OpenVPN - Access to Secondary Subnet
-
Dear All,
I have a radius authenticated VPN with OpenVPN however I am struggling with a specific setup. Whilst the VPN works fine, the routing doesn't.
I need the OpenVPN users to have access to a subnet for which pfSense is not the gateway.
I have created an interface that has access to this subnet, and I am able to ping the other devices that live on this subnet from Pfsense.
I have specified that as the subnet that the VPN assigned addresses should access.
However I am only able to access the primary LAN Subnet from the OpenVPN address pool.
Can anyone please give me some assistance? I have tried to create a virtual interface for the OpenVPN Server, but I am guessing I am missing either a NAT or Firewall Rule - Firewalls are not my discipline unfortunately.
pfSense is a great product - and I would like to deliver this proof of concept and purchase the full version, however I must show it will work as required in this environment.
Hope this makes sense.
Regards from me in the UK
-
@jakejig said in OpenVPN - Access to Secondary Subnet:
I need the OpenVPN users to have access to a subnet for which pfSense is not the gateway.
That's not optimal for a VPN access server. The devices will send replies to their default gateway instead of to pfSense, as long as they don't have a static route for it.
So one option is to add a static route for the OpenVPN tunnel network pointing to pfSense to each device in that subnet.
Another option is to translate the packets' source IP into the pfSense interface IP in this subnet; it's also called masquerading.
But doing so, the devices can only see the pfSense IP as source of an access. You can add a rule for this in Firewall > NAT > Outbound.
You may have to switch into hybrid mode if it's still in automatic. Then add a rule like this:
interface: that one in the destination devices subnet
source: VPN tunnel network pool
destination: may be any
translation: interface address
-
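The two options above (a static route on each device, or outbound NAT on the pfSense interface in that subnet) fix the same underlying problem: the device's reply follows its own default route and never comes back through pfSense. The following is an added illustration, not part of the thread and not pfSense code: a small Python model of the three hosts with a constructed topology (tunnel 10.8.0.0/24, secondary subnet 192.168.50.0/24, pfSense interface 192.168.50.2, the subnet's real gateway 192.168.50.1, a device at 192.168.50.10; all addresses are assumptions) that traces the forward packet and the reply under each configuration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IP = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Constructed addressing for the illustration (not from the thread).
TUNNEL = Net("10.8.0.0/24")        # OpenVPN tunnel network
LAN = Net("192.168.1.0/24")        # primary LAN behind pfSense
SECONDARY = Net("192.168.50.0/24")  # subnet where pfSense is NOT the default gateway


@dataclass
class Route:
    prefix: Net
    via: Optional[IP]  # None means directly connected


@dataclass
class Node:
    name: str
    addrs: list
    routes: list = field(default_factory=list)
    masquerade: Optional[Net] = None   # sources in this net get NATed toward SECONDARY
    nat_table: dict = field(default_factory=dict)

    def lookup(self, dst: IP) -> Optional[Route]:
        """Longest-prefix match over this node's routing table."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def build(static_route: bool, nat: bool) -> dict:
    client = Node("vpn-client", [IP("10.8.0.6")],
                  [Route(TUNNEL, None), Route(Net("0.0.0.0/0"), IP("10.8.0.1"))])
    pfsense = Node("pfSense", [IP("10.8.0.1"), IP("192.168.1.1"), IP("192.168.50.2")],
                   [Route(TUNNEL, None), Route(LAN, None), Route(SECONDARY, None)],
                   masquerade=TUNNEL if nat else None)
    # The subnet's real gateway knows nothing about the tunnel network, so anything
    # bound for 10.8.0.0/24 leaves via its upstream and never returns to pfSense.
    other_router = Node("other-router", [IP("192.168.50.1")], [Route(SECONDARY, None)])
    device = Node("device", [IP("192.168.50.10")],
                  [Route(SECONDARY, None), Route(Net("0.0.0.0/0"), IP("192.168.50.1"))])
    if static_route:
        device.routes.append(Route(TUNNEL, IP("192.168.50.2")))  # option 1 from the post
    return {n.name: n for n in (client, pfsense, other_router, device)}


def owner(nodes: dict, ip: IP) -> Optional[Node]:
    return next((n for n in nodes.values() if ip in n.addrs), None)


def send(nodes: dict, start: str, src: IP, dst: IP, max_hops: int = 8):
    """Trace one packet hop by hop. Returns (path, delivered, src_as_seen, dst_as_seen)."""
    path = [start]
    node = nodes[start]
    for _ in range(max_hops):
        # Reverse NAT: a reply to the masquerade address is mapped back to the tunnel client.
        if (src, dst) in node.nat_table:
            dst = node.nat_table[(src, dst)]
        if dst in node.addrs:
            return path, True, src, dst
        route = node.lookup(dst)
        if route is None:
            return path + ["DROP"], False, src, dst
        # Forward NAT (option 2): tunnel sources leaving toward SECONDARY get the interface IP.
        if node.masquerade and src in node.masquerade and dst in SECONDARY:
            iface_ip = next(a for a in node.addrs if a in SECONDARY)
            node.nat_table[(dst, iface_ip)] = src
            src = iface_ip
        next_ip = route.via if route.via is not None else dst
        node = owner(nodes, next_ip)
        if node is None:
            return path + ["DROP"], False, src, dst
        path.append(node.name)
    return path + ["LOOP"], False, src, dst


def round_trip(static_route: bool, nat: bool) -> dict:
    """Client pings the device; the device replies to whatever source it saw."""
    nodes = build(static_route, nat)
    client, device = IP("10.8.0.6"), IP("192.168.50.10")
    fwd_path, fwd_ok, seen_src, _ = send(nodes, "vpn-client", client, device)
    if not fwd_ok:
        return {"forward": fwd_path, "reply": [], "ok": False, "device_sees": None}
    rev_path, rev_ok, _, _ = send(nodes, "device", device, seen_src)
    return {"forward": fwd_path, "reply": rev_path, "ok": rev_ok, "device_sees": str(seen_src)}


if __name__ == "__main__":
    for label, cfg in [("no fix", (False, False)), ("static route", (True, False)), ("outbound NAT", (False, True))]:
        print(f"{label:13s} -> {round_trip(*cfg)}")
```

Running it shows the forward packet reaching the device in every case while the reply only comes back with one of the two fixes; with NAT the device sees 192.168.50.2 rather than the client's tunnel address, which is the visibility trade-off mentioned above.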
Hi Virago man - I presume that's a Yamaha - I've had plenty of them.
Actually I was just able to make it work.
Rather than give the interface in the destination subnet a static address I let it have a DHCP address from the upstream DHCP server on the router up from it.
I was then able to access the destination subnet. I've lost control of my remote machine on the management network unfortunately so I won't be able to test more until tomorrow.
Regards
Jakejig
-
@jakejig said in OpenVPN - Access to Secondary Subnet:
I presume that's a Yamaha
Exactly.
I've had plenty of them
Rather than give the interface in the destination subnet a static address I let it have a DHCP address from the upstream DHCP server on the router up from it.
A static interface IP is not required for masquerading at all.
But a DHCP IP on its own cannot provide access from the VPN clients. So I'm wondering why it's working now. Anyway, you can also use the DHCP server to distribute the routes to the devices, if all pull the IP from the server.
-
I think I am going to need a diagram.
Thanks for your assist by the way. Getting this amazing product to work securely in this environment is a major win. We've engaged TAC Lite but soon will want the fully supported model.
Regards
Jake
-
Hi - it works but then stops working :(
I think it's causing some kind of loop somewhere - behaves strangely
Regards