ms  10.0.7.254
      2     6 ms     6 ms    11 ms  10.0.102.3
      3    12 ms    16 ms    10 ms  192.168.5.201
    
    

    whereas if I traceroute from the other side, it omits the pfsense LAN IP and goes directly to the openvpn interface:

    
    traceroute 10.0.7.10
    traceroute to 10.0.7.10 (10.0.7.10), 30 hops max, 38 byte packets
     1  10.0.102.1 (10.0.102.1)  7.177 ms  5.878 ms  6.333 ms
     2  10.0.7.10 (10.0.7.10)  6.048 ms  *  6.322 ms
    
    

    I am happy now :), but I'm just wondering whether this is the correct way to do it.

