Netgate Discussion Forum

Ubuntu server OpenVPN to Netgate pfSense OpenVPN client

Category: OpenVPN
14 Posts 2 Posters 644 Views
    ariban99
    last edited by Oct 11, 2024, 1:42 PM

    I installed OpenVPN server on Ubuntu 22 and exported the .ovpn file and imported it into pfSense. The connection is up and running, but I can't access anything on the Ubuntu server. All firewalls are open.
    I came across this https://community.openvpn.net/openvpn/wiki/HOWTO#ExpandingthescopeoftheVPNtoincludeadditionalmachinesoneithertheclientorserversubnet
    but I still can't get it working. Can someone break it down for me in a more user-friendly way so that I can do it properly?
    I know I need to create the client-config-dir (ccd) and the filename should be the common name of the cert (how do I know or find the common name? It was auto-generated by the server script).
    Also, can you give me the exact text that goes in that file? The Ubuntu server is 10.8.0.1 and the remote location is 192.168.2.1.
    Thank you
    Ben

      viragomann @ariban99
      last edited by Oct 11, 2024, 3:53 PM

      @ariban99 said in Ubuntu server OpenVPN to Netgate pfSense OpenVPN client:

      I know I need to create the client-config-dir (ccd) and the filename should be the common name of the cert (how do I know or find the common name? It was auto-generated by the server script).

      If you don't care about which client device in your network is accessing the remote site, you can circumvent this with an outbound NAT rule.

      Do you need to access the Ubuntu server only, or also devices behind it?
      If the latter, is it the default gateway in its local network?

        ariban99 @viragomann
        last edited by Oct 13, 2024, 2:22 PM

        @viragomann The Ubuntu server is a PBX in the cloud. I need my phones to connect to the server only, nothing else, only 10.8.0.1.
        I believe it is the default gateway in its local network.
        What outbound NAT rule should I apply?

          viragomann @ariban99
          last edited by Oct 13, 2024, 2:32 PM

          @ariban99
          First assign an interface to the OpenVPN instance: Interfaces > Assignments. Select the corresponding client instance (ovpncX) under "Available network ports", hit Add, open the new interface, enable it and give it a friendly name.

          Then add the outbound NAT rule, selecting the interface you created above:
          source: the subnet where your phones reside
          destination: any (for accessing the internet. Don't know)
          translation: interface address (default)

          Ensure hybrid mode is enabled in the outbound NAT settings.

            ariban99 @viragomann
            last edited by Oct 13, 2024, 2:33 PM

            @viragomann Cool. I will try this. Thank you.

              ariban99 @viragomann
              last edited by Oct 13, 2024, 3:06 PM

              @viragomann I followed this, but I can't connect to 10.8.0.1.
              See attached screenshots: [Screenshot 2024-10-13 050918.png, Screenshot 2024-10-13 051008.png]

                viragomann @ariban99
                last edited by Oct 13, 2024, 3:11 PM

                @ariban99
                This is the wrong translation address. It should be the respective interface address, so "PBXUBUNTU address" in this case.

                  ariban99 @viragomann
                  last edited by Oct 13, 2024, 3:34 PM

                  @viragomann Like this? [Screenshot 2024-10-13 053300.png]
                  If yes, it's still not working.

                  I logged into the server panel and it says:
                  ip 45.56.162.217
                  gateway 45.56.162.1
                  netmask 255.255.255.0

                    viragomann @ariban99
                    last edited by Oct 13, 2024, 3:45 PM

                    @ariban99
                    Yes.

                    So you only need to access the server itself using its virtual IP 10.8.0.1, as I understood you?
                    This should work with this NAT rule, provided your pfSense is the default gateway in your local network.

                    Can you ping the server from pfSense Diagnostics > Ping?
                    If it works, change the source to the LAN. It should work as well.
                    If so, try to ping it from a LAN device.

                      ariban99 @viragomann
                      last edited by Oct 13, 2024, 3:52 PM

                      @viragomann I got it working the original way.

                      I created a file in the CCD with the name of my certificate's common name. In that file I put:

                      iroute 192.168.1.0 255.255.255.0
                      push "route 10.8.0.0 255.255.255.0"
                      ifconfig-push 10.8.0.0 255.255.255.0

                      Then in the OpenVPN server conf file I added:
                      route 192.168.1.0 255.255.255.0

                      and it works!

                        viragomann @ariban99
                        last edited by viragomann Oct 13, 2024, 4:02 PM (posted Oct 13, 2024, 3:57 PM)

                        @ariban99
                        Edit:
                        If it works with the client file, the outbound NAT rule obviously doesn't work.

                          ariban99 @viragomann
                          last edited by Oct 13, 2024, 4:06 PM

                          @viragomann
                          Correct, only the server via 10.8.0.1. I do NOT need anything beyond the server (no other connected clients). Yes, my pfSense is the default gateway.

                          I did not try ping; I just tried to access the GUI via Chrome at 10.8.0.1.

                          Somehow, by putting in the CCD file and adding the server route 192....., it started working and my phones are now connected.

                          My question is, what is the best way to add 2 more remote locations? I know I need to add the extra CCD files, but for the server side, do I add a new line for each of the new remote LAN subnets:
                          route 192.168.2.0 255.255.255.0
                          route 192.168.3.0 255.255.255.0

                          or do I simply add it all in one line like in the pfSense GUI, as follows:
                          route 192.168.1.0,192.168.2.0,192.168.3.0 255.255.255.0

                            ariban99 @ariban99
                            last edited by Oct 20, 2024, 5:09 PM

                            @ariban99 Any advice on the last questions? What do I put in the server conf file for multiple remote locations? In the pfSense GUI you put a , between each subnet; how should I do that in Ubuntu for pfSense?

                              viragomann @ariban99
                              last edited by Oct 20, 2024, 9:10 PM

                              @ariban99
                              You need a separate route line for each remote subnet.

                              Also, you need a client file for each client behind which you want to access a network.
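The multi-site answer above (one `route` line per remote subnet in server.conf, one CCD file per client named after its certificate CN containing the matching `iroute`) is easy to get out of step as sites are added. The following is an added example, not code from the thread, from Netgate or from the OpenVPN project: it generates both sides from a single site table and checks that every `iroute` has its server `route` and vice versa, which is the "tunnel is up but nothing is reachable" failure from the start of the thread. The certificate common names, the three site subnets and the `/etc/openvpn/ccd` path are assumptions for illustration; the CN of a real client can be read from its certificate with `openssl x509 -noout -subject -in client.crt`.

```python
# Added example (not from the thread, Netgate or OpenVPN): build the
# server-side "route" lines and the per-client CCD files for several
# remote pfSense sites, and check that the two stay consistent.
#
# Assumptions (none of these names appear in the thread): the certificate
# common names below are made up, the CCD directory is whatever
# client-config-dir points at (e.g. /etc/openvpn/ccd), and the VPN pool
# is 10.8.0.0/24 as in the thread.
import ipaddress
from pathlib import Path

VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")

# Constructed site table: client certificate CN -> LAN behind that client.
# The CN is the "CN =" part that "openssl x509 -noout -subject" shows.
SITES = {
    "pfsense-site1": "192.168.1.0/24",
    "pfsense-site2": "192.168.2.0/24",
    "pfsense-site3": "192.168.3.0/24",
}


def site_errors(sites):
    """Return a list of problems: a LAN overlapping the VPN pool, or two
    clients claiming overlapping LANs (the server could not tell which
    tunnel owns the prefix)."""
    errors, seen = [], {}
    for cn, cidr in sites.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if net.overlaps(VPN_SUBNET):
            errors.append(f"{cn}: {net} overlaps VPN pool {VPN_SUBNET}")
        for other_cn, other in seen.items():
            if net.overlaps(other):
                errors.append(f"{cn}: {net} overlaps {other_cn}'s {other}")
        seen[cn] = net
    return errors


def parse_sites(sites):
    """Validate the table and return CN -> ip_network, in table order."""
    errors = site_errors(sites)
    if errors:
        raise ValueError("; ".join(errors))
    return {cn: ipaddress.ip_network(cidr) for cn, cidr in sites.items()}


def server_route_lines(nets):
    """One 'route' line per remote LAN for server.conf. This makes the
    server kernel send that prefix into the tun device. OpenVPN has no
    comma-separated form; the comma list is a pfSense GUI convenience."""
    return [f"route {n.network_address} {n.netmask}" for n in nets.values()]


def ccd_file_contents(nets):
    """CN -> text of that client's CCD file. The file name must equal the
    CN; the iroute tells the OpenVPN process which connected client owns
    the LAN. The thread's push "route ..." and ifconfig-push lines are
    left out here: the route/iroute pair is what makes the remote LAN
    reachable from the server."""
    return {cn: f"iroute {n.network_address} {n.netmask}\n" for cn, n in nets.items()}


def write_ccd(ccd_dir, files):
    """Write one file per CN into ccd_dir; return the file names written."""
    ccd_dir = Path(ccd_dir)
    ccd_dir.mkdir(parents=True, exist_ok=True)
    for cn, text in files.items():
        (ccd_dir / cn).write_text(text)
    return sorted(p.name for p in ccd_dir.iterdir())


def routes_match_iroutes(route_lines, files):
    """True when every iroute has a matching server route and vice versa.
    A route without an iroute (or the reverse) is the classic 'tunnel is
    up but the remote LAN is unreachable' misconfiguration."""
    iroutes = {
        line.split(None, 1)[1]
        for text in files.values()
        for line in text.splitlines()
        if line.startswith("iroute ")
    }
    routes = {line.split(None, 1)[1] for line in route_lines}
    return iroutes == routes


if __name__ == "__main__":
    nets = parse_sites(SITES)
    routes = server_route_lines(nets)
    ccd = ccd_file_contents(nets)
    print("# add to server.conf:")
    print("\n".join(routes))
    for cn, text in ccd.items():
        print(f"# ccd/{cn}:\n{text}", end="")
    print("consistent:", routes_match_iroutes(routes, ccd))
```

Run it once per change to the site table, copy the printed `route` lines into server.conf, point `write_ccd` at the real client-config-dir, and restart the server; `routes_match_iroutes` is the check to keep, since a forgotten `route` line fails silently (the client connects, the server just never forwards anything into the tunnel for that LAN).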

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.