OpenVPN routing windows to access lan on client side of windows



  • Hey guys,

I have multiple OpenVPN servers, one for each customer, running on pfSense so they have their own network for their devices. The pfSense is running on a Vultr server instance. I have HMI/SCADA software running on Windows panel-type PCs acting as a web server; I use a reverse proxy to point DNS down the VPN tunnel to access the web server, and this works well with no issues. If I connect to one of these OpenVPN servers from my laptop to access the PLC on the LAN, I can't get to the LAN behind the Windows 10 panel PC. I have tried turning off the Windows firewall and followed a lot of guides, have IP forwarding enabled on Windows, and still no luck. Out of interest, I tried it on a Raspberry Pi and I was able to access everything on the LAN, so it is something Windows is stopping, but I can't figure it out and have spent weeks trying to get it to work. I have tried adding all the remote networks in the OpenVPN config etc. Is there some setting I am missing in pfSense or OpenVPN?

[Attached image: OpneVPN windows routing.png]

    Thanks!



  • @mxracer303 said in OpenVPN routing windows to access lan on client side of windows:

If I connect to one of these OpenVPN servers from my laptop to access the PLC on the LAN, I can't get to the LAN behind the Windows 10 panel PC.

    Correct, because a Windows PC is not a router and it will not route traffic by default.

    You will need to do three things:

1. Tell pfSense what LAN subnets are behind each client via client-specific overrides (VPN -> OpenVPN -> Client Specific Overrides)

    2. Enable IP routing on each PC.

3. Add a static route on the remote-end edge firewall telling it that traffic destined for the LAN behind pfSense needs to be routed through the Windows 10 PC.

    The real question is... why are you trying to implement this workaround instead of doing it the right way by creating a site-to-site tunnel with the edge firewall at each location?



  • Hi marvosa,

I have already tried the client-specific overrides without any success; the client-specific overrides worked fine with the Raspberry Pi but just not with Windows.

    I have enabled IP routing on each PC also, so I'm now out of ideas.

The problem is the remote sites are on the mobile network, so there is no way to have a static IP address for the server side. The other reason I am doing it this way is that I also have a SCADA web server running on the Windows panel PC, which I point the reverse proxy to over the VPN tunnel and DNS so the customer can view the SCADA remotely and can access it simply by typing a web address such as example.mydomain.com, and this reaches the web server. This side of things works well and I haven't had any issues. I'm no network expert by any means, so I don't know the right way of doing it. I just now need access to the LAN to make changes to the PLC or any other devices on the network and for maintenance reasons. There must be a way to achieve this via Windows. If a Linux Raspberry Pi can do it, surely there must be a way with Windows.



Hi @mxracer303, if you find out how to make this work, I am happy to know.


  • Netgate Administrator

    You could probably just RDP to the remote Windows box and then do whatever you need from there.

    Steve



  • Hi @stephenw10

I have the engineering licensed software running on my laptop; will this create a tunnel that allows me to gain access to the LAN? I don't think it will work, as a remote desktop just displays the remote screen. It would mean I need to install the programming software onto the panel PC, which I can't do as it doesn't have enough resources for the requirements of the programming software.



  • @mxracer303 said in OpenVPN routing windows to access lan on client side of windows:

I have already tried the client-specific overrides without any success; the client-specific overrides worked fine with the Raspberry Pi but just not with Windows.
I have enabled IP routing on each PC also, so I'm now out of ideas.
The problem is the remote sites are on the mobile network, so there is no way to have a static IP address for the server side. The other reason I am doing it this way is that I also have a SCADA web server running on the Windows panel PC, which I point the reverse proxy to over the VPN tunnel and DNS so the customer can view the SCADA remotely and can access it simply by typing a web address such as example.mydomain.com, and this reaches the web server. This side of things works well and I haven't had any issues. I'm no network expert by any means, so I don't know the right way of doing it. I just now need access to the LAN to make changes to the PLC or any other devices on the network and for maintenance reasons. There must be a way to achieve this via Windows. If a Linux Raspberry Pi can do it, surely there must be a way with Windows.

My apologies, I forgot to add the last step, which is adding a return route on the edge device at the remote end. In other words, on the remote end, you need to add a static route on the edge firewall that sends traffic destined for the LAN behind pfSense to the Windows 10 PCs.

What's happening is the Windows 10 PCs have no idea where the pfSense LAN is, so return traffic is sent to the default gateway (remote-end edge firewall) and the traffic is dropped because the remote-end firewall does not have an entry for the pfSense LAN in its routing table.

    Once the static route is added at the remote-end, you should be able to access the PLC.

    I added the last step to my previous post.



  • Hi @marvosa

I have looked on the Windows 10 firewall on the end devices and cannot see a way to add a static route. Do you have a guide or example on how to achieve this?
There is no physical LAN on the pfSense side, just a VLAN I created to try to replicate a LAN. I may have configured this and OpenVPN wrong. I haven't been using this VLAN at the moment.
I would have thought that, being connected to the VPN server from two separate PC clients, the data would automatically be routed through the VPN tunnel. I obviously have the wrong understanding of how the VPN is working.
This is all pretty new to me, so I'm still learning all this networking stuff.

    Thanks for your help


  • Netgate Administrator

    Mmm, well Windows routing is outside my remit, I imagine it's possible....
    A million years ago I ran Winroute on a Win2K box. It was a terrible experience!

    Steve



  • Hi @stephenw10

It seems WinRoute is no longer in use and is now firewall software.
What do you think about this: https://www.nat32.com/ ? Possibly having it installed on the Windows panel PC?



  • route -p ADD <destination_ip> MASK <netmask> <gateway_ip>
    


Hi @Pippin, so let me get this correct: will the destination IP be the IP of the PLC on the LAN, or do I put the IP of the whole LAN such as 192.168.2.1? As for the gateway IP, is this the gateway of the Windows panel PC or the gateway IP of the pfSense VLAN?



  • @mxracer303 said in OpenVPN routing windows to access lan on client side of windows:

I have looked on the Windows 10 firewall on the end devices and cannot see a way to add a static route. Do you have a guide or example on how to achieve this?
There is no physical LAN on the pfSense side, just a VLAN I created to try to replicate a LAN. I may have configured this and OpenVPN wrong. I haven't been using this VLAN at the moment.
I would have thought that, being connected to the VPN server from two separate PC clients, the data would automatically be routed through the VPN tunnel. I obviously have the wrong understanding of how the VPN is working.
This is all pretty new to me, so I'm still learning all this networking stuff.

When I referenced the "edge firewall", I was referring to the device protecting the network on the remote end, not the Windows PCs. The presumption is that the Windows PCs are on a completely separate internet connection that is protected by a firewall. The firewall protecting the remote network is where the static routes need to go. If you do not have access to the firewall on the remote end, the workaround is to put the static route on the endpoint device you're trying to connect to. In your case, it's the PLC, not the Windows PC.

In your diagram, it looks like the engineering laptop is on the pfSense LAN. Is that an incorrect assumption? If so, please add clarity to the diagram.

    @Pippin said in OpenVPN routing windows to access lan on client side of windows:

    route -p ADD <destination_ip> MASK <netmask> <gateway_ip>
    

This is the correct syntax for adding a route on a Windows PC. However, the above command would only be routing one host, and you typically want to route an entire network here, i.e.:

    route -p ADD <destination_network> MASK <netmask> <gateway_ip>
    

    @mxracer303 said in OpenVPN routing windows to access lan on client side of windows:

Hi @Pippin, so let me get this correct: will the destination IP be the IP of the PLC on the LAN, or do I put the IP of the whole LAN such as 192.168.2.1? As for the gateway IP, is this the gateway of the Windows panel PC or the gateway IP of the pfSense VLAN?

Not quite. Remember this is going on the endpoint device at the remote end, so in your situation the <destination_network> would be the LAN behind the OpenVPN server (pfSense). The <gateway_ip> would be the nearest router that knows how to get to the other end of the tunnel. In your case, the nearest router would be the Windows 10 PC.

For clarity, the above commands would apply if you were trying to connect to another Windows PC behind the Windows 10 PC. It doesn't go on the Windows 10 PC using the OpenVPN client because that device already has a route back to the server. The static routes being mentioned would need to go on the PLC... if the device supports it.
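Steps 2 and 3 of the procedure above and the `route -p ADD` discussion, as an added example that is not from any poster in this thread: an elevated PowerShell session on the Windows 10 panel PC that enables forwarding, shows which route the PC actually uses for the PLC subnet, and prints the gateway address the PLC needs for its return path. The adapter names and the addresses are assumptions taken from the thread or constructed; adjust them to your site.

```powershell
# Added example (editor's illustration, not from any poster in this thread).
# Run in an elevated PowerShell on the Windows 10 panel PC running the OpenVPN client.
# Assumed/constructed values; change them to match your site:
$TunNet   = '192.168.16.0/24'        # OpenVPN tunnel subnet mentioned in the thread
$PlcNet   = '192.168.2.0/24'         # LAN the PLC sits on (thread)
$PlcIP    = '192.168.2.10'           # PLC address (thread)
$LanAlias = 'Ethernet'               # adapter facing the PLC (assumed name, see Get-NetAdapter)
$TunAlias = 'OpenVPN TAP-Windows6'   # OpenVPN adapter (assumed name, see Get-NetAdapter)

# Step 2: Windows only forwards between interfaces that have forwarding enabled,
# so turn it on for the tunnel side AND the LAN side, not just one of them.
foreach ($alias in @($TunAlias, $LanAlias)) {
    Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -Forwarding Enabled
}
# Older guides set the global registry switch; keep it consistent with the above.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
                 -Name IPEnableRouter -Value 1 -Type DWord

# Check 1: both interfaces now report Forwarding = Enabled.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -in @($TunAlias, $LanAlias) } |
    Format-Table InterfaceAlias, Forwarding, InterfaceMetric -AutoSize

# Check 2: the route Windows selects for the PLC must leave via the LAN adapter.
# If it points back out the tunnel (e.g. because the server also pushes $PlcNet
# to this client), the PC answers pfSense with an ICMP redirect to the tunnel
# gateway instead of forwarding the packet to the PLC.
$route = Find-NetRoute -RemoteIPAddress $PlcIP | Where-Object { $_.DestinationPrefix }
"{0} is reached via {1} (next hop {2})" -f $PlcIP, $route.InterfaceAlias, $route.NextHop

# Check 3 (return path): a PLC that cannot hold static routes must use this
# PC's LAN host address as its default gateway. A gateway is always a host
# address on the PLC's own subnet, never the subnet's network address.
$lanIP = (Get-NetIPAddress -InterfaceAlias $LanAlias -AddressFamily IPv4 |
          Select-Object -First 1).IPAddress
"Set the PLC's default gateway to $lanIP so replies to $TunNet come back here"

# Step 3 equivalent of 'route -p ADD <destination_network> MASK <netmask> <gateway_ip>'
# for a *Windows* device behind the panel PC (the case described above). Run it on
# that device, not on the panel PC, with the panel PC's LAN address as next hop:
#   New-NetRoute -DestinationPrefix 192.168.16.0/24 -InterfaceAlias Ethernet -NextHop $lanIP
```

If Check 2 shows the PLC subnet going out the tunnel adapter, remove that pushed route from the server side (the client's own LAN belongs only in the client-specific override's remote networks, as the pfSense help text quoted later in the thread says), then re-run the check.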



@marvosa The laptop connects to the same OpenVPN server as the panel PC client is connecting to. There is currently no LAN set up on the server side in pfSense. I have just used push routes in the OpenVPN configuration. Should I add the local LAN in the client-specific overrides as well on both clients, my laptop and the panel PC?
There are no external firewalls or anything on the remote site when I'm using the internally built-in 4G LTE module on the panel PC. Sometimes I connect into an existing internet connection but don't have any access to configure routers or firewalls etc.
I have no way to add static routes on the PLC; I can only give the PLC a static IP address. Would running RouterOS on the panel PC allow the required settings and configuration to route the VPN tunnel out to the LAN the PLC is on?
So I take it there is no way to route the OpenVPN tunnel network to the local LAN network?
It seems I have really got myself into the deep end. There is a device called Ewon that's based off OpenVPN, and they are used to connect to PLCs and networks remotely. I take it my bottleneck and issue is using Windows, which doesn't give much flexibility.



I have still been at this with no success. I have attached the routing table. I have gone over all the OpenVPN configurations again and again and all the documentation, and have all the push routes, routes and iroutes set. It seems it's just not possible to do with Windows. Does anyone have any other ideas I can try? It seems I am just running into a dead end. The 192.168.16.4 is the tunnel IP, the 192.168.0.0 network is the local LAN and the 192.168.1.0 is the WiFi network.

[Attached image: OpenVPN windows routing table 1.png]


  • Netgate Administrator

If you're routing traffic between OpenVPN clients, the OpenVPN daemon at the server will need to know what subnets are behind which clients in order to send that traffic to them. You would do that using client-specific overrides in pfSense.

The PLC will need to be using the panel PC as its gateway in order to have a route back to the client laptop, unless you are NATing the traffic leaving Windows, but.... I have no idea on that!

    Steve



Hi @stephenw10, I am already using the client-specific overrides in pfSense. I have the subnets under IPv4 Remote Networks; the only thing I don't quite understand is the note, as there is no option to add those subnets in the server settings. In the server settings, I have added route and the subnets, and push route and the subnets, which I would suspect is what it is referring to.

    "These are the IPv4 client-side networks that will be routed to this client specifically using iroute, so that a site-to-site VPN can be established. Expressed as a comma-separated list of one or more CIDR ranges. May be left blank if there are no client-side networks to be routed."
    "NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings."

    From the picture, you can see the LAN has been set with static IP and mask and the gateway set to 192.168.0.0 so I would suspect that would provide the gateway?



This is what I get when I try to ping the PLC from pfSense. Note I have now changed the IP address range to 192.168.2.10 just to make sure there were no conflicts etc., so the above routing table is not valid now.

    PING 192.168.2.10 (192.168.2.10): 56 data bytes
    92 bytes from 192.168.16.4: Redirect Network(New addr: 192.168.16.1)
    Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
    4 5 00 0054 3a2a 0 0000 3f 01 ae23 192.168.16.1 192.168.2.10

    92 bytes from 192.168.16.4: Redirect Network(New addr: 192.168.16.1)
    Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
    4 5 00 0054 ef17 0 0000 3f 01 f935 192.168.16.1 192.168.2.10

    92 bytes from 192.168.16.4: Redirect Network(New addr: 192.168.16.1)
    Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
    4 5 00 0054 3886 0 0000 3f 01 afc7 192.168.16.1 192.168.2.10

    --- 192.168.2.10 ping statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss


  • Netgate Administrator

    What is 192.168.16.4? And 192.168.16.1?



  • @stephenw10 192.168.16.4 is the VPN Tunnel IP address and the 192.168.16.1 is the tunnel gateway IP


  • Netgate Administrator

Ah, so pfSense is sending traffic to the panel PC at 192.168.16.4 to pass to the PLC at 192.168.2.10, but it is replying with a redirect to its gateway. That implies the panel PC doesn't know where the 192.168.2.10 IP is.

    Steve



@stephenw10 I can ping the PLC from the panel PC in cmd and get a response, and it works fine. Is setting the default gateway under the LAN settings correct?


  • Netgate Administrator

    @mxracer303 said in OpenVPN routing windows to access lan on client side of windows:

Is setting the default gateway under the LAN settings correct?

    In pfSense? No.

    I have no idea why the panel PC is replying with that if that subnet is local to it. It is not forwarding the traffic as a router would.

    Steve



@stephenw10 The gateway is set under the LAN adapter IPv4 settings along with the static IP on the panel PC itself. There is no router between the panel PC and the PLC; the PLC is connected directly to the panel PC. Could having no router be the issue? Is there a way to forward traffic with Windows?

