pfsense Openvpn behind existing network

blepas

Hi, can anyone help me please? I want to install a pfsense openvpn server into an existing network without touching it.
Existing network is very basic, Internet router + routed firewall (2 nic) + LAN
I want to put the pfsense into the LAN and give access to remote users. Is it possible?

Thanks.

viragomann

Yes, however if you do not run the VPN server on the default gateway you have some extra work to get the routing working:

If you don't care about the origin source address to be able to determine the VPN user on the destination device, you may set an outbound NAT rule on pfSense, which translates source addresses in packets from a VPN clients to a LAN devices to the pfSense LAN address.

If you want to see the origin source addresses on the destination devices you have to set a static route on each device you want to reach directing packets destined to the VPN tunnel network to pfSense.
Otherwise the packets are sent to the default gateway and you get no communication.

blepas

oh! perfect, I need 1st point... you mean I have to define an outbound NAT choosing :

Edit Advanced Outbound NAT Entry:

• LAN interface?
• Protocol Any
• source: Any ?
• dest: lan network ?

Translation:
address: Interface Address

thanks!!

Gertjan

Outbound ?
No way.

Your pfSense setup with the VPN server doesn't need any special setup.

The upstream router** need a simple NAT rule : WAN side port 1193 address any, LAN side : port 1193, address ... the WAN IP of your pfSense. Protocol : UDP.
The most basic NAT rule on the planet ;)

** you got the : the works need to be done on the router in front of pfSense.

viragomann

@blepas
Exactly. If your pfSense only does the OpenVPN connections, otherwise you may restrict the source to the OpenVPN tunnel network.

Don't forget to set the Outbound NAT into the manual mode.

viragomann

However, the modification on the upstream router (NAT / forwarding) as @Gertjan suggested is also needed, of course.

Gertjan

I guess I'm not using something the right way then ?

This is what I have :
@viragomann said in pfsense Openvpn behind existing network:

Don't forget to set the Outbound NAT into the manual mode.

Never ever visited that page before .... mine is on "auto".
I do have a OpebVPN server so I can remote login.
I do have a ISP router in front of my pfSEnse, so I had to nat 1193/UDP through it..

I miss something ?

viragomann

@Gertjan said in pfsense Openvpn behind existing network:

I miss something ?

If the OpenVPN server (pfSense) is the default gateway on the devices you want to reach from VPN clients, nothing.
But as I understood the TO, his ISP router should stay the default gateway in his LAN.

blepas

Solved:

Edit Advanced Outbound NAT Entry:

LAN interface
Protocol Any
source: Any
dest: lan network

Translation:
address: Interface Address

wofks perfect!
Thanks!