Netgate Discussion Forum
    HOWTO Road Warrior to remote Subnet on LAN

    OpenVPN | 12 Posts, 4 Posters, 4.7k Views
    Guest

      Hi there, I've configured OpenVPN for road warriors and it is working perfectly to access any host in the LAN segment. Now my problem is how to access a remote subnet located at the corporate network.

      As shown in the attached diagram, the road warriors have an IP assigned by PFsense OpenVPN, 10.0.8.x; they can browse any IP on the LAN segment 172.27.110.0/24 but can't access any service located on the remote corporate network 192.168.100.x or 10.200.0.100.

      I've added some push commands as follows:
      push "route 172.27.110.0 255.255.254.0";
      push "route 192.168.100.0 255.255.255.0";
      push "route 10.200.0.0 255.255.255.0";
      push "route 172.27.101.0 255.255.255.0";

      I have a limitation: I can't make any modification to the corporate network, servers or firewall.

      So what can I do?

      Thanks for your help, Regards
      Alfredo
      [attachment: OpenVPN_Diagram.png]

      rwebb616

        What is the lan user's default gateway set to and how do they access the corporate network?  Do they have static routes?

        -Rich

        Guest

          The LAN users' default gateway is the Corporate FW 172.27.110.1, and I can't change it. I already have an IPCOP+OpenVPN setup doing this without any problem; the configuration was made about two years ago, but I don't have all the details on how it was done.

          Cry Havok

            If it works with IPCop then it suggests you haven't fully copied the configuration. You need to compare the client and server configurations, and the routes for the VPN servers, and see what is different.

            Guest

              I'm sure I didn't copy everything, but I don't know what's missing; my knowledge of Linux or FreeBSD is very limited.

              I guess I have to do some kind of NAT or bridging from the OpenVPN clients' subnet (10.0.8.x) to the LAN (172.27.110.x), so they look like local users to the corp network firewall, but I'm not sure how to do this.

              So if somebody has a suggestion, I'll appreciate it very much.

              Cry Havok

                With 2.0 (still in pre-release form) that happens automatically ISTR. With 1.2.3 you have to manually configure the NAT - a search of the forum should provide details.

                Guest

                  Thanks for your comments. I'm working with the latest 2.0 RC1, so is NAT automatic, or do I have to set something?

                  What IP do the remote servers at the corporate network see? The PFsense LAN IP?

                  regards
                  Alfredo

                  Cry Havok

                    You probably want to search the forum ;)

                    I've not used OpenVPN with pfSense 2.0 so I can only go by what others have posted.

                    jimp (Rebel Alliance Developer, Netgate)

                      The kind of NAT you need is not automatic. You need to be on manual outbound NAT and have an outbound NAT rule on LAN that matches traffic from the OpenVPN client subnet, to the "corporate" subnet(s), that gets NAT applied in some way. You can simply NAT to the Interface address if you want, then it would appear to come from the firewall's IP on that segment, or you could add a proxy ARP or CARP VIP and use that.

                      Guest

                        Thanks JIMP, I've looked everywhere in the forum, and I didn't find anything useful. So I'm trying to follow your instructions, and did the following:

                        1.- Create a virtual IP (172.27.110.156)
                        2.- Assign outbound NAT for network 10.0.8.0/24 to LAN IP 172.27.110.156

                        So I guess users on the VPN subnet 10.0.8.x will show 172.27.110.156 to LAN or corporate devices, or am I wrong?

                        Config as shown in the next pictures; please tell me if I'm OK or what's wrong.

                        [attachments: VPN_Subnet.png, VPN_LAN_IP_NAT.png, OutBound_NAT_VPN_to_LANIP.png]

                          jimp (Rebel Alliance Developer, Netgate)

                          Yes, OpenVPN client traffic leaving LAN will appear to come from 172.27.110.156 to things on (or beyond) LAN.

                          You may not want that for traffic to LAN IPs, so you may want to adjust the rule so the NAT doesn't get applied when going to the LAN subnet, only to other subnets.

                            Guest
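The outbound NAT rule jimp describes in his two replies, written out as a pf rule fragment for the addresses used in this thread. This is an added illustration, not pfSense's generated config or anything posted by the participants; the LAN interface name em1 and the assumption that 172.27.110.156 is a proxy ARP or CARP VIP on LAN are mine.

```pf
# Assumed: em1 is the pfSense LAN interface (172.27.110.0/24) and
# 172.27.110.156 is a proxy ARP or CARP VIP configured on that interface.
lan_if      = "em1"
vpn_clients = "10.0.8.0/24"
lan_net     = "172.27.110.0/24"
corp_nets   = "{ 192.168.100.0/24, 10.200.0.0/24, 172.27.101.0/24 }"
vip         = "172.27.110.156"

# Too broad: this also rewrites VPN traffic to LAN hosts, so LAN logs and
# per-host firewall rules see 172.27.110.156 instead of the real 10.0.8.x client.
# nat on $lan_if inet from $vpn_clients to any -> $vip

# Scoped as suggested: translate only when the destination is beyond LAN
# (the corporate subnets); VPN-to-LAN traffic keeps its 10.0.8.x source.
nat on $lan_if inet from $vpn_clients to $corp_nets -> $vip

# Equivalent exclusion form if you'd rather NAT everything except LAN itself:
# nat on $lan_if inet from $vpn_clients to ! $lan_net -> $vip
```

The VIP has to live on the LAN interface so that replies the corporate gateway sends to 172.27.110.156 are answered by pfSense; without the translation, that gateway has no route back to 10.0.8.0/24, which is why the un-NATed traffic never returned.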

                            I've just tested using a 3G modem and it works perfectly; I can reach any service available to LAN users from OpenVPN users.

                            Thanks for your help
