ubuntu server openvpn to netgate pfsense openvpn client
-
I installed openvpn server on ubuntu 22 and i exported the .ovpn file and imported that into pfsense. the connection is up and running but i can't access anything on the ubuntu server. all firewalls are open.
i came across this https://community.openvpn.net/openvpn/wiki/HOWTO#ExpandingthescopeoftheVPNtoincludeadditionalmachinesoneithertheclientorserversubnet
but i still can't get it working. can someone break it down for me in a more user friendly way so that i can do it properly?
i know i need to create client-config-dir ccd and the filename should be the common name of the cert (how do i know or find the common name, it was auto generated by the server script)
also can you give me the exact text that goes in that file. the ubuntu server is 10.8.0.1 and the remote location is 192.168.2.1
thank you
Ben -
@ariban99 said in ubuntu server openvpn to netgate pfsense openvpn client:
i know i need to create client-config-dir ccd and the filename should be the common name of the cert (how do i know or find the common name, it was auto generated by the server script)
If you don't care about which client device in your network is accessing the remote site you can circumvent this with an outbound NAT rule.
Do you need to access the ubuntu server only or also devices behind it?
If the latter, is it the default gateway in its local network? -
@viragomann the ubuntu server is a pbx in the cloud, i need my phones to connect to the server only. nothing else. only 10.8.0.1
i believe it is the default gateway in its local network.
what outbound nat rule should i apply? -
@ariban99
First assign an interface to the OpenVPN instance. Interfaces > Assignments. Select the corresponding Client instance (ovpncX) at "available network ports", hit Add, open the new interface, enable it and state a friendly name.
Then add the outbound NAT rule. Select the interface, which you've created above.
source: the subnet, where your phones reside
destination: any (for accessing the internet. Don't know)
translation: interface address (default)
Ensure to enable the hybrid mode on the outbound NAT settings.
-
@viragomann cool. i will try this. thank you
-
@viragomann i followed this, but i can't connect to 10.8.0.1
see attached screenshots -
@ariban99
This is the wrong translation address. Should be the respective interface address, so "PBXUBUNTU address" in this case. -
@viragomann like this?
if yes, it's still not working.
i logged into the server panel and it says
ip 45.56.162.217
gateway 45.56.162.1
netmask 255.255.255.0 -
@ariban99
Yes.
So you need only to access the server itself using its virtual IP 10.8.0.1 as I got you?
This should work with this NAT rule, presumed your pfSense is the default gateway in your local network.
Can you ping the server from pfSense Diagnostic > Ping?
If it works change the source to the LAN. Should work as well.
If so try to ping it from a LAN device. -
@viragomann i got it working the original way.
i create a file in CCD with the name of my common name for the certificate. in that file i put
iroute 192.168.1.0 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
ifconfig-push 10.8.0.0 255.255.255.0
then in the openvpn server conf file i added
route 192.168.1.0 255.255.255.0
and it works!
-
@ariban99
Edit:
If it works with the client file the outbound NAT rule doesn't work obviously. -
@viragomann
correct, only the server via 10.8.0.1. i do NOT need anything beyond the server (no other connected clients). yes, my pfsense is the default gateway.
i did not try ping, i just tried to access the GUI via chrome 10.8.0.1
somehow, by putting the CCD file and adding the server route 192..... it started working and my phones are now connected.
my question is, what is the best way to add 2 more remote locations? i know i need to add the extra CCD files. but for the server side, do i add a new line with the new remote lan subnets
route 192.168.2.0 255.255.255.0
route 192.168.3.0 255.255.255.0
or do i simply add it all in one line like in pfsense GUI as follows
route 192.168.1.0,192.168.2.0,192.168.3.0 255.255.255.0 -
@ariban99 any advice on the last questions. what do i put in the server conf file for multiple remote locations? in the GUI of pfsense, you put a , in between each subnet, how should i do that in ubuntu for pfsense
-
@ariban99
You need a separate route line for each remote subnet.
Also you need a client file for each client, which you want to access a network behind.
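
The layout the thread ends on (one `route` line per remote subnet in the server config, one CCD file per client named after its certificate common name), as an added example that is not part of any post above. The common names, the certificate path and the scratch directory are assumptions; the subnets are the ones from the question. `missing_iroutes` flags a server `route` that has no matching `iroute` in any CCD file.

```shell
#!/bin/sh
# Added example. SITES is constructed sample data, one site per line:
# "<certificate common name> <LAN network> <netmask>" (the CNs are hypothetical).
SITES='site1-pfsense 192.168.1.0 255.255.255.0
site2-pfsense 192.168.2.0 255.255.255.0
site3-pfsense 192.168.3.0 255.255.255.0'

# Print the common name of a client certificate; the CCD file must carry
# exactly this name. Needs openssl; the certificate path is up to you.
cert_cn() {
    openssl x509 -noout -subject -nameopt multiline -in "$1" |
        sed -n 's/^ *commonName *= //p'
}

# Write one CCD file per site into directory $1, holding that site's iroute.
write_ccd() {
    mkdir -p "$1"
    printf '%s\n' "$SITES" | while read -r cn net mask; do
        printf 'iroute %s %s\n' "$net" "$mask" > "$1/$cn"
    done
}

# Print the server.conf lines: one "route" per remote subnet, never a
# comma-separated list.
server_routes() {
    printf 'client-config-dir %s\n' "$1"
    printf '%s\n' "$SITES" | while read -r cn net mask; do
        printf 'route %s %s\n' "$net" "$mask"
    done
}

# List every "route" in server config $1 that has no matching "iroute" in
# CCD directory $2. Such a subnet reaches OpenVPN but is forwarded to no client.
missing_iroutes() {
    sed -n 's/^route  *//p' "$1" | while read -r net mask; do
        grep -qsxF "iroute $net $mask" "$2"/* || echo "$net $mask"
    done
}

# Demo in a scratch directory; nothing under /etc/openvpn is touched.
demo=$(mktemp -d)
write_ccd "$demo/ccd"
server_routes "$demo/ccd" > "$demo/server.conf"
cat "$demo/server.conf"
missing_iroutes "$demo/server.conf" "$demo/ccd"   # prints nothing: all covered
```

Run `cert_cn` against each client certificate to get the real names before replacing the sample ones in `SITES`.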