pfSense OpenVPN behind existing network



  • Hi, can anyone help me please? I want to install a pfSense OpenVPN server into an existing network without touching it.
    The existing network is very basic: Internet router + routed firewall (2 NICs) + LAN.
    I want to put the pfSense into the LAN and give access to remote users. Is it possible?

    Thanks.



  • Yes. However, if you do not run the VPN server on the default gateway, you have some extra work to get the routing working:

    If you don't need the original source address on the destination device (to be able to determine the VPN user), you may set an outbound NAT rule on pfSense which translates the source addresses of packets from VPN clients to LAN devices to the pfSense LAN address.

    If you want to see the original source addresses on the destination devices, you have to set a static route on each device you want to reach, directing packets destined for the VPN tunnel network to pfSense.
    Otherwise the packets are sent to the default gateway and you get no communication.



  • Oh! Perfect, I need the 1st point... you mean I have to define an outbound NAT choosing:

    Edit Advanced Outbound NAT Entry:

    • LAN interface?
    • Protocol Any
    • source: Any ?
    • dest: lan network ?

    Translation:
    address: Interface Address

    thanks!!



  • Outbound?
    No way.

    Your pfSense setup with the VPN server doesn't need any special setup.

    The upstream router** needs a simple NAT rule: WAN side port 1193, address any; LAN side: port 1193, address ... the WAN IP of your pfSense. Protocol: UDP.
    The most basic NAT rule on the planet ;)

    ** you got it: the work needs to be done on the router in front of pfSense.



  • @blepas
    Exactly, if your pfSense only does the OpenVPN connections; otherwise you may restrict the source to the OpenVPN tunnel network.

    Don't forget to set the Outbound NAT to manual mode.



  • However, the modification on the upstream router (NAT/forwarding) as @Gertjan suggested is also needed, of course.



  • I guess I'm not using something the right way then?

    This is what I have:
    @viragomann said in pfSense OpenVPN behind existing network:

    Don't forget to set the Outbound NAT to manual mode.

    Never ever visited that page before.... mine is on "auto".
    I do have an OpenVPN server so I can log in remotely.
    I do have an ISP router in front of my pfSense, so I had to NAT 1193/UDP through it.

    Am I missing something?



  • @Gertjan said in pfSense OpenVPN behind existing network:

    Am I missing something?

    If the OpenVPN server (pfSense) is the default gateway on the devices you want to reach from VPN clients, nothing.
    But as I understood the OP, his ISP router should stay the default gateway in his LAN.



  • Solved:

    Edit Advanced Outbound NAT Entry:

    LAN interface
    Protocol Any
    source: Any
    dest: lan network

    Translation:
    address: Interface Address

    Works perfectly!
    Thanks!
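For reference, here is what the GUI entries above (and the two options viragomann described earlier in the thread: outbound NAT versus a static route on each LAN host) look like as pf rules. This is an added illustration, not copied from the thread or from what pfSense itself generates; pfSense builds its own ruleset from the GUI and adds details such as port ranges. The interface names (em1, ovpns1), the LAN 192.168.1.0/24 with pfSense on 192.168.1.2 and the ISP router on 192.168.1.1, and the tunnel network 10.8.0.0/24 are all assumptions chosen for the example.

```pf
# Added illustrative pf.conf equivalent of the GUI rules in this thread.
# Assumed addresses (not from the thread):
#   em1            = pfSense LAN interface, 192.168.1.2/24
#                    (ISP router 192.168.1.1 stays the LAN default gateway)
#   10.8.0.0/24    = OpenVPN tunnel network ("IPv4 Tunnel Network" on the server)
#   192.168.1.0/24 = LAN network
#   ovpns1         = assumed name of the OpenVPN server interface

# Option 1 (what the thread settled on): source-NAT VPN client traffic headed
# for the LAN to the pfSense LAN address. Replies then go to 192.168.1.2,
# which is on-link for every LAN host, so no LAN host needs a route and the
# ISP router never sees the return traffic. Cost: every LAN host sees all
# VPN users as 192.168.1.2, so host logs and host ACLs cannot tell them apart.
# Source "any" is what the OP configured; (em1) is pf's dynamic interface
# address, matching "Translation: Interface Address" in the GUI.
nat on em1 inet from any to 192.168.1.0/24 -> (em1)

# Tightened variant suggested later in the thread: translate only tunnel
# traffic, so nothing else that may one day be routed out of em1 is hidden
# behind the firewall address. pf uses the first matching nat rule, so use
# one of the two, not both.
# nat on em1 inet from 10.8.0.0/24 to 192.168.1.0/24 -> (em1)

# The OpenVPN interface still needs a pass rule (Firewall > Rules > OpenVPN
# in the GUI). Limit it to what remote users actually need rather than "any".
pass in quick on ovpns1 inet proto { tcp udp } from 10.8.0.0/24 to 192.168.1.0/24 keep state
```

Option 2 from the thread (keep the real client addresses) replaces the nat rule with a route on every LAN host you want reachable, for example `ip route add 10.8.0.0/24 via 192.168.1.2` on Linux or `route -p add 10.8.0.0 mask 255.255.255.0 192.168.1.2` on Windows, again with the assumed addresses above. Either way the upstream router still needs the UDP port forward to the pfSense WAN address that Gertjan described, and Outbound NAT must be in manual (or hybrid) mode for the nat rule to be applied, as viragomann noted.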

