Static routing for internal Openvpn server
-
Hi
In order to emulate an already existing network, but with a pfSense gateway device, I am mandated to have an internal OpenVPN server on the LAN network, sitting behind the pfSense gateway.
I'm having trouble defining routes for the OpenVPN subnets to route to the OpenVPN server.
On the existing network I'm trying to emulate, I can simply create static routes to the OpenVPN server like so:

    10.8.0.0/24 via 192.168.2.42 dev eth0 proto static metric 5 onlink
    10.9.0.0/24 via 192.168.2.42 dev eth0 proto static metric 5 onlink
    10.10.0.0/24 via 192.168.2.42 dev eth0 proto static metric 5 onlink

(192.168.2.42 being the OpenVPN server, 10.XXXX are the networks the OpenVPN server makes for the users logging in.)
Please, how can I do this in pfSense?
-
Routing the packets from one LAN device to the OpenVPN server in LAN won't work. You will get asymmetric routing.
Put the OpenVPN server into a transit network, connected to pfSense. Then add the server's IP as a gateway in System > Routing and add static routes for the tunnel subnets pointing to that gateway.
-
Please can you explain how to put the OpenVPN server in a transit network? Does this mean it has to be on a different subnet from any that is defined on the pfSense router?
-
Yes. You may also realize that with a VLAN on your existing LAN cable. But if the VPN server has a LAN IP, requests from VPN clients to LAN devices will be sent directly to the devices, while the LAN devices will send their responses to the default gateway.
In addition, you also need to add a route to the VPN server for the LAN network pointing to pfSense, of course.
Another way to resolve that is to add a static route for the VPN tunnel to each LAN device you want to have access.
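A small forwarding model, added here as an illustration and not part of the thread, that walks the forward and return path for both layouts discussed above: the VPN server on the LAN (pfSense routing 10.8.0.0/24 to 192.168.2.42) versus the VPN server on a transit network with the route back to the LAN pointing at pfSense. The pfSense address 192.168.2.1, the transit network 10.99.0.0/30, the LAN host 192.168.2.10 and the client 10.8.0.2 are assumed values, not from the thread.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop); next_hop None = connected subnet."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), via) for p, via in routes]
    matches = [m for m in matches if dst in m[0]]
    if not matches:
        raise ValueError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def owner(nodes, ip):
    """Node that holds the given address (the L2 neighbour we hand the packet to)."""
    return next(n for n, d in nodes.items() if ip in d["addrs"])

def path(nodes, src, dst_ip, max_hops=16):
    """Hop-by-hop walk from src to dst_ip; returns the list of nodes traversed."""
    hops, node = [src], src
    for _ in range(max_hops):
        if dst_ip in nodes[node]["addrs"]:
            return hops
        via = lookup(nodes[node]["routes"], dst_ip)
        node = owner(nodes, via if via else dst_ip)   # connected: deliver directly
        hops.append(node)
    raise RuntimeError("routing loop")

def symmetric(nodes, a, b):
    """True when the reply from b to a retraces the forward path a to b in reverse."""
    fwd = path(nodes, a, nodes[b]["addrs"][0])
    back = path(nodes, b, nodes[a]["addrs"][0])
    return fwd == list(reversed(back))

# Constructed topologies (assumed addresses). Layout 1: VPN server sits on the LAN.
CLIENT = {"addrs": ["10.8.0.2"], "routes": [("10.8.0.0/24", None), ("192.168.2.0/24", "10.8.0.1")]}
LAN_HOST = {"addrs": ["192.168.2.10"], "routes": [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.1")]}
LAN_ONLY = {
    "vpn_client": CLIENT,
    "vpn_server": {"addrs": ["10.8.0.1", "192.168.2.42"],
                   "routes": [("10.8.0.0/24", None), ("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.1")]},
    "pfsense": {"addrs": ["192.168.2.1"], "routes": [("192.168.2.0/24", None), ("10.8.0.0/24", "192.168.2.42")]},
    "lan_host": LAN_HOST,
}
# Layout 2: VPN server on transit net 10.99.0.0/30, LAN reached via pfSense (10.99.0.1).
TRANSIT = {
    "vpn_client": CLIENT,
    "vpn_server": {"addrs": ["10.8.0.1", "10.99.0.2"],
                   "routes": [("10.8.0.0/24", None), ("10.99.0.0/30", None), ("192.168.2.0/24", "10.99.0.1")]},
    "pfsense": {"addrs": ["192.168.2.1", "10.99.0.1"],
                "routes": [("192.168.2.0/24", None), ("10.99.0.0/30", None), ("10.8.0.0/24", "10.99.0.2")]},
    "lan_host": LAN_HOST,
}
```

In the LAN-only layout the request goes client, server, LAN host, but the reply goes LAN host, pfSense, server, client, so pfSense's stateful firewall sees only half of every flow; in the transit layout both directions pass through pfSense.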