N00b: VPN/redirect for inbound MS Remote Desktop
I have an Internet-facing pfSense instance working; I've gotten as far as redirecting incoming web browser traffic on an arbitrary port number to a web server on the LAN side of the pfSense machine so fundamentally, things work. But I am very new to pfSense and to network operations of this sort.
Here's my intended use case and I would like to ask basically what bits and pieces of pfSense I need to figure out to get this to work:
- A user on the internet starts a VPN client that connects to pfSense on my end. I have administrative contact with each user, so I can give them instructions, a certificate file, etc., if I need to, to facilitate this.
- Once the VPN connection is established, the user can point the MS Remote Desktop client at e.g. windowsmachine.myowndomain.com, and pfSense directs the connection attempt to the Windows machine on the LAN side of the pfSense machine.
- Connectivity between the user and the Windows machine over the VPN is limited to RD and CIFS/SMB.
I've been told that DNS within pfSense can be "pushed out" in a non-authoritative way over the VPN, so that the user can refer to the Windows server via a name I've set, but I'm unclear as to how that would work.

The OpenVPN config page on the pfSense admin web app is mostly beyond me, but I see that there's a checkbox to force clients to use only VPN DNS servers. If I enable that, then I could have my pfSense machine's DNS resolve the name of just the Windows server and pass all other DNS requests out to the internet.

Alternatively, the VPN client could perhaps be configured to query my DNS first (again, only resolving that one name), and then any DNS request the client made that my DNS could not resolve (i.e., all but the one for the Windows machine) would go out to the user's usual DNS.
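The three pieces the question is asking about (push the pfSense resolver to VPN clients, answer only the one name locally, and restrict VPN traffic to RDP and SMB) map onto a few lines of the configuration pfSense generates. The fragment below is an added illustration, not configuration from the question or from the pfSense project; it uses the question's hostname windowsmachine.myowndomain.com and assumes a 10.8.0.0/24 tunnel network, a 192.168.1.0/24 LAN and a Windows host at 192.168.1.10 (all constructed values). The OpenVPN, Unbound and pf directives are real ones; on pfSense you would normally set them through the GUI (OpenVPN server page, DNS Resolver host override, and the OpenVPN tab under Firewall > Rules) rather than edit these files by hand.

```conf
# --- OpenVPN server (what pfSense writes for the "OpenVPN" server) ---
# Tunnel network; the server itself is 10.8.0.1 and Unbound listens there.
server 10.8.0.0 255.255.255.0

# Route only the LAN subnet over the tunnel (no "redirect-gateway"), so
# the user's ordinary internet traffic is not pulled through the VPN.
push "route 192.168.1.0 255.255.255.0"

# Tell clients to use the pfSense resolver at the tunnel address and to
# treat myowndomain.com as a DNS suffix for unqualified names.
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DOMAIN myowndomain.com"

# "Block Outside DNS" checkbox: Windows clients only, forces all DNS
# through the tunnel while connected. Omit it if you want clients to
# keep their usual resolver for everything except the pushed domain.
push "block-outside-dns"

# --- Unbound (pfSense DNS Resolver host override for the one name) ---
# Answer this single name locally; everything else is resolved
# normally by forwarding/recursion, as the question describes.
local-data: "windowsmachine.myowndomain.com. IN A 192.168.1.10"

# --- pf rules on the OpenVPN interface group (Firewall > Rules > OpenVPN) ---
# Allow VPN clients to query the pfSense resolver over the tunnel.
pass in quick on openvpn proto { tcp udp } from 10.8.0.0/24 to 10.8.0.1 port 53 keep state
# Allow only RDP (3389) and SMB (445) to the single Windows host.
# Newer RDP clients may also use UDP 3389; add "proto udp ... port 3389" if needed.
pass in quick on openvpn proto tcp from 10.8.0.0/24 to 192.168.1.10 port { 3389 445 } flags S/SA keep state
# Everything else from the tunnel network is dropped (pfSense's implicit
# default deny does this too; stated here so the policy is visible).
block in quick on openvpn from 10.8.0.0/24 to any
```

The DNS line for port 53 matters: with "block-outside-dns" pushed, a client that cannot reach 10.8.0.1:53 has no working DNS at all, so test name resolution from a VPN client before tightening the rule set further. The second approach the question mentions (query the VPN DNS first, fall back to the user's own resolver) depends on the client OS honouring the pushed DOMAIN as a split-DNS suffix, which Windows does not do reliably; forcing the VPN resolver and letting Unbound forward everything except the one override is the predictable option.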