Can't access to Proxmox from outside (OpenVPN client)
-
Hi,
I am testing a configuration in Homelab environment using Proxmox PVE + OpenVPN + pfsense.
OpenVPN server is running fine on pfSense, client is connected, but I have an issue :
This working :
- external client can connect to VM on vlan50.
- external client can connect to WIFI AP on vlan444.
This NOT working :
- external client can't connect to Proxmox VE -> KO
Architecture :
Open VPN fw rules :
In brief, external Open VPN client can access to a physical device on vlan444, but not to pfsense VM on vlan444, despite acces rules.
I probably I missed something in configuration.
Could you please help me to find this ?Thank you.
-
@dvb said in Can't access to Proxmox from outside (OpenVPN client):
This NOT working :
external client can't connect to Proxmox VE -> KObut not to pfsense VM on vlan444
Proxmox or pfSense?
If it's Proxmox ensure that it uses pfSense as default gateway or masquerade the traffic to it.
-
@viragomann said in Can't access to Proxmox from outside (OpenVPN client):
Proxmox or pfSense?
Proxmox
@viragomann said in Can't access to Proxmox from outside (OpenVPN client):
If it's Proxmox ensure that it uses pfSense as default gateway or masquerade the traffic to it.
Sorry it's not enough clear to me.
This rule must authorize traffic from external client to Proxmox :
Here is gateway configuration from Proxmox :
Could you explain what I need to add ?
-
@dvb said in Can't access to Proxmox from outside (OpenVPN client):
Sorry it's not enough clear to me.
This rule must authorize traffic from external client to Proxmox :In fact, and I was not in doubt of that.
Here is gateway configuration from Proxmox :
Well, 172.16.10.254 is the gateway on Proxmox, but without knowing, which device is this IP assigned to this information is pretty useless.
Could you explain what I need to add ?
This depends on what you want to achieve. If the gateway is not pfSense and you want to keep this, then you can masquerade the traffic to Proxmox with an outbound NAT rule.
-
Here is an updated schematic with more informations :
I retried to connect theses 2 devices :
-
I checked OpenVPN rules
-
Rules are identicals, and devices are on the same vlan.
-
Proxmox uses pfSense as default gateway
-> OpenVPN client -> VM Proxmox (172.16.10.21) -> KO
-> OpenVPN client -> physical device (172.16.10.100) -> OKAt this point :
- I don't understand why traffic can reach 172.16.10.100, but not 172.16.10.21.
- Do you confirm it could be solved by adding a rule here ?
-
-
@dvb
So the only reason for this, I can think of, is that Proxmox itself blocks access from outside by it's own firewall.But yes, a masquerading (outbound NAT) rule can also circumvent such firewall restriction.
Enable the outbound NAT hybrid mode.
Add a rule:
interface: vlan444
source: 10.10.10.0/24 (OpenVPN tunnel network)
destination: 172.16.10.21 (Proxmox)
translation: vlan444 address -
@viragomann
It's working, thanks a lot !I've a few questions about this configuration.
-
Firewall / NAT / Outbound
I configured Destination with IP 172.16.10.21, but pfSense registered as network. It seems this setup is using only networks, no individual IP. -> No problem with that ?
Set-up :
Results :
-
Outbound vs OpenVPN
I summarize because it could help other users :
-
To access to a vlan or a device (except Proxmox)
-A single rule in OpenVPN make the job. -
To access to Proxmox server
-A first rule in OpenVPN
-A second rule in Outbound (to circumvent fw restriction).
-> Are you OK with this summary ?
-
-
@dvb said in Can't access to Proxmox from outside (OpenVPN client):
I configured Destination with IP 172.16.10.21, but pfSense registered as network. It seems this setup is using only networks, no individual IP. -> No problem with that ?
To limit the rule to a single IP, enter the IP with a /32 mask.
-
@viragomann said in Can't access to Proxmox from outside (OpenVPN client):
o limit the rule to a single IP, enter the IP with a /32 mask.
Effectively !
Thanks again for your support.
