OpenVPN to head office and branch
-
Greetings, everyone.
I have the following scenario to solve. The customer has a head office and a branch, both with pfSense 2.5.2 working correctly.
There is a shared-key OpenVPN tunnel between the two pfSenses, so whoever is connected to the branch LAN reaches the head office LAN and uses the system as if they were there.
When users are away from either location, at home for example, they have a VPN (OpenVPN SSL/TLS + User Auth) installed on their notebook to connect to the head office and use the system; this works too.
But now there is a system that has been installed at the branch. The question is: how can users of this single external notebook VPN get access to both networks (head office and branch)?
I did a ping test against the branch pfSense's LAN IP from a notebook connected to the head office (external) VPN. I get no ping reply, but in System Logs -> Firewall on the branch pfSense I can see
that the IP the notebook received from the VPN configured on the head office pfSense arrives there and is passed, yet it doesn't work. Has anyone gone through this difficulty? Any idea what's missing?
-
Make sure you have the needed routes to get to the branch. The remotes already know how to get to the head office. Is there a route at both ends of the branch VPN for the traffic to get there and back? The remote clients should have a default route to get them to the head office.
-
@jotagsoares
In the access server settings you have to add the branch LAN, or at least the single IP you want to access, to the "Local networks" (if you haven't checked "Redirect gateway") to push the route to the clients. Additionally, in the branch OpenVPN settings add the access server tunnel network to the "Remote networks" to route responses back to the headquarters.
Ensure that there are firewall rules in place on the involved interfaces that pass the access.
-
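As an added example (editor's illustration, not configuration posted by anyone in this thread), here is what the pfSense GUI fields named in the reply above correspond to in OpenVPN directive terms, for both tunnels and both sides. All addresses are assumed: head office LAN 192.168.1.0/24, branch LAN 192.168.3.0/24, access-server tunnel 10.0.8.0/24, internal DNS server 192.168.1.10 and domain corp.example. The point it shows is that the remote notebooks need a pushed route to the branch LAN, and the branch peer needs a return route to the access-server tunnel network; without the second one the branch firewall passes the packet (as the original poster sees in the logs) but has no route to send the reply back.

```conf
## Added example (editor), not from the thread. Assumed addressing:
##   head office LAN       192.168.1.0/24
##   branch LAN            192.168.3.0/24
##   access-server tunnel  10.0.8.0/24   (SSL/TLS + User Auth, remote notebooks)
##   internal DNS server   192.168.1.10, domain corp.example

### Head office: remote-access server (VPN > OpenVPN > Servers)
# "IPv4 Tunnel Network"
server 10.0.8.0 255.255.255.0
# "IPv4 Local network(s)": one entry per LAN the clients must reach;
# pfSense turns each entry into a pushed route
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
# "DNS Server 1" / "DNS Default Domain": lets clients resolve hosts at both
# sites by FQDN (host.corp.example) instead of NetBIOS names
push "dhcp-option DNS 192.168.1.10"
push "dhcp-option DOMAIN corp.example"

### Head office: site-to-site peer (mode "Peer to Peer (Shared Key)")
# "IPv4 Remote network(s)": the LAN behind the branch peer
route 192.168.3.0 255.255.255.0

### Branch: site-to-site peer (mode "Peer to Peer (Shared Key)")
# "IPv4 Remote network(s)": head office LAN AND the access-server tunnel
# network. The second line is the return route for the remote notebooks;
# without it the branch accepts 10.0.8.x packets but cannot answer them.
route 192.168.1.0 255.255.255.0
route 10.0.8.0 255.255.255.0
```

Two checks go with this: on a connected notebook the routing table (`route print` on Windows, `ip route` on Linux) should list both 192.168.1.0/24 and 192.168.3.0/24 via the tunnel, and on the branch pfSense Diagnostics > Routes should show 10.0.8.0/24 pointing at the site-to-site interface. Firewall rules on the OpenVPN tab of both firewalls must pass the traffic in each direction, and if the branch runs its own DNS Resolver, its access list must include 10.0.8.0/24 before it will answer queries from the remote clients.
-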
I am following this, as I think it is the exact issue I'm having. I see JKnott's and Viragomann's suggestions, but I can't figure out how to actually DO those things. Can you be more specific on how to do this?
-
SOOOO, I think I stumbled on the fix. I'm still trying to get DNS to work across the connections, however IP is working correctly.
- Go into your "Interfaces" and enable the OPT interfaces.
- Now go into System > Routing > Static Routes. Click Add.
- Type your destination network (the other side's IP range, e.g. 192.168.3.0/24).
- Select the Opt2_VPNV4 gateway (or another, if that isn't the corresponding "OPT" of the VPN tunnel).
- Repeat this on the other router.
- Set up firewall rules for the OPT2 interfaces on each router to allow all.
I have made MANY changes trying to figure this out, but I think those were the ones that made the difference.
P.S. If anyone has advice on handling the DNS / Netbios stuff, I'm all ears.
-
@jimcorkery
It's basically not a good idea to add static routes for VPN gateways at all. This should be done by OpenVPN when the connection is established.
The OpenVPN settings tab provides the "Remote Networks" field to achieve this. When you want to access the remote DNS server from the local site, you might have to add the local network to its ACLs.
Also consider that you will have to add the domain name when requesting remote hosts.
-
@viragomann
I have a question. My VPN client connected to Router A gets a list of DNS servers that I have specified in the VPN server setup. When I do an NSLOOKUP from my command prompt, it uses the DNS on the local network and not the VPN. If I ping the computer name of the file server on the VPN, it doesn't go through, but pinging the IP address works.
This WAS working, but something that I have done along the way seems to have broken it. Now, if I VPN into Router B, it is working. Go figure.
-
@jimcorkery
To recap: you have a peer-to-peer OpenVPN, and the server provides a DNS server list. On a device in the client's LAN you try to resolve host names?
What is your client site DNS server?
-
@viragomann said in OpenVPN to head office and branch:
It's basically not a good idea to add static routes for VPN gateways at all. This should be done by OpenVPN when the connection is established.
The OpenVPN settings tab provides the "Remote Networks" field to achieve this.
Where do you see that? All I see is pushing routes in the Additional configuration options box, which I don't think would do what is needed. I would also go with adding static routes between the servers, as @JimCorkery is doing. This way, all the client has to know is how to reach the default gateway and let it sort things out.
-
@jknott said in OpenVPN to head office and branch:
Where do you see that?
Remote Networks?
These fields in the OpenVPN settings are meant for entering networks for which OpenVPN should set routes to the remote endpoint when connecting.
Setting static routes may end up in issues when the connection is down.
-
@viragomann I have a site-to-site (peer-to-peer) VPN. Then at each site I have a Remote Access VPN (for staff to connect into) set up at both ends as well, so clients can connect to their site. Once connected to their site, they should be able to access any of the PCs: Remote Access VPN client to Site A, Site A LAN PC, across the site-to-site tunnel to Site B, Site B LAN PC, and Remote Access VPN client at Site B PC.
The ping works. DNS / NetBIOS doesn't. When I remote into Site B, I can ping a local LAN PC at that site by its NetBIOS name. When I VPN into Site A, I cannot now, but I could before. I'm sure I messed up DNS / domain name setup somewhere. My head is swirling with all of this, so I can't pinpoint what setting I messed up.
-
Finally found that on the Client page. When I create a client, such as a notebook computer, I use the Client Export page, which does not have those settings. When I tell someone to use a setting, I also tell them where to find it, as it helps with something as complex as pfSense. Perhaps having "client" in the title for both pages is confusing. Perhaps the "Client" page should be called "Peer to Peer". As the server page also doesn't have that setting, a route will still have to be configured separately on the head office server to reach the VPN off the branch server.
-
@jknott
Ahh, I see, you're talking about the client config.
As I understood, we are talking about a peer-to-peer here and it should be set up in the GUI. But yes, the "Remote networks" option does nothing other than set the "route x.x.x.x" directive in the client config. The client export utility is meant to be used for access servers, whose clients get the proper routes pushed by the server anyway.
-
@jimcorkery
NetBIOS is not supported across a peer-to-peer VPN.
As mentioned, you can provide your internal DNS server to the clients in the OpenVPN access server settings, but the clients may need to use FQDNs to access the remote sites, since they are not joined to the remote domain.