offloading OpenVPN using external gateway

bingo600 · Jan 4, 2021, 2:45 PM

Not the greatest explanation..
A drawing would help

Could it be the portforward still points to the pfSense , and not the RasPI ?

chrispazz · Jan 4, 2021, 2:47 PM

@bingo600 currently I am using portforward only to manage incoming external connections...
Why do you think it is involved in outgoing connections?

Ty

bingo600 · Jan 4, 2021, 2:51 PM

@chrispazz said in offloading OpenVPN using external gateway:

@bingo600 currently I am using portforward only to manage incoming external connections...
Why do you think it is involved in outgoing connections?

Ty

I was not sure it was outbound.

chrispazz · Jan 4, 2021, 3:05 PM

@bingo600 here it is a little drawing.... :)

I know, I have to buy an hardware pfsense....

bingo600 · Jan 4, 2021, 3:08 PM

@chrispazz

Your pfSense is the main router , and has to make the decision, what "traffic" to forward to the RasPI , you have to "set that up" in the pfSense (routing or policy routing).

What is nets are "behind" the OpenVPN ?

chrispazz · Jan 4, 2021, 3:11 PM

@bingo600 Currently I am using a "per IP" policy so only specific clients and specific traffic is going thru VPN.
I am using only firewall rules by indicating specific outgoing gateway (WAN or VPN).

bingo600 · Jan 4, 2021, 3:26 PM

@chrispazz said in offloading OpenVPN using external gateway:

@bingo600 Currently I am using a "per IP" policy so only specific clients and specific traffic is going thru VPN.
I am using only firewall rules by indicating specific outgoing gateway (WAN or VPN).

Then i suppose you have to make policy routing.

Make an IP host alias Ie. OVPN_FORWARDS , and put your IP's in that one.

Then make a policy route rule , AF IPv4 , Proto any , matching Source IP = OVPN_FORWARDS , dest any.

Click advanced options

Set the Raspi Gateway as Gateway

Pray that you have enabled forwarding in Raspbian Linux

Remember that pfSense matches on inbound traffic , meaning the rule has to be applied on all interfaces where matching ip's could "enter" (Ingress traffic).

/Bingo

chrispazz · Jan 4, 2021, 3:29 PM

@bingo600 here we are! this is exactly what I did before writing here! ahahahah
Yes I enabled forwarding in Raspbian but I cannot understand why it is going outside without using VPN

I am sure it is using the new rule because of some tests I did....

I am starting to suppose that the problem could be on the RPI side....strange since it is working from SSH....

bingo600 · Jan 4, 2021, 3:30 PM

@chrispazz said in offloading OpenVPN using external gateway:

Yes I enabled forwarding in Raspbian but I cannot understand why it is going outside without using VPN

Does the package reach the RasPI (using the gateway you set) ?
Or does the pfSense never send it to the Raspi ?

chrispazz · Jan 4, 2021, 3:38 PM

@bingo600 I do not know how to check this on the RPI side....

I followed this guide:

https://www.instructables.com/Raspberry-Pi-VPN-Gateway/

bingo600 · Jan 4, 2021, 3:41 PM

@chrispazz said in offloading OpenVPN using external gateway:

@bingo600 I do not know how to check this on the RPI side....

Quick hack
Enable temporary logging on the Policy Rule , look for log entries to confirm your rule matches "interesting traffic".

Real Packet capture (on pfSense).
Diagnostic --> Packet Capture

I suppose your pfSense Wan Interface is the one connecting to the "ISP Router LAN" ?

Packet Capture on pfSense
If you have a screen + kbd on the RasPi , you could install wireshark on that one , to do the packet capture.

If only SSH , install tcpdump on the RasPI

How about NAT ?
Are you natting on your pfSense WAN IF ?

/Bingo

bingo600 · Jan 4, 2021, 3:51 PM

You say your pfSense is 192.168.99.1 , but the drawing shows 99.250

Is the 99.1 interface a pfSense "inside Lan" ip ?

How does the 192.168.99.x interface relate on the drawing ?

I expect your pfSense to have a WAN ip on the ISP router LAN , meaning the 192.168.5.x range.

Since you say you can ping and prob SSH to the Raspi , i assume that is correct or ??

chrispazz · Jan 4, 2021, 3:51 PM

@bingo600 NAS is 99.250.
Inside NAS (Synology) I run a VM with pfsense (99.1).

I tried enabling logging on the rule and I can confirm it is using it.
Yes, my pfsense WAN interface is the one connecting to the ISP router.
And yes, I am using NAT on the pfsense WAN if....

bingo600 · Jan 4, 2021, 3:52 PM

@chrispazz

Just for completeness
What is your pfSense WAN IP ?

chrispazz · Jan 4, 2021, 3:53 PM

@bingo600 it is 192.168.5.254

bingo600 · Jan 4, 2021, 3:55 PM

@chrispazz

??

Then what is your ISP router inside ip ?

bingo600 · Jan 4, 2021, 3:57 PM

@chrispazz said in offloading OpenVPN using external gateway:

I tried enabling logging on the rule and I can confirm it is using it.

Ok

Now try to do a packet trace on the pfSense WAN

Set host address to the Raspi IP

And generate some traffic destined for VPN

chrispazz · Jan 4, 2021, 3:57 PM

@bingo600 oops....sorry. Inside IP of router is 192.168.5.254.

Pf sense has 192.168.5.1 on the WAN side...

chrispazz · Jan 4, 2021, 4:00 PM

@bingo600

Activated packet capture on host 192.168.5.9 and opened a webpage with www.google.it:

16:58:57.410983 IP 192.168.5.1 > 192.168.5.9: ICMP echo request, id 43267, seq 8815, length 9
16:58:57.920985 IP 192.168.5.1 > 192.168.5.9: ICMP echo request, id 43267, seq 8816, length 9

bingo600 · Jan 4, 2021, 4:04 PM

@chrispazz said in offloading OpenVPN using external gateway:

@bingo600

Activated packet capture on host 192.168.5.9 and opened a webpage with www.google.it:

16:58:57.410983 IP 192.168.5.1 > 192.168.5.9: ICMP echo request, id 43267, seq 8815, length 9
16:58:57.920985 IP 192.168.5.1 > 192.168.5.9: ICMP echo request, id 43267, seq 8816, length 9

Where did 192.168.5.9 come from ??
did you mean 5.99