Netgate Discussion Forum

    Connect external client to internal client with OpenVPN through pfSense Firewall

    • bostongeorge

      Hi all. I am really new to pfSense and routing.
      I have this test environment where I want to allow an external client to access an internal webserver on a specific port.
      So far I was able to set OpenVPN rules that give client 2 an internal IP, but I am not able to ping any host. Why?
      I don't know how to proceed further in order to connect client 2 to the server.
      I can think of something like port forwarding, but I am a bit lost, that is why I am asking for help here.
      Thanks in advance! [image: Uten navn.jpg]

      • viragomann @bostongeorge

        @bostongeorge
        Your internal machines may block traffic from outside of their own subnet.
        Check the firewalls on the devices and allow access from the OpenVPN tunnel network.

        • bostongeorge @viragomann

          @viragomann The server can ping PC1 and the firewall (internal IP) but not Client 2.
          Client 1 can ping the firewall (internal IP) but not the server or PC2. But it can connect to the server via FTP.
          Client 2 cannot ping anyone, even with the VPN address.
          The firewall cannot ping anyone.

          So I am not able to troubleshoot why.
          I understand that the moment PC2 gets (using VPN) the same IP address range as the server and PC1, they should be able to communicate (via FTP), or ping each other at least.

          • bostongeorge @bostongeorge

            @bostongeorge -- Update --
            I did this: took down the firewall on client 1 and the server; now internally all can ping each other, but from client 2 (external) I get this ping answer which says packets received but host unreachable?
            What does that mean?

            [image: 54a925ad-53dc-4616-8377-285f4de8f7cc-image.png]

            • Rico

              Your drawing screams asymmetric traffic flow. Why is Client 2 connected to pfSense WAN and not behind pfSense (LAN)?

              -Rico

              • bostongeorge @Rico

                @rico Client 2 is an external client. It is not part of the internal network.
                I need to simulate that client 2 can connect to the server on FTP port 8070.
                Client 1 can connect to the server on FTP port 8070 (but they are on the same LAN segment, so yeah).

                Client 2 has to request from the firewall the possibility to go to the server.
                So the firewall must allow that.

                • Rico

                  Consider while testing: connecting a client to the pfSense WAN on RFC1918 addresses is not the same as a client connecting from the Internet.
                  If you really want to test your local installation, use something like a mobile connection.

                  -Rico

                  • bostongeorge @Rico

                    @rico I understand that. I am testing all of this using VMs.

                    At the moment all internal devices can ping each other, and the external device can ping the internal IP of the firewall, but it cannot ping the internal server or internal PC1.

                    • tsmalmbe @bostongeorge

                      @bostongeorge Don't make your OpenVPN subnet the same as the internal LAN. Begging for issues and problems there. Make it completely different, then add a firewall rule to access whatever you need in the 70-subnet.

                      Security Consultant at Mint Security Ltd - www.mintsecurity.fi

                      • bostongeorge @tsmalmbe

                        @tsmalmbe You mean that the problem could be here?
                        [image: c4adbdff-62b2-4ce8-9b32-20318b8ea884-image.png]

                        • tsmalmbe @bostongeorge

                          @bostongeorge That will surely screw up your setup.

                            • bostongeorge @tsmalmbe

                            @tsmalmbe I am now using this setup and all is working. I have followed a guide, so for anyone interested, let me know if you have the same problem (not sure I can post the link here).
                            [image: 77580d61-7134-41b9-a5dd-5514e17695a9-image.png]

                            I have followed this:

                            CONFIGURATION VM

                            • PC real: 192.168.0.0
                            • FW: bridged + Vmnet2 (host only)
                            • Server: custom Vmnet2
                            • Client 1: custom Vmnet2
                            • Client 2: bridged

                            IP ADDRESS

                            • FW WAN: 192.168.0.133
                            • FW LAN: 192.168.70.1
                            • Client 1: 192.168.70.5
                            • Server: 192.168.70.230
                            • Tunnel: 192.168.60.0
                            • Client 2: 192.168.0.137
                            • Client 2 VPN: 192.168.60.2

                            CONFIG INSTALLATION

                            • Create CA authority
                            • Create server certificate
                            • Create user
                            • Create user certificate
                            • Enable interface
                            • OpenVPN wizard

                            [image: affbebaa-05ed-4e1f-988d-1ba5c2045b0d-image.png]

                              • tsmalmbe

                              You should probably somehow mark this thread as "solved".

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.