• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Securing WLAN with OpenVPN

Scheduled Pinned Locked Moved OpenVPN
13 Posts 4 Posters 6.9k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • ?
    Guest
    last edited by Oct 22, 2006, 12:00 PM

    hi,
    i have a problem configuring openvpn to secure my wlan. i have pfsense rc3 installed on a soekris 4801. i also installed a wlan pci mini adapter so the soekris is acting as an access point.
    i want to secure the wlan using openvpn this time, because before switching to pfsense i secured it using ipsec and thought openvpn would save me some time. but my guess was wrong :)
    i have 1 wan connection with a static ip, one lan (192.168.23.0/24), and the wlan (10.0.23.0/24) interface.
    i have setup dhcp on the wlan interface. i also setup rules on the wlan interface to allow only the dhcp requests and the communication with the openvpn server.
    what i want to do should be not that hard. i want that the wlan clients recieve an address via dhcp, and the must connect using openvpn. ALL the traffic should go through the tunnel.
    dhcp works, and the connection to the openvpn server also. i am able to ping the pfsense box via the tunnel (but only the openvpn address), but thats it. i tried using push "redirect-gateway local def1", etc but that didn't change anything. i cannot reach any host in the wlan subnet nor any that is behind the wan interface, but i am able to ping hosts inside the lan. any ideas what i did wrong?
    kind regards,
    patrick

    1 Reply Last reply Reply Quote 0
    • H
      hoba
      last edited by Oct 22, 2006, 12:02 PM

      RC3 is no longer supported. Please reflash with 1.0-RELEASE.

      1 Reply Last reply Reply Quote 0
      • ?
        Guest
        last edited by Oct 22, 2006, 12:10 PM

        @hoba:

        RC3 is no longer supported. Please reflash with 1.0-RELEASE.

        oh i am sorry. must have forgotten the 1. this is the actual release i have installed:  1.0-RC3

        1 Reply Last reply Reply Quote 0
        • ?
          Guest
          last edited by Oct 22, 2006, 12:13 PM

          @pat:

          @hoba:

          RC3 is no longer supported. Please reflash with 1.0-RELEASE.

          oh i am sorry. must have forgotten the 1. this is the actual release i have installed:  1.0-RC3

          sorry again. im reflashing right now.

          1 Reply Last reply Reply Quote 0
          • ?
            Guest
            last edited by Oct 22, 2006, 12:35 PM

            @hoba:

            RC3 is no longer supported. Please reflash with 1.0-RELEASE.

            Ok i did reflash it. But it didn't change anything except there are no rules for tun0 anymore in pf.

            1 Reply Last reply Reply Quote 0
            • H
              hoba
              last edited by Oct 22, 2006, 12:54 PM

              Did you follow http://forum.pfsense.org/index.php/topic,2228.msg14399.html#msg14399 ?

              1 Reply Last reply Reply Quote 0
              • ?
                Guest
                last edited by Oct 22, 2006, 12:56 PM

                yes i did.

                1 Reply Last reply Reply Quote 0
                • D
                  dairaen
                  last edited by Oct 22, 2006, 12:59 PM

                  please show me "netstat -r" on a roadwarrior and a LAN server.

                  did you change the gateway of your LAN servers so that they use
                  pfsense?

                  1 Reply Last reply Reply Quote 0
                  • ?
                    Guest
                    last edited by Oct 22, 2006, 1:06 PM

                    @dairaen:

                    please show me "netstat -r" on a roadwarrior and a LAN server.

                    did you change the gateway of your LAN servers so that they use
                    pfsense?

                    ok, this is netstat on the pfsense box :
                    Routing tables

                    Internet:
                    Destination        Gateway            Flags    Refs      Use  Netif Expire
                    default            XXX.XX.XXX.XX    UGS        0    4524  sis1
                    10.0.23/24        link#4            UC          0        0  ath0
                    10.0.23.148        00:18:de:02:88:d3  UHLW        1      95  ath0  1191
                    10.0.23.151        00:07:ba:a3:78:52  UHLW        1    1605  ath0    296
                    10.0.24/24        10.0.24.2          UGS        0        0  tun0
                    10.0.24.2          10.0.24.1          UH          1        0  tun0
                    127.0.0.1          127.0.0.1          UH          0      46    lo0
                    XXX.XX.XXX/24      link#2            UC          0        0  sis1
                    192.168.23        link#1            UC          0        0  sis0
                    192.168.23.1      00:0d:87:18:89:fd  UHLW        1      180  sis0    616
                    192.168.23.146    00:16:d3:25:8a:f9  UHLW        1    13237  sis0    752

                    this is from the roadwarrior :
                    snitch[~]-> netstat -nr
                    Kernel IP Routentabelle
                    Ziel            Router          Genmask        Flags  MSS Fenster irtt Iface
                    10.0.24.1      10.0.24.5      255.255.255.255 UGH      0 0          0 tun0
                    10.0.24.5      0.0.0.0        255.255.255.255 UH        0 0          0 tun0
                    10.0.23.0      0.0.0.0        255.255.255.0  U        0 0          0 eth1
                    127.0.0.0      0.0.0.0        255.0.0.0      U        0 0          0 lo
                    0.0.0.0        10.0.24.5      128.0.0.0      UG        0 0          0 tun0
                    128.0.0.0      10.0.24.5      128.0.0.0      UG        0 0          0 tun0
                    0.0.0.0        10.0.23.254    0.0.0.0        UG        0 0          0 eth1

                    1 Reply Last reply Reply Quote 0
                    • D
                      dairaen
                      last edited by Oct 22, 2006, 1:56 PM

                      …but i am able to ping hosts inside the lan.

                      hmm… just that i get you right, you are able to ping the LAN servers
                      inside your "office" after you connected the tunnel? If thats the case
                      everything worked as supposed, there's no ovpn problem then i suppose.

                      i cannot reach any host in the wlan subnet nor any that is behind the wan interface

                      What do you mean, are there any servers behind your pfsense WAN that
                      you want to be able to reach as road warrior? Can you ping these hosts from
                      you LAN?

                      Please show your network setup from LAN to ISP and where these servers
                      are you want to reach if not inside your office LAN, at the moment i am unsure
                      what exactly your problem is.

                      1 Reply Last reply Reply Quote 0
                      • ?
                        Guest
                        last edited by Oct 22, 2006, 2:34 PM

                        ok i will try to clarify the situation. sorry if that was a  bit messed up.

                        
                                   LAN           -------------            WAN
                           -------------------  | pfsense box |  ----------------------
                                                 _____________
                        
                                                    |   |
                                                    |   |
                                            WLAN    |   | (OpenVPN Tunnel)
                                                    |   |
                                                    |   |
                        
                                                WLAN Client
                        
                        

                        i want to secure my wlan not only by using wpa/wep, instead i want to use openvpn. the vpn tunnel should be established between the wlan client and the pfsense box. i assign addresses via dhcp on the lan and wlan interface. now the problem is that i want that all the traffic should go through the tunnel. if i establish the tunnel i can ping both endpoints and the lan address of the pf box and a host inside the lan. but i cannot reach the interface address of the wlan interface, and as a result of this i cannot resolve names for example. also i cannot ping hosts in the internet.

                        1 Reply Last reply Reply Quote 0
                        • D
                          dairaen
                          last edited by Oct 22, 2006, 9:07 PM

                          hmm… i have no experience with wireless access points, but i think what you
                          are trying to do will not work with ovpn. You want to connect to pfsense
                          over your wireless connection and using ovpn, so you will be given
                          access to your LAN. If you want to reach the internet now, i think the
                          only way will be to "remote desktop" or ssh to an internal box in your
                          LAN and connect from there on.

                          But i am not sure with that, i have no wlan to test this, maybe someone
                          else can.

                          1 Reply Last reply Reply Quote 0
                          • T
                            tdickson
                            last edited by Nov 20, 2006, 10:41 PM

                            If I'm understanding what you want….

                            On your WLAN... only create a rule to allow the OVPN connection.
                            Then you'll push DNS,WINS, and GATEWAY via OVPN
                            also add a push route to your LAN, if you want a connection there.

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                              This community forum collects and processes your personal information.
                              consent.not_received