Netgate Hardware & VPN Questions
-
I have found one of the best Tutorials for setting up a site to site OpenVPN for pfsense to be here:
https://mitky.com/pfsense-openvpn-site-to-site-vpn/
You don't have to be a tech wizard to get it working. I find that if I have used this tutorial and it's not working, I missed a step somewhere. I wipe everything out and do it all over again and bingo, it works just like you want it to.
If you don't have carrier grade NAT you don't have to have static IP addresses to get OpenVPN to work. If you really want static IPs and want to pay your ISP more go ahead. I usually just set up DynDNS with an online provider. Even if you don't go with a free DynDNS service it's still gonna be way cheaper than paying for two static IPs from your ISPs. If you do go with a DynDNS service make sure you install the Cron package so it will force an update if the IP happens to change.
Now, if you DO have carrier grade NAT where you want the OpenVPN server, you're gonna need that static IP from that ISP....but not the Satellite office.
If you're really just wanting Remote Desktop to work and that's your primary goal I really don't see the need to take advantage of your GB Internet speeds. With RDP, you ain't gonna notice it. Now, if you plan on transferring huge files, video streaming, etc....well, that's different.
-
I currently have two very large NAS devices in the same home in CO. I use the second NAS to automatically back up the important files (movies, pictures, music, surveillance video, computers) that are stored on the first NAS. I had thought about moving the second NAS to UT so that they were in separate locations and wouldn't both die with a fire, etc. I'm not sure if that will work well, but it would require a fast connection between the two for the automated backups.
-
@xraydoc88 I do this with two Synology NAS devices. There's a cool rsync feature that allows you to choose the folder you want to back up, make a schedule, etc. It then copies the whole folder to the other NAS. I use it to back up camera video so that I have a remote copy of captured events should there be a fire or a break in etc which would result in the remote NAS being destroyed or stolen. Again my overseas bandwidth is humble compared to my lovely Google fiber but it works well. I have mine set to back up whenever there's a change to the remote folder but you can have it set to run on a specific day at a specific time. Lots of flexibility to do what you want.
Also wanted to second what you were told about static and dynamic IPs. I have gone for years using a dynamic DNS service, I use Google Domains now, in order to have a FQDN that I can use for my OpenVPN and IPsec connections. I only recently got put behind CGNAT and had to get a static IP. Part of the fun is the adventure but it also sucks when you try to VPN into your home network with no success only to find out your WAN has been assigned a 100.64.0.0/10. Boo.
-
I use this with 2 QNAP NAS, RTRR works so well over WAN.
I only have 50 Mbit upload, but with CoDel it can run anytime without any latency problems if you want to play an online game at the same time. It could send over 400GB/d to the backup NAS through the IPsec tunnel.
-
Yes, off-site backup is usually a good idea and incremental backups mean it's unlikely you're actually moving terabytes between them every day.
But you should be able to test the speed before you move the NAS and find out if it will be sufficient easily enough.
Steve
-
@stephenw10 You are right. But if he uses a VPN connection on both sides then he has an option to connect with any protocol like OpenVPN or IPsec. I use PureVPN and NordVPN.
-
Um, not sure I understand. Kinda looks like spam...
-
@gabacho4 said in Netgate Hardware & VPN Questions:
You’re right on. Create an openvpn server for each router and then create user certificates so that you can connect from anywhere outside of your network.
For the site to site, you can do the IPsec OR you can use OpenVPN OR you could run both! I used to run a shared key OpenVPN site to site connection but wanted to be able to take advantage of the faster GCM algorithms so that required using an SSL/TLS setup (PKI implementation) instead. There were a few more steps but nothing insane. Netgate documentation is outstanding and, coupled with the forum and Google, you can normally find your way out of any configuration hole you fall in. I run a routed IPsec site to site connection as well, not so much out of necessity but because I like to learn new things and try different implementations, and the IPsec connection affords me some redundancy should the OpenVPN ever have an issue. My network connection speed doesn't allow me to experience any appreciable difference in speed or performance.
My advice is to take this one step at a time. Set up the road warrior openvpn servers and make sure you can connect to both routers from your cellphone or another person’s network. Then focus on the site to site and you’ll have the remote access connection as a safety should you somehow screw something up and not be able to connect to the opposite router via your local network’s vpn connection.
Also, I highly recommend coming up with a well structured format for your network subnets to make it easier to remember what each network setup is. For example, my local network is a 10.20.x.x/24. My trusted LAN devices are 10.20.2.x with the router being 10.20.2.1 and switches and APs being grouped in ups blocks. My kid's/guest network is 10.20.20.x. My cameras are 10.20.40.x. My DMZ is 10.20.80.x. I use VLANs so the kid's VLAN is 20, cameras are 40 and DMZ is 80. For my Utah side, I use a 10.10.x.x/24. LAN is 10.10.1.x. Guest is 10.10.10.x. Cameras 10.10.30.x, IoT is 10.10.50.x... you see a pattern? Utah is my "first" network and my overseas one is 2. And of course I use the same structure for my router (10.10.1.1) etc that I use for my local network. This makes it very easy for me to remember my network configurations and not have to look things up in some spreadsheet all the time.
I've learned some of these lessons the hard way over time. You'll undoubtedly discover things you wish you had done differently later down the road. My biggest advice, especially when you're long distance from the remote network...DO NOT DO UPGRADES OR SIGNIFICANT CHANGES ON YOUR REMOTE PFSENSE OR OTHER CRITICAL NETWORK INFRASTRUCTURE. Something will eventually break, or fail to come back online, or you'll misconfigure something and find yourself utterly screwed. Trust me! I've had to rely on the MILTS (mother-in-law tech support) a number of times. A 5 minute fix for me ends up being 45 minutes and uncontrollable body shakes working with her, God bless her soul.
Lastly, WireGuard is great but not available in pfSense yet. They're working on it. You'll be just fine using OpenVPN or IPsec. Don't want to run unofficial software in your edge router/firewall, and maintaining a separate server for WireGuard is more work and something else to configure, maintain, patch, and possibly screw up too. Oh that reminds me, make sure all your must have infrastructure is on a good NAS!
OK, I decided to follow this advice and today I tried to set up a remote OpenVPN server at my CO house. I used the Wizard in pfSense. I left most decisions at default. I think I did it correctly. I then exported the client profile and installed it on my Android phone. I was able to import it into OpenVPN Connect. When I connected, I got a statistics page that showed I was connected with data uploading and downloading. It showed me an assigned "tunnel IP address". So I think this is all good.
What I did not see were the computer shares on my home network. I thought I would see these once I connected with the VPN. How do you actually browse your home network on an Android phone?
-
@xraydoc88 I do most of everything by IP address. If I want my router I go to 192.168.1.1. My NAS? 192.168.30.21. Etc. You should be able to map any shares you have set up but I don't know if your local computer/phone would see remote shares on its own. I've never tried personally. That'd be something interesting to read up on and experiment with. My setup works for what I've needed so I haven't spent a lot of time messing with other things. Will be curious to see what others might tell you.
-
What are you using to 'browse' with?
If you have configured the server to redirect all traffic over the VPN from the client and you have an allow all rule on the OpenVPN interface then the phone will be able to reach hosts on your LAN remotely. However those hosts may not respond to traffic from the VPN tunnel subnet. Or the phone may be attempting to 'discover' resources on its own subnet only by broadcasting for them, which won't find anything when that's the VPN tunnel.
Steve
-
@stephenw10 said in Netgate Hardware & VPN Questions:
What are you using to 'browse' with?
If you have configured the server to redirect all traffic over the VPN from the client and you have an allow all rule on the OpenVPN interface then the phone will be able to reach hosts on your LAN remotely. However those hosts may not respond to traffic from the VPN tunnel subnet. Or the phone may be attempting to 'discover' resources on its own subnet only by broadcasting for them, which won't find anything when that's the VPN tunnel.
Steve
Well, I didn't really know what you were supposed to do, other than use OpenVPN Connect. When I set up the remote server, I had to choose a tunnel IP range (192.168.10.0/24), which I made sure was different from my home network. I also had to enter my home network IP range (192.168.0.0/24). I let the pfSense OpenVPN wizard create the two necessary firewall rules. When I use OpenVPN Connect on my phone, it looks connected, and it shows "my private IP" address as 192.168.10.2. That IP wouldn't normally be able to see my network. That's the tunnel IP. But doesn't the VPN somehow convert your tunnel IP to your local IP? Otherwise, how do you ever interact with the home network?
Once I launched OpenVPN Connect on my phone and activated the VPN, I did try to just enter a static private IP address of one of my shared computers (192.168.0.25) into the Chrome browser. That did not work though.
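The two addressing points raised above (the per-site "second octet = site, third octet = VLAN" scheme in the quoted post, and the requirement in the reply that the tunnel network be distinct from the home LAN) both come down to one check: every subnet that will be routed across a tunnel must be unique. The script below is an added example, not code from the thread or from pfSense; the site tables are built from the subnets named in the thread, while the site-to-site tunnel network, the `build_plan`/`find_overlaps`/`remote_networks` names and the VLAN ids for the DMZ and IoT networks are assumptions for the example.

```python
import ipaddress

# Constructed site tables modelled on the thread: base "10.10" = Utah (site 1),
# "10.20" = Colorado (site 2); the third octet doubles as the VLAN id; router is .1.
SITES = {
    "utah":     ("10.10", {"lan": 1, "guest": 10, "cameras": 30, "iot": 50}),
    "colorado": ("10.20", {"lan": 2, "guest": 20, "cameras": 40, "dmz": 80}),
}
# Tunnel networks (assumed values): a /30 for the site-to-site link and the
# road-warrior client pool, which must not overlap with any LAN on either side.
TUNNELS = {"s2s": "10.99.0.0/30", "roadwarrior": "192.168.10.0/24"}


def build_plan(sites=SITES, tunnels=TUNNELS):
    """Expand the site/VLAN tables plus tunnel networks into name -> IPv4Network."""
    nets = {}
    for site, (base, vlans) in sites.items():
        for vlan_name, vid in vlans.items():
            nets[f"{site}/{vlan_name}"] = ipaddress.ip_network(f"{base}.{vid}.0/24")
    for name, cidr in tunnels.items():
        nets[f"tunnel/{name}"] = ipaddress.ip_network(cidr)
    return nets


def router_address(net):
    """The scheme puts the router on the first usable host (.1) of every subnet."""
    return next(net.hosts())


def find_overlaps(nets):
    """Return every pair of names whose networks overlap.

    An overlap between a LAN on either side and the tunnel pool, or between the
    two sites, means the route for one will shadow the other once the VPN is up.
    """
    items = sorted(nets.items())
    return [(a, b) for i, (a, na) in enumerate(items)
            for b, nb in items[i + 1:] if na.overlaps(nb)]


def remote_networks(nets, local_site):
    """CIDRs a site must route across the tunnel: every LAN that is not its own
    and not a tunnel network. This is the list that goes into the peer's
    remote-networks setting on the site-to-site instance."""
    others = [n for name, n in nets.items()
              if not name.startswith(local_site + "/") and not name.startswith("tunnel/")]
    return [str(n) for n in sorted(others)]


if __name__ == "__main__":
    plan = build_plan()
    for name, net in sorted(plan.items()):
        print(f"{name:22s} {str(net):18s} router {router_address(net)}")
    print("overlaps:", find_overlaps(plan) or "none")
    print("utah must route:", remote_networks(plan, "utah"))
```

Run it once per planned change; the interesting case is a non-empty `find_overlaps` result, which is the misconfiguration the reply above avoided by picking 192.168.10.0/24 rather than a range inside 192.168.0.0/24.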
-
What web services are on that host at 192.168.0.25? What do you expect to see there?
Can you ping that IP?
Steve
-
@stephenw10
There are no web services that I know of. I was just hoping to see my shared folders on that computer. And when connecting with a laptop, I'd like to be able to use remote desktop to control that computer. I don't know how to attempt a ping with an Android phone.
P.S. As I mentioned, I used the wizard to create everything. I also used the export client package to put the profile on my phone. When I look at the OpenVPN "clients" tab in pfSense, it is empty. Do I need to also add my phone there instead of just using the export package? Also, once connected, should the phone appear in that client list automatically? When I thought I was connected, it was not listed.
-
Ok, well Chrome is not an SMB client. It can't look at folders.
Chrome Remote Desktop might work but you'd need to enable it on the host you're connecting to.
In Android you can just open a terminal client and ping from there but there are numerous ping apps you could use.
What would you use to test if you were on wifi at home in the same network?
Steve
-
@stephenw10
On a computer in my home I would use a command prompt to ping another computer. On my phone, I didn't know what to do. There are obviously some additional steps or programs I need to use. I haven't seen them mentioned in any guides on setting up a remote access VPN. I obviously want to be able to interact with the computers on the home network, through the remote VPN connection. Can you tell me how you do that on either an Android phone or a Windows laptop?
On the laptop, do I just connect with the OpenVPN client and then open File Explorer? Will that show me my local shares as if I was plugged in at home?
The phone must need something else I assume?
Thanks!
-
On a Windows laptop you can indeed just use File Explorer (SMB) to connect to other Windows hosts and view their file shares.
You may need to enter the remote IPs directly. If you are passing a DNS search domain to clients and pfSense as a DNS server they may be able to resolve LAN side hostnames if pfSense is the DHCP server there.
The hosts you are connecting to need to allow SMB connections from the OpenVPN tunnel subnet of course. Anything you can do from the Android phone locally on WiFi should also work over OpenVPN.
I don't know what you are trying there. I'm not sure I've ever tried to access SMB fileshares on a phone. There may well be an app for that.
Steve