OpenVPN and Remote Access
-
I have just purchased a VPN service, set up pfSense as a OpenVPN client and wonderfully now everything on my LAN now has to go through the VPN to access the internet. All working fine.
As part of the package I have got a static IP and the ability to open ports on the VPN server. My question is, what are the firewall rules/port forwards I need to setup to point incoming traffic to the right host on the LAN?
I had a quick and dirty mess around with Windows RDP (standard port 3389), but even opening up the port as floating rule and trying various port forwards I couldn't get it to connect to the desktop from outside. I did check the desktop firewall rules too. Not really sure how to diagnose, but looking at the logs it looked like pfSense was passing the traffic.
Supplementary question, I have a laptop where I don't have rights to install software (hence the mess around with RDP), is there any remote access solution on this machine outside of Windows RDP?
-
@SteelCityColt said in OpenVPN and Remote Access:
My question is, what are the firewall rules/port forwards I need to setup to point incoming traffic to the right host on the LAN?
It's the same as for WAN.
The connection from outside is forwarded to your virtual IP by the VPN provider. You have to add a port forwarding rule to the VPN interface, set the source to any and the destination address to the interface address.@SteelCityColt said in OpenVPN and Remote Access:
I had a quick and dirty mess around with Windows RDP (standard port 3389)
However, I'd suggest to run your own OpenVPN server on pfSense to RDP in your network.Basically pfSense has to be the default gateway on the destination device to get that work. Othewise you have to do a workaround with NAT.
@SteelCityColt said in OpenVPN and Remote Access:
Not really sure how to diagnose
I assume, that the connection is blocked be the destination device or misrouted if pfSense isn't default gateway.
To investigate you can use Diagnostic > Packet Capture.
Take a capture on LAN, enter port 3389, while you're trying to RDP from outside. Check if you see the request packets to your internal device and response packets coming back.
If you see nothing, take a capture on the VPN interface.@SteelCityColt said in OpenVPN and Remote Access:
I have a laptop where I don't have rights to install software (hence the mess around with RDP), is there any remote access solution on this machine outside of Windows RDP?
Can you establish an RDP connection from inside your LAN?
-
Can you establish an RDP connection from inside your LAN?
Do you mean at home (i.e. within home LAN), or at work (within the work LAN). If you mean can I connect via RDP using my laptop while in home network, that's no problem. Just use the local host address 172.16.x.x or hostname and it works fine.
Thanks for pointing me towards packet capture. I'll have another go when I'm next home and see what comes back.
Asking the stupid question then, I take it there's nothing stopping the pfSense box being both a VPN client and server at the same time? Does that mean you can have multiple VPN servers running? It's a real shame that they lock down what we can install on our work laptops as I've used OpenVPN before and it was a breeze with the wizard.
-
Yes, you can run multiple OpenVPN server and clients and both together.
-
Another dumb question then, I've just realised I get one of these as a free gift (https://www.gl-inet.com/products/gl-mt300n/), if I create a OpenVPN server on my pfSense box and set this up to connect to it, I assume I could use this in-line to connect without having to put client software on my laptop? Assuming there isn't an issue with ports not being open.
-
If you haven't an OpenVPN client on the laptop and are not able to install any, this box might be an option.
Consider that you must have a static WAN address or use an DynDNS service if you want to run a VPN server. -
@viragomann Thank you for your help, got my head around things a bit more now. One benefit of my VPN provider is a static IP that I control the port forwards on too.
-
@SteelCityColt said in OpenVPN and Remote Access:
One benefit of my VPN provider is a static IP that I control the port forwards on too.
However, keep in mind, that if you open a port e.g. for RDP and don't lock down the destination IP (when you need it for traveling), RDP can be accessed by anyone, which is not recommended.
Moreover your connection from outside to your VPN provider is only secured by the RDP protocol. -
I think therefore the more secure option is as you suggest to setup OpenVPN server on the pfSense box and see if I can use the mini router as a OpenVPN "client".
-
Which VPN service are you using? Almost all mainstream providers offer a split tunneling feature that allows you to choose which data to send through the VPN and which not. I use PureVPN but many others like ExpressVPN offer the same with their apps.