Securing WLAN with OpenVPN



  • hi,
    i have a problem configuring openvpn to secure my wlan. i have pfsense rc3 installed on a soekris 4801. i also installed a wlan pci mini adapter so the soekris is acting as an access point.
    i want to secure the wlan using openvpn this time, because before switching to pfsense i secured it using ipsec and thought openvpn would save me some time. but my guess was wrong :)
    i have 1 wan connection with a static ip, one lan (192.168.23.0/24), and the wlan (10.0.23.0/24) interface.
    i have setup dhcp on the wlan interface. i also setup rules on the wlan interface to allow only the dhcp requests and the communication with the openvpn server.
what i want to do should be not that hard. i want the wlan clients to receive an address via dhcp, and they must connect using openvpn. ALL the traffic should go through the tunnel.
    dhcp works, and the connection to the openvpn server also. i am able to ping the pfsense box via the tunnel (but only the openvpn address), but that's it. i tried using push "redirect-gateway local def1", etc. but that didn't change anything. i cannot reach any host in the wlan subnet nor any that is behind the wan interface, but i am able to ping hosts inside the lan. any ideas what i did wrong?
    kind regards,
    patrick



  • RC3 is no longer supported. Please reflash with 1.0-RELEASE.



  • @hoba:

    RC3 is no longer supported. Please reflash with 1.0-RELEASE.

oh i am sorry. must have forgotten the 1. this is the actual release i have installed: 1.0-RC3



  • @pat:

    @hoba:

    RC3 is no longer supported. Please reflash with 1.0-RELEASE.

oh i am sorry. must have forgotten the 1. this is the actual release i have installed: 1.0-RC3

sorry again. i'm reflashing right now.



  • @hoba:

    RC3 is no longer supported. Please reflash with 1.0-RELEASE.

Ok i did reflash it. But it didn't change anything, except that there are no rules for tun0 anymore in pf.





  • yes i did.



  • please show me "netstat -r" on a roadwarrior and a LAN server.

    did you change the gateway of your LAN servers so that they use
    pfsense?



  • @dairaen:

    please show me "netstat -r" on a roadwarrior and a LAN server.

    did you change the gateway of your LAN servers so that they use
    pfsense?

    ok, this is netstat on the pfsense box :
    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            XXX.XX.XXX.XX    UGS        0    4524  sis1
    10.0.23/24        link#4            UC          0        0  ath0
    10.0.23.148        00:18:de:02:88:d3  UHLW        1      95  ath0  1191
    10.0.23.151        00:07:ba:a3:78:52  UHLW        1    1605  ath0    296
    10.0.24/24        10.0.24.2          UGS        0        0  tun0
    10.0.24.2          10.0.24.1          UH          1        0  tun0
    127.0.0.1          127.0.0.1          UH          0      46    lo0
    XXX.XX.XXX/24      link#2            UC          0        0  sis1
    192.168.23        link#1            UC          0        0  sis0
    192.168.23.1      00:0d:87:18:89:fd  UHLW        1      180  sis0    616
    192.168.23.146    00:16:d3:25:8a:f9  UHLW        1    13237  sis0    752

    this is from the roadwarrior :
    snitch[~]-> netstat -nr
    Kernel IP Routentabelle
    Ziel            Router          Genmask        Flags  MSS Fenster irtt Iface
    10.0.24.1      10.0.24.5      255.255.255.255 UGH      0 0          0 tun0
    10.0.24.5      0.0.0.0        255.255.255.255 UH        0 0          0 tun0
    10.0.23.0      0.0.0.0        255.255.255.0  U        0 0          0 eth1
    127.0.0.0      0.0.0.0        255.0.0.0      U        0 0          0 lo
    0.0.0.0        10.0.24.5      128.0.0.0      UG        0 0          0 tun0
    128.0.0.0      10.0.24.5      128.0.0.0      UG        0 0          0 tun0
    0.0.0.0        10.0.23.254    0.0.0.0        UG        0 0          0 eth1



  • …but i am able to ping hosts inside the lan.

hmm… just so i get you right, you are able to ping the LAN servers
    inside your "office" after you connected the tunnel? If that's the case
    everything worked as supposed, there's no ovpn problem then i suppose.

    i cannot reach any host in the wlan subnet nor any that is behind the wan interface

What do you mean, are there any servers behind your pfsense WAN that
    you want to be able to reach as road warrior? Can you ping these hosts from
    your LAN?

    Please show your network setup from LAN to ISP and where these servers
    are that you want to reach if not inside your office LAN; at the moment i am unsure
    what exactly your problem is.



ok i will try to clarify the situation. sorry if that was a bit messed up.

    
               LAN           -------------            WAN
       -------------------  | pfsense box |  ----------------------
                             _____________
    
                                |   |
                                |   |
                        WLAN    |   | (OpenVPN Tunnel)
                                |   |
                                |   |
    
                            WLAN Client
    
    

i want to secure my wlan not only by using wpa/wep, instead i want to use openvpn. the vpn tunnel should be established between the wlan client and the pfsense box. i assign addresses via dhcp on the lan and wlan interface. now the problem is that i want all the traffic to go through the tunnel. if i establish the tunnel i can ping both endpoints, the lan address of the pf box and a host inside the lan. but i cannot reach the interface address of the wlan interface, and as a result of this i cannot resolve names, for example. also i cannot ping hosts in the internet.



  • hmm… i have no experience with wireless access points, but i think what you
    are trying to do will not work with ovpn. You want to connect to pfsense
    over your wireless connection and using ovpn, so you will be given
    access to your LAN. If you want to reach the internet now, i think the
    only way will be to "remote desktop" or ssh to an internal box in your
    LAN and connect from there on.

    But i am not sure with that, i have no wlan to test this, maybe someone
    else can.



  • If I'm understanding what you want….

On your WLAN... only create a rule to allow the OVPN connection.
    Then you'll push DNS, WINS, and GATEWAY via OVPN;
    also add a push route to your LAN, if you want a connection there.
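The server-side configuration that the last reply describes, written out as an added example (it is not configuration from the thread or from the pfSense project). The tunnel subnet 10.0.24.0/24 and the LAN 192.168.23.0/24 are taken from the route tables posted above; the UDP port and the choice of the server's tunnel address as the resolver handed to clients are assumptions. The two 0.0.0.0/1 and 128.0.0.0/1 routes in the roadwarrior table are exactly what `redirect-gateway def1` installs.

```conf
# OpenVPN server configuration for the pfsense box (added example, not
# from the thread; port and DNS/WINS address are assumptions, the
# subnets come from the route tables posted in this thread)
dev tun
proto udp
port 1194                        # assumed: the only port the WLAN rule allows in
server 10.0.24.0 255.255.255.0   # tunnel subnet seen on tun0 above
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

# 1. GATEWAY: send ALL client traffic through the tunnel. def1 adds
#    0.0.0.0/1 and 128.0.0.0/1 via the tunnel instead of replacing the
#    default route, which is what the roadwarrior netstat output shows.
push "redirect-gateway def1"

# 2. DNS/WINS: clients can only reach the tunnel endpoint, so the resolver
#    they are given must be reachable through tun0. Assumed here: the DNS
#    forwarder listening on the server's tunnel address. WINS is only
#    relevant for Windows clients.
push "dhcp-option DNS 10.0.24.1"
push "dhcp-option WINS 10.0.24.1"

# 3. explicit route to the office LAN behind pfsense
push "route 192.168.23.0 255.255.255.0"

keepalive 10 120
persist-key
persist-tun
```

Two things outside this file decide whether the redirected traffic actually goes anywhere: the firewall must have pass rules on the tunnel interface (the poster noted that the reflash left no tun0 rules), and the WAN needs outbound NAT for 10.0.24.0/24, otherwise packets leave with an unrouted tunnel source address and replies never come back. The WLAN interface itself should keep only the DHCP rule and a rule for UDP port 1194 to its own address, so unencrypted wireless traffic has no path past the access point.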

