Netgate Discussion Forum

OpenVPN tun mode with LAN IP

General pfSense Questions
7 Posts 2 Posters 855 Views

ashima LAYER 8
last edited by Oct 15, 2020, 12:41 PM

    My scenario:
    Site A (Master)
    pfSense 2.4.5 with OpenVPN (tun mode) configured.
    Local LAN: 192.168.90.0/24
    Local server: 192.168.90.2
    Tunnel network: 172.16.1.0/24

    Site B (Client)
    pfSense 2.4.5 with OpenVPN client
    Local LAN: 192.168.30.0/24

    The setup is working fine except for a glitch.

    The real issue:

    I have a tailored software running on Windows Server at Site A. When a client from Site B accesses the software it blocks it as it is from a different subnet (172.16.1.x).
    Is there a workaround where I can give virtual IPs to clients on the VPN in the same range as 192.168.90.0? Maybe a block 192.168.90.200-240 for VPN clients (as is done in tap mode).

    I do not want to configure tap mode as there is no multicast or broadcast traffic that I need to allow. I just want the VPN clients to get a DHCP address in the 192.168.90.0/24 range.

    Is it possible, or am I asking for too much? Any pointers?

    ashima LAYER 8
    last edited by Oct 15, 2020, 12:54 PM

      Just an update...

      There is no non-IP traffic (IPX ...) that needs to be transported.
      So tap mode doesn't make sense. The client should just get an IP address in the same range as the local LAN of Site A (192.168.90.x).

      viragomann @ashima
      last edited by Oct 15, 2020, 3:41 PM

        @ashima said in OpenVPN tun mode with LAN IP:

        > When a client from Site B accesses the software it blocks it as it is from a different subnet (172.16.1.x).

        Isn't it just blocked by the Windows firewall?
        It's the default behavior of Windows firewalls to block access from other subnets.

        ashima LAYER 8
        last edited by Oct 15, 2020, 5:09 PM

        @viragomann I don't think it is blocked by the Windows firewall, as when I look into States in the firewall it says
        192.168.90.2:9999 ----- 172.16.1.2:62323 Established
        So the connection is established, but the programmer might have blocked it (considering security).
        The application at the client end reports it is on a different network than the server even though at the back end the connection is established.
        So if there is some way I can connect the client over VPN with the same IP as the LAN segment, I can bypass the issue.

        viragomann @ashima
        last edited by Oct 15, 2020, 5:26 PM

            @ashima
            So let's do "masquerading" on that connection and give the packets an IP within your LAN.

        In pfSense you can do this in Firewall > NAT > Outbound.
        If you have never added a custom rule here, the outbound NAT may still work in automatic mode. If so, switch into hybrid mode and save this setting.

        Then add a new rule:
        interface: LAN
        source: 172.16.1.0/24 (the VPN tunnel network)
        dest: the server's IP
        You may also specify a dest. port to apply this rule only to connections for that application.
        translation: interface address

        This masquerades all connections from the VPN clients to the server with the LAN interface IP of pfSense.
        If you want a unique IP for each user, you will have some more work: you will need to add a CSO for each client, add an additional virtual IP to LAN for each, and add an outbound NAT rule for each client.

        ashima LAYER 8
        last edited by Oct 15, 2020, 7:03 PM

        Thanks @viragomann. The "masquerading" indeed solved the issue partially.

        Are there any security caveats in doing so?

              I shall get back to you after some more tests.

              Thank you.

        viragomann @ashima
        last edited by Oct 15, 2020, 7:57 PM

                @ashima said in OpenVPN tun mode with LAN IP:

        > Are there any security caveats in doing so?

        The rule as suggested above lets the server believe that the access is coming from within its subnet, namely from pfSense, and it works only if the source is one of your VPN clients and, if you additionally specified the destination port, only for that one application.
        So if you say your VPN clients should have access to it anyway, there are no security drawbacks.

        You may also further restrict access by a firewall rule.

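The outbound NAT rule described in viragomann's post, together with the optional restricting firewall rule mentioned in the reply above, expressed as a pf.conf fragment. This is an added example, not configuration from the thread or from pfSense itself; pfSense generates rules of this shape from the GUI, and the interface names em1 and ovpns1 are assumptions. The addresses and port 9999 come from the thread.

```pf
# Added example: pf.conf equivalent of the Firewall > NAT > Outbound rule
# from the thread. Interface names are assumed; adjust to your system.
lan_if   = "em1"            # assumed LAN interface, 192.168.90.0/24
ovpn_if  = "ovpns1"         # assumed OpenVPN server (tun) interface
vpn_net  = "172.16.1.0/24"  # tunnel network from the thread
app_srv  = "192.168.90.2"   # application server from the thread
app_port = "9999"           # port seen in the states table in the thread

# Masquerade only VPN-client connections to that one application with the
# LAN interface address of pfSense. Without "port $app_port" every
# connection from the tunnel to the server would be rewritten.
nat on $lan_if inet proto tcp from $vpn_net to $app_srv port $app_port -> ($lan_if)

# Optional firewall rule on the OpenVPN interface: VPN clients may reach
# that application; any other traffic from the tunnel to the server is dropped.
pass in quick on $ovpn_if inet proto tcp from $vpn_net to $app_srv port $app_port
block in quick on $ovpn_if inet from $vpn_net to $app_srv
```

One consequence worth checking on the server side: after this rule every VPN client appears to the application as the pfSense LAN address, so the application's own logs no longer distinguish individual remote users. If per-user attribution matters, the per-client virtual IP and NAT rule approach from the thread keeps the source addresses distinct. Verify the translation in Diagnostics > States, where the server-side entry should now show the LAN interface IP instead of 172.16.1.x as the source.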
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.