Netgate Discussion Forum

Routing specific traffic from LAN through OpenVPN client (from server)

Category: OpenVPN (3 Posts, 2 Posters, 592 Views)
    sebastianm (last edited by sebastianm Jun 23, 2022, 11:05 PM)

    Hi!

    I have the following setup:

    pfSense in Proxmox VM (version 2.6.0)
    WAN - public static IP
    LAN - 192.168.1.1/24
    OpenVPN Server configured (network 10.8.0.0/24)
    Remote VPS connected via OpenVPN to pfSense with access to 200.42.14.0/24 network

    What I need to do is: LAN traffic with destination 200.42.14.0/24 must route through a specific OpenVPN Client network (with NAT), because this is a public restricted network that is only reachable from a VPS where I configured the OpenVPN Client.
    I had this setup working perfectly with a MikroTik router but I can't get this to work on pfSense. I configured forwarding and iptables on the VPS to allow the traffic, and tested with the other router as mentioned; it worked perfectly.
    The VPS has Internet but ports are closed, so I can't configure an OpenVPN Server on the VPS. But I know that the setup works, despite being inverted.

    I can ping the VPS from pfSense and vice versa.

    I tried a lot of things.
    Configured OpenVPN Server as Peer-to-Peer, Remote Access, other things. Using TUN mode, TCP, nothing fancy, mostly default configuration, SSL/TLS auth.
    I configured a NAT Outbound rule to NAT the traffic matching the destination.
    Created a gateway on OpenVPN interface with the OpenVPN Client IP (10.8.0.2), status says ONLINE. I can see the ping reaching the VPS.
    If I configure an IP like 200.42.14.50 (that I know responds to ping) as the Gateway Monitor IP, it goes offline (packet loss 100%).
    Created a pass firewall rule on LAN interface that matches the destination and enabled policy routing to the gateway created to the OpenVPN Client. When pinging, I see the packet counter increase on the rule.
    Configured a static route to 200.42.14.0/24 with the gateway to the openvpn client.
    In the OpenVPN configuration, local network is set to 10.8.0.0/24 and remote network to 10.8.0.0/24; traffic should reach the VPS NATted from the pfSense OpenVPN server IP (10.8.0.1) to the VPS (10.8.0.2). Tried specifying the IP, and using Interface Address.

    I did a lot of testing, when I ping the 200.42.14.0/24 network, I don't reach the network. I started a wireshark session on the tun0 on the VPS. When I ping from the pfSense or LAN, I don't see any traffic reaching the VPS. It's like the traffic is being blocked or something, it doesn't reach the VPS at all.

    Any ideas?

    Thanks!

      viragomann @sebastianm (Jun 24, 2022, 10:46 AM)

      @sebastianm
      On pfSense configure a peer to peer server with a /30 (!) tunnel network.

      Add 200.42.14.0/24 to the IPv4 Remote Network/s in the OpenVPN server settings.

      Ensure that there is a firewall rule on LAN allowing access to 200.42.14.0/24. If you still have the default any-to-any rule there is no need to add a further one.

      Remove the static route for 200.42.14.0/24.
      On the VPS OpenVPN client add the route to your LAN 192.168.1.0/24.
      Add a masquerading rule to iptables for 192.168.1.0/24.

        sebastianm @viragomann (Jun 25, 2022, 10:15 PM)

        @viragomann
        Thanks, I see now the part of Remote Networks that I didn't see before.

        After some more testing, I decided to try using WireGuard as an alternative. Problem fixed in 10 minutes.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.