pfSense on Cloud VPS for internet access with OpenVPN + Captive Portal
-
I'm trying to configure pfSense on a remote VPS with OpenVPN and Captive Portal to give guests limited internet access, but I'm missing some basic traffic routing.
(local router connects through the VPN + CP for internet access)
Testing it, I can connect to the VPN and the Captive Portal seems to work too.
(got redirected to it, click on connect > "The portal session is connected.")
But I cannot access the internet, no digs nor pings, nothing outside LAN.
Current OpenVPN config:
dev tun
persist-tun
persist-key
data-ciphers AES-128-GCM
data-ciphers-fallback AES-128-GCM
auth SHA1
tls-client
client
resolv-retry infinite
remote public_ip 1194 udp4
nobind
remote-cert-tls server
explicit-exit-notify
<ca>...</ca>
<cert>...</cert>
<key>...</key>
key-direction 1
<tls-auth>...</tls-auth>
Connection works:
Set TAP-Windows TUN subnet mode network/local/netmask = 10.0.0.0/10.0.0.2/255.255.0.0 [SUCCEEDED]
WAN has the VPS public IP, LAN has the OpenVPN tunnel network [10.0.0.0/16]
Captive Portal set on LAN with just "Disable MAC filtering" checked.
OpenVPN has "Redirect IPv4 Gateway" checked.
Firewall NAT Outbound on Hybrid mode with rule:
Mapping:
Interface: OpenVPN
Source: 10.0.0.0/16
Source Port: *
Destination: *
Destination Port: *
NAT Address: OpenVPN address
NAT Port: *
Since this is not the usual use case, I suspect I need some additional configuration on...
Firewall rules? Any clues?
-
@mencargo said in pfSense on Cloud VPS for internet access with OpenVPN + Captive Portal:
LAN has the OpenVPN tunnel network [10.0.0.0/16]
What? You have to configure different, non-overlapping networks for LAN and OpenVPN.
Do you need a LAN on the VPS at all? If I understood your intention correctly, your router is the only client which connects to the VPN server. So why do you have a /16 tunnel network?
If you want the clients to go out to the internet, you need the outbound NAT rule on the WAN not OpenVPN.
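A small added sanity check (my own example, not code from the thread or from pfSense) that models the two points made above with Python's ipaddress module: interface networks must not overlap, and the outbound NAT rule covering the tunnel network has to sit on WAN. The interface names, the WAN placeholder address and the (interface, sources) encoding of NAT rules are assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed model of the thread's setup; the WAN address is a documentation-
# range placeholder, not the VPS's real public IP.
INTERFACES = {
    "WAN": "203.0.113.10/24",
    "LAN": "10.0.0.0/16",      # LAN assigned to the tunnel interface (ovpns1)
    "OpenVPN": "10.0.0.0/16",  # OpenVPN tunnel network from the first post
}
# Outbound NAT mappings as (interface, space-separated source networks):
# the OP's hybrid-mode rule on OpenVPN, and the automatic WAN rule quoted later.
OP_MANUAL_RULE = [("OpenVPN", "10.0.0.0/16")]
AUTOMATIC_WAN_RULE = [("WAN", "127.0.0.0/8 ::1/128 10.0.0.0/16")]

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def overlapping_interfaces(interfaces):
    """Return name pairs whose networks overlap (same address family only)."""
    pairs = []
    for (a, na), (b, nb) in combinations(sorted(interfaces.items()), 2):
        x, y = _net(na), _net(nb)
        if x.version == y.version and x.overlaps(y):
            pairs.append((a, b))
    return pairs

def has_wan_egress_nat(tunnel_cidr, nat_rules):
    """True if an outbound NAT rule on WAN has a source covering the tunnel."""
    tunnel = _net(tunnel_cidr)
    for iface, sources in nat_rules:
        if iface != "WAN":
            continue
        for src in sources.split():
            s = _net(src)
            if s.version == tunnel.version and tunnel.subnet_of(s):
                return True
    return False

def check_setup(interfaces, nat_rules, tunnel_iface="OpenVPN"):
    """Report the two problems raised in the reply as plain strings."""
    findings = []
    for a, b in overlapping_interfaces(interfaces):
        findings.append(f"overlap: {a} {interfaces[a]} and {b} {interfaces[b]}")
    if not has_wan_egress_nat(interfaces[tunnel_iface], nat_rules):
        findings.append(f"no outbound NAT on WAN covering {interfaces[tunnel_iface]}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_setup(INTERFACES, OP_MANUAL_RULE)))
```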
-
@viragomann Not sure if I understand correctly but LAN was created using the virtual interface of the OpenVPN server, that actually shows as LAN (ovpns1).
I created the LAN assignment to it to be able to use it in Captive Portal.
(I'm under the impression that CP should not be assigned to WAN.)
About /16, there could be multiple routers connecting to the server, but I could probably set it to /24; does it matter?
I don't understand the outbound NAT rule, it has a couple of Automatic rules that includes:
Interface: WAN
Source: 127.0.0.0/8 ::1/128 10.0.0.0/16
Source Port: *
Destination: *
Destination Port: *
NAT Address: WAN address
NAT Port: *
So I suppose that covers "you need the outbound NAT rule on the WAN not OpenVPN", right?
I still don't fully understand it, I'll make some tests without assigning LAN to ovpns1.
-
Deleted the LAN interface and the Firewall NAT rule
Assigned CP to WAN
The VPN works fine but the CP doesn't show up, doesn't seem to work with the VPN now.
-
Haven't found a way to use Captive Portal on the WAN interface.
So, creating the LAN interface now everything works fine except when I activate the CP.
Any request is redirected to the CP page even after the session is initiated.