Netgate Hardware & VPN Questions
-
Um, not sure I understand. Kinda looks like spam...
-
@gabacho4 said in Netgate Hardware & VPN Questions:
You’re right on. Create an openvpn server for each router and then create user certificates so that you can connect from anywhere outside of your network.
For the site to site, you can do the IPSec OR you can use openvpn OR you could run both! I used to run a shared key openvpn site to site connection but wanted to be able to take advantage of the faster GCM algorithms so that required using a SSL/TLS setup (PKI implementation) instead. There were a few more steps but nothing insane. Netgate documentation is outstanding and, coupled with the forum and google, you can normally find your way out of any configuration hole you fall in. I run a routed IPSec site to site connections well, not so much out of necessity but because I like to learn new things and try different implementations, and the IPSec connection affords me some redundancy should the openvpn ever have an issue. My network connection speed doesn’t allow me to experience any appreciable difference in speed or performance.
My advice is to take this one step at a time. Set up the road warrior openvpn servers and make sure you can connect to both routers from your cellphone or another person’s network. Then focus on the site to site and you’ll have the remote access connection as a safety should you somehow screw something up and not be able to connect to the opposite router via your local network’s vpn connection.
Also, I highly recommend coming up with a well structured format for your network subsets to make it easier to remember what each network setup is. For example, my local network is a 10.20.x.x/24. My trusted LAN devices are 10.20.2.x with the router being 10.20.2.1 and switches and aps being grouped in ups blocks. My kid’s/guest network is 10.20.20.x. My cameras are 10.20.40.x. My DMZ is 10.20.80.x. I use VLANs so the kid’s VLAN is 20, cameras are 40 and DMZ is 80. For my Utah side, I use a 10.10.x.x/24. LAN is 10.10.1.x. Guest is 10.10.10.x. Cameras 10.10.30.x, IOT is 10.10.50.x... you see a pattern? Utah is my “first” network and my overseas one is 2. And of course I use the same structure for my router (10.10.1.1) etc that I use for my local network. This makes it very easy for me to remember my network configurations and not have to look things up in some spreadsheet all the time.
I’ve learned some of these lessons the hard way over time. You’ll undoubtedly discover things you wish you had done differently later down the road. My biggest advice, especially when you’re long distance from the remote network...DO NOT DO UPGRADES OR SIGNIFICANT CHANGES ON YOUR REMOTE PFSENSE OR OTHER CRITICAL NETWORK INFRASTRUCTURE. Something will eventually break, or fail to come back online, or you’ll misconfigure something and find yourself utterly screwed. Trust me! I’ve had to rely on the MILTS (mother-in-law tech support) a number of times. A 5 minute fix for me ends up being 45 minutes and uncontrollable body shakes working with her, God bless her soul.
Lastly, wireguard is great but not available in pfsense yet. They’re working on it. You’ll be just fine using openvpn or IPSec. Don’t want to run unofficial software on your edge router/firewall, and maintaining a separate server for wireguard is more work and something else to configure, maintain, patch, and possibly screw up too. Oh that reminds me, make sure all your must have infrastructure is on a good NAS!
OK, I decided to follow this advice and today I tried to setup a remote OpenVPN server at my CO house. I used the Wizard in pfSense. I left most decisions at default. I think I did it correctly. I then exported the client profile and installed it on my Android phone. I was able to import it into OpenVPN Connect. When I connected, I got a statistics page that showed I was connected with data uploading and downloading. It showed me an assigned "tunnel IP address". So I think this is all good.
What I did not see were the computer shares on my home network. I thought I would see these once I connected with the VPN. How do you actually browse your home network on an Android phone?
-
@xraydoc88 I do most of everything by IP address. If I want my router I go to 192.168.1.1. My NAS? 192.168.30.21. Etc. You should be able to map any shares you have set up but I don't know if your local computer/phone would see remote shares on its own. I've never tried personally. That'd be something interesting to read up on and experiment with. My setup works for what I've needed so I haven't spent a lot of time messing with other things. Will be curious to see what others might tell you.
-
What are you using to 'browse' with?
If you have configured the server to redirect all traffic over the VPN from the client and you have an allow all rule on the OpenVPN interface then the phone will be able to reach hosts on your LAN remotely. However those hosts may not respond to traffic from the VPN tunnel subnet. Or the phone may be attempting to 'discover' resources on its own subnet only by broadcasting for them which won't find anything when that's the VPN tunnel.
Steve
-
@stephenw10 said in Netgate Hardware & VPN Questions:
What are you using to 'browse' with?
If you have configured the server to redirect all traffic over the VPN from the client and you have an allow all rule on the OpenVPN interface then the phone will be able to reach hosts on your LAN remotely. However those hosts may not respond to traffic from the VPN tunnel subnet. Or the phone may be attempting to 'discover' resources on its own subnet only by broadcasting for them which won't find anything when that's the VPN tunnel.
Steve
Well, I didn't really know what you were supposed to do, other than use OpenVPN Connect. When I setup the remote server, I had to choose a tunnel IP range, (192.168.10.0/24), which I made sure was different from my home network. I also had to enter my home network IP range, (192.168.0.0/24). I let the pfSense OpenVPN wizard create two necessary firewall rules. When I use OpenVPN Connect on my phone, it looks connected, and it shows "my private IP" address as 192.168.10.2. That IP wouldn't normally be able to see my network. That's the tunnel IP. But doesn't the VPN somehow convert your tunnel IP to your local IP? Otherwise, how do you ever interact with the home network?
Once I launched OpenVPN Connect on my phone and activated the VPN, I did try to just enter a static private IP address of one of my shared computers (192.168.0.25) into the Chrome browser. That did not work though.
-
What web services are on that host at 192.168.0.25? What do you expect to see there?
Can you ping that IP?
Steve
-
@stephenw10
There are no webservices that I know of. I was just hoping to see my shared folders on that computer. And when connecting with a laptop, I'd like to be able to use remote desktop to control that computer. I don't know how to attempt a ping with an Android phone.
P.S. As I mentioned, I used the wizard to create everything. I also used the export client package to put the profile on my phone. When I look at the OpenVPN "clients" tab in pfSense, it is empty. Do I need to also add my phone there instead of just using the export package? Also, once connected, should the phone appear in that client list automatically? When I thought I was connected, it was not listed.
-
Ok, well Chrome is not an SMB client. It can't look at folders.
Chrome remote desktop might work but you'd need to enable it on the host you're connecting to.
In Android you can just open a terminal client and ping from there but there are numerous ping apps you could use.
What would you use to test if you were on wifi at home in the same network?
Steve
-
@stephenw10
On a computer in my home I would use a command prompt to ping another computer. On my phone, I didn't know what to do. There are obviously some additional steps or programs I need to use. I haven't seen them mentioned in any guides on setting up a remote access VPN. I obviously want to be able to interact with the computers on the home network, through the remote VPN connection. Can you tell me how you do that on either an Android phone or a Windows laptop?
On the laptop, do I just connect with the OpenVPN client and then open File Explorer? Will that show me my local shares as if I was plugged in at home?
The phone must need something else I assume?
Thanks!
-
On a Windows laptop you can indeed just use file explorer (smb) to connect to other Windows hosts and view their file shares.
You may need to enter the remote IPs directly. If you are passing a DNS search domain to clients and pfSense as a DNS server they may be able to resolve LAN side hostnames if pfSense is the DHCP server there.
The hosts you are connecting to need to allow SMB connections from the OpenVPN tunnel subnet of course. Anything you can do from the Android phone locally on WiFi should also work over OpenVPN.
I don't know what you are trying there. I'm not sure I've ever tried to access SMB fileshares on a phone. There may well be an app for that.
Steve
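The following is an added PowerShell walk-through for the Windows laptop case described in Steve's two replies above (reach the LAN over the tunnel, then make the home hosts accept SMB/RDP from the tunnel subnet). It is not code from the thread or from Netgate. The addresses come from the thread (tunnel 192.168.10.0/24, home LAN 192.168.0.0/24, target host 192.168.0.25); the OpenVPN adapter alias patterns, the share name and user name, and the statement that the built-in Private-profile firewall rules are scoped to "LocalSubnet" by default are assumptions to check on your own machines.

```powershell
# Added example, not from the forum thread. Part 1 runs on the LAPTOP after the
# OpenVPN client reports "connected"; Part 2 runs as Administrator on the HOME HOST.
# Assumed values (from the thread): tunnel net 192.168.10.0/24, home LAN
# 192.168.0.0/24, target host 192.168.0.25. Adapter alias patterns are assumptions.

$TunnelNet = '192.168.10.0/24'
$HomeLan   = '192.168.0.0/24'
$Target    = '192.168.0.25'

# ---------------- Part 1: on the laptop ----------------

# 1. The client must hold an address in the tunnel net (e.g. 192.168.10.2).
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -like 'OpenVPN*' -or
                   $_.InterfaceAlias -like '*TAP*'    -or
                   $_.InterfaceAlias -like '*Wintun*' } |
    Select-Object InterfaceAlias, IPAddress, PrefixLength

# 2. ... and a route to the home LAN via that adapter. pfSense pushes
#    'route 192.168.0.0 255.255.255.0' for the wizard's "Local network" field.
#    Nothing translates the tunnel address: packets reach the LAN host with
#    192.168.10.x as their source, which is why the host's firewall matters.
$route = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix $HomeLan -ErrorAction SilentlyContinue
if (-not $route) {
    Write-Warning "No route for $HomeLan on this client: check the server's Local Network / redirect-gateway setting."
} else {
    $route | Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
}

# 3. Layer-3 reachability, then the two ports that matter: SMB (445) and RDP (3389).
$pingOk = Test-Connection -ComputerName $Target -Count 2 -Quiet
"ICMP to ${Target}: $pingOk"

foreach ($port in 445, 3389) {
    $r = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
    '{0}:{1} reachable={2} (source address {3})' -f $Target, $port,
        $r.TcpTestSucceeded, $r.SourceAddress.IPAddress
}

# 4. Connect by IP. Explorer's "Network" view depends on broadcast/multicast
#    discovery (NetBIOS, WS-Discovery, mDNS) that never crosses the tunnel, so the
#    host will not appear there even when the share is reachable.
#    (Share name and account below are assumed placeholders.)
# net use Z: \\192.168.0.25\Share /user:HOMEPC\username *
# mstsc /v:192.168.0.25

# ---------------- Part 2: on the home host (run as Administrator) ----------------

# Assumption: the built-in Private-profile "File and Printer Sharing" and
# "Remote Desktop" inbound rules are scoped to RemoteAddress = LocalSubnet, so a
# connection from 192.168.10.2 is dropped even though routing is fine.
function Show-RuleScope {
    param([string]$Group)
    Get-NetFirewallRule -DisplayGroup $Group -Direction Inbound -Enabled True |
        ForEach-Object {
            $f = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = ($f.RemoteAddress -join ',')
            }
        }
}

Show-RuleScope -Group 'File and Printer Sharing'
Show-RuleScope -Group 'Remote Desktop'

# Add the tunnel subnet to the scope of the Private-profile rules instead of
# opening them to "Any"; the LAN-only restriction is kept.
foreach ($group in 'File and Printer Sharing', 'Remote Desktop') {
    Get-NetFirewallRule -DisplayGroup $group -Direction Inbound |
        Where-Object { $_.Profile -match 'Private' } |
        Set-NetFirewallRule -RemoteAddress @('LocalSubnet', $TunnelNet)
}

# Confirm a live SMB session really arrives from the tunnel address.
Get-NetTCPConnection -LocalPort 445 -State Established -ErrorAction SilentlyContinue |
    Select-Object RemoteAddress, RemotePort
```

Run Part 1 first: if step 2 shows no route, the problem is on the pfSense side (the wizard's "IPv4 Local network(s)" value or the OpenVPN firewall rule), and no amount of host firewall work will help. If the route exists and ICMP works but port 445 fails, the host is dropping the tunnel source, which Part 2 fixes. The pfSense allow-any rule on the OpenVPN tab is still required; this script only addresses the client and the Windows host.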