Openvpn with captive portal



  • I've got a pfSense 1.2.3 box set up as a client to a pfSense 2.0 server.  I've enabled captive portal on the client router so that I can use MAC filtering on the LAN segment to keep people from plugging in random devices in the remote location.

    With captive portal enabled I am unable to access any clients on the client LAN subnet from the corporate network through the VPN.  Once I disable captive portal I can access all clients as expected.

    Is this possible?  Can I use captive portal with OpenVPN?

    thanks

    -andy



  • Seems I had to add the tun0 interface as an interface and add an allow-all rule, and things started working with captive portal enabled.  Couldn't muck with the interface name or the VPN stopped connecting until I removed and re-added the interface.  Am I asking for trouble doing this?  Any other issues that might come up from this configuration that anyone can think of?

    thanks!


  • Rebel Alliance Developer Netgate

    You may just want to hardwire the OpenVPN interface name before you settle on this. In the OpenVPN config, just put in "dev tun99;" or something similar, that way it won't change dynamically.

    CP prevents clients from accessing anything (and anything from accessing them) without authenticating first from the portal. Coming in across the VPN is no different than any other path. You may be able to put in an IP and/or MAC bypass for a device you need to access.



  • @jimp:

    You may just want to hardwire the OpenVPN interface name before you settle on this. In the OpenVPN config, just put in "dev tun99;" or something similar, that way it won't change dynamically.

    CP prevents clients from accessing anything (and anything from accessing them) without authenticating first from the portal. Coming in across the VPN is no different than any other path. You may be able to put in an IP and/or MAC bypass for a device you need to access.

    Ok, I added the dev tun0 to the client config since that's the interface I had added there before. Thanks for the tip there!

    I had the client added to the MAC bypass, but CP would never allow access to the client network across the VPN until I added the interface and added an allow rule.  I could freely ping back to corp from the client network without any trouble, though, so the MAC bypass appeared to be working fine.


  • Rebel Alliance Developer Netgate

    Ok. My only additional advice would be to use a different number besides tun0. Use a higher number as I suggested, e.g. tun99, tun30, etc.

    Otherwise, if you add another OpenVPN instance (client or server) in the future, it could get tun0 by chance and this instance would be on another number (or not start at all).

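As an added illustration of jimp's advice in both of his replies above (pin the tun name, and pick a high unit number so a later instance can't grab it), here is what the client side looks like as a stand-alone OpenVPN client config file. This is not from the original thread or from pfSense itself: the server address, certificate paths and the unit number 99 are placeholders. On pfSense the same `dev tun99` line is what goes into the client's custom options box; the interface assignment, the allow rule and the captive portal MAC/IP bypass discussed in the thread still live in the GUI, not in this file.

```conf
# Added example: OpenVPN client config for the remote pfSense box.
# Not from the original thread; remote host, cert paths and the
# tun unit number are assumptions chosen for illustration.

client
proto udp
remote vpn.example.com 1194        # assumed server address

# Weak setting: a bare "dev tun" lets OpenVPN take the first free
# tunX at startup. If another client or server instance starts
# first, this link comes up as tun1, and the pfSense interface
# assignment, firewall rules and any bypass tied to tun0 silently
# stop matching this tunnel (or the instance fails to start).
#dev tun

# Pinned setting: a fixed, high unit number that no other instance
# is likely to be handed dynamically, so the assigned interface and
# its rules keep pointing at this tunnel across restarts and after
# more OpenVPN instances are added.
dev tun99

ca   /var/etc/openvpn/client1.ca    # assumed paths
cert /var/etc/openvpn/client1.cert
key  /var/etc/openvpn/client1.key

persist-key
persist-tun
keepalive 10 60
verb 3
```

If you change the unit number after the interface has already been assigned in pfSense, expect the same behaviour the thread describes: the assignment follows the old name, so remove and re-add the interface (and re-check its rules) after the change.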


  • Ok, I have fixed that up as well.  Thanks for all your help!

