Pfsense only OpenVPN Server with only single interface WAN

n1tr0666 · Jul 25, 2018, 7:33 PM

Sorry but i'm very confuse… :-(

If I give you access to you on my PFSENSE WEB interface on Google cloud can you help me ?

viragomann · Jul 25, 2018, 7:38 PM

I'm not familiar with Google cloud. Is there a virtual environment with an internet gateway, where you're able to add virtual network interfaces and internal networks?

If that is not possible take another solution.

n1tr0666 · Jul 25, 2018, 7:44 PM

I have only network card on my pfsense VM with google cloud.

Google cloud NAT public IP directly on private IP.

Can access to PFSENSE WEB with public IP and WAN IP in console is private IP

I install PFSENSE with this guide … https://blog.kylemanna.com/cloud/pfsense-on-google-cloud/

for other method can you explain more please ?

viragomann · Jul 25, 2018, 7:57 PM

The crux of the matter is the gateway here for this solution. If you cannot configure it, that won't work.

So let's try the NAT solution.
That is assuming that all settings are like you wrote in your first post here.
For this one you have to enable the Outbound NAT in the pfSense web-GUI. Firewall > NAT > Outbound. Select the hybrid mode and save that.
Add a new rule:
Interface: WAN
Source: any
Destination: 10.142.xx.xx/20 (the Google Cloud local network)
Translation address: Interface address

That should work if the vpn is configured correctly.

n1tr0666 · Jul 25, 2018, 8:47 PM

Thx it's work now ! :-)

CoyoteKG · Jul 25, 2018, 9:24 PM

Hello,
I'm new with pfsense, and for now I need it only because OpenVPN.

I installed it to some cloud, also only with one interface for wan.
Because there is no possibility on that hosting to put few servers in the same vlan, I wan't to try with OpenVPN.

Is it possible only with bridging? I googled so much these days, and found only this 6 years old guide
https://hardforum.com/threads/pfsense-2-0-1-openvpn-configuration-guide.1663797/
but it seems like it is obsolete.
Also in netgate documentation there is this link
https://www.netgate.com/docs/pfsense/vpn/openvpn/openvpn-bridging.html
which also not works because it is "irrelevant" for current pfsense version.

Can you direct me how to make possible to put different cloud standalone servers to the same vlan?

viragomann · Jul 25, 2018, 10:13 PM

There should exist smaller solutions for OpenVPN only.

You can get access by a transit network and routing if you have access to the default gateway, as already mentioned here. Or by adding a route to each remote device you want to reach or by NAT.

Also by bridging, in theory, but my experience tells me, that you will not get much support here for bridged openVPN, but you may try a new thread.
I can't help.

grante · Aug 7, 2018, 12:58 PM

@majinb_igor

Hi I am trying to do the same thing, could you share a screenshot of younnat config for this?

Thanks

CoyoteKG · Aug 8, 2018, 8:51 AM

Hello, I succeeded to setup on cloud with one WAN openvpn and connect devices from different places to one network.

ISP is Hetzner.

This is the configuration if someone need. Mostly done via Wizards, with small corrections afterwards.
Still need a little bit to harden firewall.

n1tr0666 · Aug 21, 2018, 12:44 AM

Hello again ! :-)

I'm setup PFSENSE (1 WAN nic) on google cloud with 6 pfsense (client) connected site-to-site, all client can PING my google cloud network 10.142.x.x/20

But when connect to my server on my google cloud 10.142.x.4 i'm can't PING my local network client ….

If i'm connect on pfsense GUI (server-side) 10.142.x.7 and make PING test on my internal local client 10.10.5.249 it's WORK !!!!

pfsense server 10.142.0.7
google cloud server 10.242.0.4

pfsense client 10.10.5.1
Workstation client 10.10.5.249

ping from 10.10.5.249 to 10.142.0.7 ---- WORK
ping from 10.10.5.249 to 10.142.0.4 ---- WORK

ping from 10.142.0.7 to 10.10.5.249 ----- WORK
ping from 10.142.0.4 to 10.10.5.249 ----- FAIL

Traffic fail on one side … can you help me whit my route table please….

THX !!!!

viragomann · Aug 21, 2018, 10:24 AM

@n1tr0666 said in Pfsense only OpenVPN Server with only single interface WAN:

I'm setup PFSENSE (1 WAN nic) on google cloud with 6 pfsense (client) connected site-to-site

6 site-to-site clients are connected to a single server? With CSO?

@n1tr0666 said in Pfsense only OpenVPN Server with only single interface WAN:

ping from 10.142.0.4 to 10.10.5.249 ----- FAIL

You have to tell the cloud server where to go to reach 10.10.5.249. Add a static route to it for the network of 10.10.5.249 and direct it to pfSense 10.142.0.7.

n1tr0666 · Aug 21, 2018, 8:00 PM

Hello,

All client can ping 10.142.0.x but FAIL from other side ….

When ping from 10.142.0.4 (Windows 2016) to any pfsense client it's fail :-(

If i'm log in pfsense server GUI 10.142.0.7 and test ping to 10.10.5.249 it's only work with OPENVPN interface if I choose WAN it's fail….

See images in this link for more informations …..

https://cloud.ordivert.net/index.php/s/ubEciIGkjNlz3lB

Where add static route in pfsense server or directly in google cloud interface ???

Because my Windows 2016 server VM on google (10.142.0.4) ogtain DHCP automatic and use 10.142.0.1 for Gateway. Can add route directly in my Windows 2016 ? do you have demo route for me ?

Thx!

viragomann · Aug 21, 2018, 9:55 PM

@n1tr0666 said in Pfsense only OpenVPN Server with only single interface WAN:

If i'm log in pfsense server GUI 10.142.0.7 and test ping to 10.10.5.249 it's only work with OPENVPN interface if I choose WAN it's fail….

Seems that the client is missing the route to your google cloud network.

n1tr0666 · Aug 21, 2018, 10:35 PM

What do you means ?

viragomann · Aug 21, 2018, 11:16 PM

On the client you have to set the route to the 10.142.xx.xx/20 network.
In pfSense GUI enter the network into the "Remote network/s" box.

n1tr0666 · Aug 21, 2018, 11:17 PM

on the client ?

client can ping google cloud VM

but

google cloud VM cannot ping client

viragomann · Aug 21, 2018, 11:24 PM

Again the question:
All 6 site-to-site clients are connected to a single server? If yes, have you added CSO?

n1tr0666 · Aug 21, 2018, 11:25 PM

Yes all 6 pfsense client is connected to same pfsense server (10.142.0.7)

CSO ?

viragomann · Aug 21, 2018, 11:28 PM

You find it in the GUI: VPN > OpenVPN > Client specific overrides
It's necessary to tell the server into which tunnel the packets have to be routed.

CSO only work in conjunction with TLS Auth (a unique certificate for each client).

n1tr0666 · Aug 21, 2018, 11:33 PM

Yes ! already setup it !!!!

My error it's maybe that my Windows 2016 server 10.142.0.4 have Gateway 10.142.0.1 but my pfsense server is 10.142.0.7

In my Windows 2016 … if add static route like the server ignore this rules ….

route add 10.10.5.0 mask 255.255.255.0 10.142.0.7

and cannot find option in google cloud for it and if i'm configure static ip on my google cloud VM (Windows server) I cannot reach vm after, only work in DHCP.