Pfsense Openvpn access in LAN



  • Hi,
I have been using pfSense at work for quite some time and am loving it.
    At home I have a normal SOHO router and want VPN capability, so I decided to install pfSense in a VM on my desktop.
    Would it be possible to run a VM with only one NIC (a WAN) and have it accept OpenVPN connections and allow access to the rest of the network?
    In a normal setup the user would connect to the WAN VPN and have access to the LAN, but since pfSense itself is now on a LAN, how do I go about doing that?
    Thanks for all your help!



  • @abidkhanhk

    Some SOHO routers support OpenVPN or IPSec. Does yours? Otherwise, why not run pfSense as your firewall?

While it may be possible to do what you want, it would be complex. You'd also need to provide routing that doesn't pass through the default router, and I don't think DHCP supports that.

    While it is possible to do something like that with a single NIC, you'd need to use VLANs, which require a managed switch.



@JKnott Unfortunately my router is not exactly SOHO, more like a home router, a TP-Link.
    I can't run pfSense as an edge router as I don't have extra hardware. Running pfSense in a VM is for when I am not at home: I can leave the PC on and access the home network for some of the files that I have to work on, etc.

    I have been reading the following but it's confusing me a bit. I need it for 2-3 users as my brother also needs access to the file server on my network.

    https://forum.netgate.com/topic/127814/pfsense-only-openvpn-server-with-only-single-interface-wan

    I would really appreciate it if someone could give me some pointers. Thanks!


  • LAYER 8 Global Moderator

    @abidkhanhk said in Pfsense Openvpn access in LAN:

but since pfSense itself is now on a LAN how do I go about doing that?

    By port forwarding the traffic from your edge to your downstream device handling the VPN connection. Keep in mind you would also have to source NAT the traffic into the LAN or you run into an asymmetrical issue, and/or host route on all your devices you would want to access via the VPN.

    But to be honest, if all you're going to be doing is VPN with pfSense, it probably makes more sense to just do something like PiVPN:

    https://pivpn.dev/

    pfSense is a great multi-tool; it can do many things: hammer, screwdriver, pliers, wrench, etc. But sometimes when you need a screwdriver, it's just easier to use an actual screwdriver.



@johnpoz Many thanks for your reply!
    I managed to create the VPN, logged in and all, but as you mentioned, "you run into an asymmetrical issue." I was only able to do one-way traffic: I can ping from the client but not ping back to the VPN client.
    Is it possible to do a NAT setting on pfSense itself to allow symmetrical traffic? Can you give me a small GUI example please?

    Also, I just wanted to know if PiVPN can work on an Ubuntu x86/64 VM?
    Many thanks


  • LAYER 8 Global Moderator

Yes, PiVPN can run on Ubuntu.

    Your devices are not going to know how to get to your VPN clients' VPN IP. So while you can source NAT traffic from the VPN client to your device, for your local clients to start a conversation with clients that are remote you would have to host route and tell them, "hey, to get to network X, send your traffic to your VPN server IP" vs their default gateway.

    This sort of stuff is why it's a much easier, cleaner and less complex setup to do your VPN at your edge device.

    No matter what downstream VPN server you set up, you run into such problems unless you do tap; this brings its own issues and is not supported on many clients, say iOS devices for example.

    A better solution for not running the VPN server actually on the edge is via a transit network off your edge device. But I highly doubt your home TP-Link router supports other networks, unless you could put, say, 3rd-party firmware on it, DD-WRT or OpenWrt as examples.

    To be honest, if this is the road you want to go down, getting fancier with your setup ;) look to replacing the home WiFi SOHO type of router with something that allows you to do this fancy stuff ;) Run pfSense at your edge, get switch(es) that do VLANs, get an AP that can do VLANs, etc. Then you'll be cooking with gas and there's pretty much nothing you cannot do.



Got it, thanks! Seems there really is no other option. I will see if I can flash DD-WRT on my router or simply replace it with a small SBC from eBay. lol

    thanks for your help!


  • LAYER 8 Global Moderator

If you do run your VPN server downstream, you can host route on devices on your local network that you want to create traffic from to your remote VPN clients.

    It's not all that hard to do, depending on such restrictions as you might have on the actual local client.
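To make the asymmetric-routing point from the replies above concrete (source NAT into the LAN, and host routes on the LAN devices for LAN-initiated traffic), here is an added example, my own code rather than anything from the thread or from pfSense. It models a LAN host's routing table with longest-prefix-match lookup and shows where the host's first hop lands in each of the configurations johnpoz describes. All addresses (192.168.0.0/24 LAN, TP-Link at 192.168.0.1, pfSense VM at 192.168.0.50, file server at 192.168.0.20, tunnel 10.8.0.0/24 with client 10.8.0.6) are constructed assumptions for the example:

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Constructed topology (assumptions for this example, not from the thread)
LAN = IPv4Network("192.168.0.0/24")
TPLINK = IPv4Address("192.168.0.1")     # consumer router, default gateway for LAN hosts
PFSENSE = IPv4Address("192.168.0.50")   # single-NIC pfSense VM running the OpenVPN server
FILESERVER = IPv4Address("192.168.0.20")
TUNNEL = IPv4Network("10.8.0.0/24")     # OpenVPN tunnel network
VPN_CLIENT = IPv4Address("10.8.0.6")    # a connected remote client


@dataclass
class Route:
    dest: IPv4Network
    via: Optional[IPv4Address]  # None = directly connected (on-link)


@dataclass
class Host:
    name: str
    ip: IPv4Address
    routes: list = field(default_factory=list)

    def first_hop(self, dst: IPv4Address) -> IPv4Address:
        """Longest-prefix-match lookup. Returns the next hop on the wire:
        the gateway for a routed destination, or dst itself when on-link."""
        matches = [r for r in self.routes if dst in r.dest]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        best = max(matches, key=lambda r: r.dest.prefixlen)
        return dst if best.via is None else best.via


def lan_host(name: str, ip: IPv4Address, host_route: bool = False) -> Host:
    """A typical DHCP-configured LAN host: on-link LAN plus a default route to
    the TP-Link. With host_route=True it also knows the tunnel network lives
    behind pfSense (the static 'host route' described in the thread)."""
    routes = [Route(LAN, None), Route(IPv4Network("0.0.0.0/0"), TPLINK)]
    if host_route:
        routes.append(Route(TUNNEL, PFSENSE))
    return Host(name, ip, routes)


def reply_first_hop(server: Host, snat: bool) -> IPv4Address:
    """VPN client -> LAN server. pfSense forwards the packet onto the LAN.
    With source NAT the server sees pfSense's LAN address as the sender and
    replies there (on-link); without it the server replies to the raw
    10.8.0.x address and its own routing table decides where that goes."""
    seen_src = PFSENSE if snat else VPN_CLIENT
    return server.first_hop(seen_src)


def lan_initiated_first_hop(client_host: Host) -> IPv4Address:
    """LAN host -> VPN client. Source NAT on pfSense cannot help here: the
    LAN host's own routing table alone decides the first hop."""
    return client_host.first_hop(VPN_CLIENT)


def host_route_commands(tunnel: IPv4Network = TUNNEL, via: IPv4Address = PFSENSE) -> dict:
    """Static route to add on each LAN device that must reach VPN clients."""
    return {
        "linux": f"ip route add {tunnel} via {via}",
        "macos": f"route -n add -net {tunnel} {via}",
        "windows": f"route -p add {tunnel.network_address} mask {tunnel.netmask} {via}",
    }


def scenarios() -> dict:
    """First hop of the LAN host's packet in each configuration."""
    plain = lan_host("fileserver", FILESERVER)
    routed = lan_host("fileserver", FILESERVER, host_route=True)
    return {
        "reply, no SNAT, no host route": reply_first_hop(plain, snat=False),  # TP-Link: asymmetric
        "reply, SNAT": reply_first_hop(plain, snat=True),                     # pfSense: works
        "reply, host route": reply_first_hop(routed, snat=False),             # pfSense: works
        "LAN-initiated, SNAT only": lan_initiated_first_hop(plain),           # TP-Link: fails
        "LAN-initiated, host route": lan_initiated_first_hop(routed),         # pfSense: works
    }


if __name__ == "__main__":
    for label, hop in scenarios().items():
        who = "pfSense" if hop == PFSENSE else "TP-Link (pfSense never sees it)"
        print(f"{label:32s} -> {who}")
    for os_name, cmd in host_route_commands().items():
        print(f"{os_name:8s} {cmd}")
```

The first scenario is exactly the one-way ping the OP saw: the reply leaves the file server toward the TP-Link, which has no idea where 10.8.0.0/24 is. Source NAT fixes client-initiated flows only; anything the LAN side starts still needs the host route (or a transit network at the edge, as johnpoz says). On pfSense the source NAT is an outbound NAT rule on the LAN interface (Firewall > NAT > Outbound, hybrid mode) with the tunnel network as source and the interface address as translation.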

