Netgate Discussion Forum

Access Webserver on openvpn client (site-to-site)

Category: OpenVPN
8 Posts, 2 Posters, 736 Views
    dbx, Jan 26, 2023, 7:39 PM

    Hi all,

    Just after a little help if anyone could be so kind.

    I have 2 pfSense firewalls configured site-to-site with OpenVPN, one as client and one as server. On the LAN connected to the client FW I have a webserver running. I need to be able to access the webserver from the server side.

    Using a client-specific override on the server I have been able to get traffic through to the client firewall, with the destination as the webserver, but the response never comes back; I get a 504 timeout.

    I've tried setting up outbound NAT rules on the client in pfSense, but the request still doesn't seem to be getting from the client firewall to the webserver, and back through the VPN tunnel to the server side.

    I would have normally set up client and server on either side, but in this instance I have no way to open a port on to the client firewall at the site in which it's hosted.

    Happy to provide more information if it helps. I've been trying with this for a few days and can't seem to figure it out.

    Thanks,
    D

    viragomann @dbx, Jan 26, 2023, 10:20 PM

      @dbx said in Access Webserver on openvpn client (site-to-site):

      On the LAN connected to the client FW I have a webserver running. I need to be able to access the webserver from the server side.

      From the server side's LAN?
      Or from the internet?

      Using a client-specific override on the server I have been able to get traffic through to the client firewall, with the destination as the webserver, but the response never comes back

      How did you determine this?

      Can you access any other resources in the remote network?

      Are both VPN endpoints, the client and the server, the default gateways in their respective local networks?

      dbx @viragomann, Jan 27, 2023, 8:10 AM (last edited Jan 27, 2023, 8:14 AM)

        @viragomann

        Thanks for getting back to me.

        @viragomann said in Access Webserver on openvpn client (site-to-site):

        From the server side's LAN?
        Or from the internet?

        The goal is for the webserver to be accessible from the internet; from the server side's LAN would be nice to have but not essential.

        Are both VPN endpoints, the client and the server, the default gateways in their respective local networks?

        Both VPN endpoints have a private static WAN gateway address outside of their local network.

        @viragomann said in Access Webserver on openvpn client (site-to-site):

        How did you determine this?

        I've been using the diagnostic tools in pfSense on the server: traceroute, ping, and Test Port.

        I have also been using a browser from a remote network (mobile device) with a host record pointing at the external address of the server, which comes in through the WAN and hits a NAT port forward rule in pfSense on the server, with the NAT IP of the webserver. Each time I refresh the browser I see an entry in the logs of the pfSense client with the interface as the VPN interface, source as the public IP of the mobile device on the remote network, and destination as the local IP of the webserver on the client LAN (to port 80). This is the furthest I've seen the request get, and is the closest to the goal.

        The traceroute with source address as either the VPN gateway interface or the OpenVPN server goes straight out to the WAN gateway and gets lost in the ether of the service provider network. Presumably this is because it isn't hitting the NAT rule, which is specific to port 80.

        Can you access any other resources in the remote network?

        No, I'm unable to access any resources on the client LAN from the server side, other than a ping to the VPN client address and the HTTP request making it through to the VPN interface of the client. Something unusual here is that the rule reported in the logs is the automatically created "Allow all on OpenVPN", which is a rule on the OpenVPN interface and not on the interface the request is reported to come in on, which is manually assigned to ovpnc1.

        viragomann @dbx, Jan 27, 2023, 11:09 AM

          @dbx said in Access Webserver on openvpn client (site-to-site):

          The goal is for the webserver to be accessible from the internet; from the server side's LAN would be nice to have but not essential.

          That's possible, however, it needs special settings on the client side.

          Are both VPN endpoints, the client and the server, the default gateways in their respective local networks?

          Both VPN endpoints have a private static WAN gateway address outside of their local network.

          No, the question is if both are the default gateways in the local networks behind them or if there is another upstream gateway used on either site.

          @viragomann said in Access Webserver on openvpn client (site-to-site):

          How did you determine this?

          I've been using the diagnostic tools in pfSense on the server: traceroute, ping, and Test Port.

          Capturing the traffic on the concerned interfaces gives you the best insight into what's going on.

          The traceroute with source address as either the VPN gateway interface or the OpenVPN server goes straight out to the WAN gateway and gets lost in the ether of the service provider network. Presumably this is because it isn't hitting the NAT rule, which is specific to port 80.

          You wrote you have configured a host override for the public FQDN. This should point the host name directly to the web server IP on the remote site and should not need a NAT rule at all.
          Did you configure it properly?
          When capturing the traffic you should see that the packets are going out on the VPN interface on the server side.

          Something unusual here is that the rule reported in the logs is the automatically created "Allow all on OpenVPN", which is a rule on the OpenVPN interface and not on the interface the request is reported to come in on, which is manually assigned to ovpnc1.

          So you have already assigned an interface to ovpnc1?
          And also added a firewall rule to it for passing the web server access from the remote site?

          You have to remove any pass rule from the OpenVPN tab.
          If you need to pass any other traffic, come back with details to find a solution.

          dbx @viragomann, Jan 27, 2023, 12:24 PM

            @viragomann thank you for the help, I really appreciate it.

            @viragomann said in Access Webserver on openvpn client (site-to-site):

            That's possible, however, it needs special settings on the client side.

            Great, I'm hoping I'm not too far off.

            @viragomann said in Access Webserver on openvpn client (site-to-site):

            No, the question is if both are the default gateways in the local networks behind them or if there is another upstream gateway used on either site.

            Sorry. Yes they are both the default gateways in the local networks behind them.

            @viragomann said in Access Webserver on openvpn client (site-to-site):

            Capturing the traffic on the concerned interfaces gives you the best insight into what's going on.

            I don't have too much experience with this aspect, although I have used Wireshark before. I'm unsure how to target the concerned interface. I'll have a try and see what it uncovers.

            @viragomann said in Access Webserver on openvpn client (site-to-site):

            You wrote you have configured a host override for the public FQDN. This should point the host name directly to the web server IP on the remote site and should not need a NAT rule at all.

            Excellent. I hadn't realised it could be made simpler like that. I added a host override on the server endpoint in pfSense; however, if I disable the policy routing rule targeting the CLIENT_VPNV4 gateway and replace it with a simple allow rule, the request no longer makes it to the client endpoint.

            @viragomann said in Access Webserver on openvpn client (site-to-site):

            So you have already assigned an interface to ovpnc1?
            And also added a firewall rule to it for passing the web server access from the remote site?
            You have to remove any pass rule from the OpenVPN tab.
            If you need to pass any other traffic, come back with details to find a solution.

            Yes, I have assigned an interface to ovpnc1 on both the client and the server. Following your advice I removed the "any" pass rule from the OpenVPN tab and I now see that the correct rule under the assigned interface for openvpn1 is now matched.

            viragomann @dbx, Jan 27, 2023, 12:50 PM

              @dbx said in Access Webserver on openvpn client (site-to-site):

              however, if I disable the policy routing rule targeting the CLIENT_VPNV4 gateway and replace it with a simple allow rule, the request no longer makes it to the client endpoint.

              If there is a matching pass rule without a gateway stated and it's allowing access to the remote private IP it should work though.
              Policy routing should not be necessary here.

              Ensure that the IP is resolved properly to the remote private IP.
              Maybe the browser resolves via DoH.
              If it resolves to the public IP you need to enable NAT reflection in the port forwarding rule for the web server.

              Yes, I have assigned an interface to ovpnc1 on both the client and the server. Following your advice I removed the "any" pass rule from the OpenVPN tab and I now see that the correct rule under the assigned interface for openvpn1 is now matched.

              So the response packets from the web server should be redirected back to the remote site. And access from the internet should already work.

              FYI: OpenVPN is an interface group. It is implicitly added by pfSense when you configure an OpenVPN instance and covers all your OpenVPN instances, servers and clients alike.
              Firewall rules on interface groups have priority over those on a member interface. Hence, if such a rule matches, the interface rules are disregarded.

              But for internet traffic an interface rule must be applied to the traffic so that pfSense can add the reply-to tag to the connection, which is required to direct response packets back to the correct gateway.

              dbx, Jan 27, 2023, 2:23 PM
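A small model of the evaluation order viragomann describes above (OpenVPN group tab first, then the assigned member interface, with reply-to only available from an assigned-interface rule). This is an added illustration, not pfSense code; the rule set, addresses and the reply-to flag are constructed assumptions.

```python
"""Model of pfSense rule evaluation for an OpenVPN group vs. an assigned interface.

Assumptions (constructed for illustration, not pfSense internals):
- rules on the "OpenVPN" interface group are evaluated before rules on the
  assigned member interface (here called "OVPNC1"), first match wins;
- only a pass rule on the assigned interface gets a reply-to tag, which is what
  sends reply packets back through the VPN gateway instead of the default route.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    tab: str                 # "OpenVPN" (interface group) or "OVPNC1" (assigned interface)
    action: str              # "pass" or "block"
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    dport: Optional[int]     # None means any destination port
    description: str


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


def matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    return _in_net(src, rule.src) and _in_net(dst, rule.dst) and rule.dport in (None, dport)


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> Tuple[Optional[Rule], bool]:
    """Return (matched rule or None, whether a reply-to tag is applied)."""
    ordered = [r for r in rules if r.tab == "OpenVPN"] + [r for r in rules if r.tab != "OpenVPN"]
    for rule in ordered:
        if matches(rule, src, dst, dport):
            reply_to = rule.action == "pass" and rule.tab != "OpenVPN"
            return rule, reply_to
    return None, False


# Constructed rule set: the automatic "Allow all on OpenVPN" group rule and a
# specific pass rule on the assigned interface for the web server (sample IPs).
GROUP_ALLOW_ALL = Rule("OpenVPN", "pass", "any", "any", None, "Allow all on OpenVPN")
OVPNC1_WEB = Rule("OVPNC1", "pass", "any", "192.168.10.20/32", 80, "Web server from remote site")


def before_fix() -> Tuple[Optional[Rule], bool]:
    # Group rule still present: it wins, so no reply-to and replies follow the default route.
    return evaluate([GROUP_ALLOW_ALL, OVPNC1_WEB], "203.0.113.5", "192.168.10.20", 80)


def after_fix() -> Tuple[Optional[Rule], bool]:
    # Group rule removed: the assigned-interface rule matches and reply-to is applied.
    return evaluate([OVPNC1_WEB], "203.0.113.5", "192.168.10.20", 80)
```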

                @viragomann said in Access Webserver on openvpn client (site-to-site):

                If there is a matching pass rule without a gateway stated and it's allowing access to the remote private IP it should work though.
                Policy routing should not be necessary here.

                I've checked the DNS using the diagnostic tool on the server endpoint and it does resolve to the remote private IP, but without policy routing pfSense doesn't seem to know to route the request through the CLIENT_VPNV4 gateway.

                @viragomann said in Access Webserver on openvpn client (site-to-site):

                So the response packets from the web server should be redirected back to the remote site. And access from the internet should already work.

                I agree that this is the missing piece in the puzzle, and I think it may possibly be due to my limited understanding of outbound NAT, although you did also mention previously that there are some special settings on the client side.

                My current outbound NAT rule has:

                Interface: SERVER_VPNV4
                Source: Client LAN Subnet
                NAT Address: SERVER_VPNV4 address
                Source Port, Destination, and Destination Port and NAT Port all as *

                viragomann @dbx, Jan 27, 2023, 2:42 PM

                  @dbx said in Access Webserver on openvpn client (site-to-site):

                  I've checked the DNS using the diagnostic tool on the server endpoint and it does resolve to the remote private IP

                  The point is what IP the browser is using.
                  That the DNS resolution is working sadly says nothing. If the browser uses DoH (DNS over HTTPS), it queries a public DNS server and doesn't care about your local DNS settings.

                  You can check this in the browser's debugging mode (F12) and look at which IP it is requesting.

                  You can also capture the traffic on pfSense on the client-facing interface. Enter the client's IP into the IP filter, state port "80|443" (means OR) and try to access the web server.
                  Then look at which IP it is requesting. But you will see some noise there.
                  However, you can search for the web server's private IP and the public IP.

                  @dbx said in Access Webserver on openvpn client (site-to-site):

                  you did also mention previously that there are some special settings on the client side.

                  The special settings I meant are the firewall rules: you have to ensure that a pass rule on the VPN interface (not the group) is applied to the forwarded traffic.

                  My current outbound NAT rule has:

                  Interface: SERVER_VPNV4
                  Source: Client LAN Subnet
                  NAT Address: SERVER_VPNV4 address
                  Source Port, Destination, and Destination Port and NAT Port all as *

                  This rule commonly makes no sense for a site-to-site VPN.
                  Such masquerading is needed when you configure a VPN client for a public VPN service.

                  In a site-to-site you route the traffic to the remote site by entering the remotes network in the VPN settings on both sites.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.