2.0RC2 + OpenVPN + port-share
-
Hi Everyone,
Installed v2.0 RC2 recently, the upgrade process went fairly smooth. More on the upgrade in a separate post.
I'd like to migrate my standalone openvpn server to pfSense since in v2.0 there's really cool user management / cert management features.. However, I'm having an issue with setting up the port-sharing feature openvpn has. My specific requirement is to run openvpn on 443 (HTTPS) and share this port with an SSL webserver (I only have one static IP). Here's the server config as per /var/etc/openvpn/server2.conf:
# more server2.conf
dev ovpns2
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
# TCP is required for port-share; the server listens on tcp/443 (see lport below)
proto tcp-server
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local <my public ip>
engine cryptodev
tls-server
server 10.0.50.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server2.php via-env
lport 443
management /var/etc/openvpn/server2.sock unix
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DOMAIN mydomain"
push "dhcp-option DNS mydns"
push "dhcp-option DNS mydns"
push "dhcp-option NTP myntp"
client-to-client
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo
# hand any non-OpenVPN connection on this port to the SSL web server
port-share ssl.web.server 443
Anyone get port sharing to work with openvpn in pfSense 2.0?
-
Does it not work if you put that statement into the custom options box?
-
No it does not. I actually put the port-share line into the custom box when setting up the openvpn server on pfSense. I see openvpn confirming it's getting non-openvpn traffic on the port (i.e. an SSL HTTP request that should be redirected to my HTTP server), but it doesn't seem to be doing anything with the request. Aside from setting up the openvpn server, I have not enabled any other specific rules relating to the port-share option. In my particular case, everything is NAT-ed. So openvpn should be redirecting to a server through the LAN interface on port 443. I have a "from any to any on any" rule defined on the LAN interface. Not sure what else I can be missing..
Prior to this feature being available, I have my VPN server running as a CentOS VPN, where I'm NATting 443 to that box. Works flawlessly redirecting HTTPS traffic if required. The NAT rule pertaining to that was disabled when I attempted openvpn setup within pfSense; the firewall/filter rule allowing https inbound was enabled.
I would really like to get this feature going, as it's much easier managing certs, clients and configs through the gui vs. CLI.
Thanks for your help. v2.0 is turning out to be one hell of a firewall. Great job!
-
Shouldn't be anything needed aside from the firewall rule passing that traffic into tcp/443 where OpenVPN is listening.
From the sound of it, OpenVPN would in effect be proxying that traffic through. No extra rules should be needed for that.
It's possible the feature is something that only works on Linux, too, we have encountered that with OpenVPN before.
You could try a packet capture on the LAN side to see if the traffic is being handed off to the server at all.
-
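To make the "OpenVPN is proxying the traffic through" point above concrete, here is an added example (not code from the thread, pfSense or OpenVPN) that models the decision port-share makes on the first bytes of each new TCP connection: an OpenVPN client always opens with a hard-reset control packet, and anything else (a browser's TLS ClientHello, plain HTTP) is handed to the port-share host. The opcode values and TCP framing are my reading of the OpenVPN protocol and are marked as assumptions in the code; the sample payloads are constructed. Running `classify()` over the first segment payload of a capture taken on the LAN side, as suggested above, tells you which connections OpenVPN should have forwarded.

```python
"""Model of the first-packet classification behind OpenVPN's port-share.

Added example, not OpenVPN's or pfSense's own code. Opcode values and
framing are assumptions taken from my reading of the OpenVPN protocol:
over TCP every packet is prefixed with a 2-byte big-endian length, and
the first byte of the packet is (opcode << 3) | key_id.
"""
import struct

P_CONTROL_HARD_RESET_CLIENT_V2 = 7    # assumption: OpenVPN 2.x opcode
P_CONTROL_HARD_RESET_CLIENT_V3 = 10   # assumption: tls-crypt-v2 variant
P_OPCODE_SHIFT = 3
# opcode byte with key_id 0 is the only thing a fresh client can send first;
# the byte stays first even with tls-auth, whose HMAC follows the session id
HARD_RESET_FIRST_BYTES = {
    P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT,   # 0x38
    P_CONTROL_HARD_RESET_CLIENT_V3 << P_OPCODE_SHIFT,   # 0x50
}
# smallest plausible hard-reset body: opcode + 8-byte session id +
# ack-array length + 4-byte packet id (my sanity check, not OpenVPN's)
MIN_HARD_RESET_LEN = 1 + 8 + 1 + 4


def classify(first_bytes: bytes) -> str:
    """Return 'openvpn', 'port-share' or 'need-more-data' for a connection's
    first TCP payload bytes."""
    if len(first_bytes) < 3:
        return "need-more-data"
    plen = struct.unpack("!H", first_bytes[:2])[0]
    if first_bytes[2] in HARD_RESET_FIRST_BYTES and plen >= MIN_HARD_RESET_LEN:
        return "openvpn"
    # anything else (TLS record header 0x16 0x03 ..., "GET ...") goes to the
    # host named in `port-share host port`
    return "port-share"


def openvpn_hard_reset_v2(session_id: bytes = b"\x11" * 8, packet_id: int = 0) -> bytes:
    """Constructed first TCP segment of an OpenVPN client without tls-auth."""
    body = (bytes([P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT])
            + session_id + b"\x00" + struct.pack("!I", packet_id))
    return struct.pack("!H", len(body)) + body


def tls_client_hello() -> bytes:
    """Constructed TLS 1.x record header plus a truncated ClientHello, i.e.
    what a browser sends to https://host/ before anything else."""
    handshake = b"\x01" + b"\x00\x00\x26" + b"\x03\x03" + b"\x00" * 32
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# constructed "captures": first payload bytes of three inbound connections
SAMPLES = {
    "vpn client": openvpn_hard_reset_v2(),
    "browser https": tls_client_hello(),
    "plain http probe": b"GET / HTTP/1.1\r\nHost: ssl.web.server\r\n\r\n",
}


def report(samples=SAMPLES) -> dict:
    """Classify every sample and return {label: decision}."""
    return {label: classify(payload) for label, payload in samples.items()}


if __name__ == "__main__":
    for label, decision in report().items():
        print(f"{label:18s} -> {decision}")
```

The classification needs at least the first three bytes, which is why port-share only works with `proto tcp-server`: with UDP there is no connection to peek at and hand off.
-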
Have you tried putting an IP instead of a DNS hostname in the config?
port-share ssl.web.server 443
-
It worked fine for me. For a test I stuck one pfSense VM behind another, set up OpenVPN on 1194 (tcp) on the one in front, stuck the port share line in there pointing to the target on 443, and then in my browser went to https://out.side.ip.addr:1194/ and it gave me the GUI of the inside router.
-
Possibly this guy is running 2 services on the same port which is not meant by port-sharing :)
-
Hi Everyone,
Thanks for your suggestions. I ended up re-installing RC1 64-bit due to other factors, and tried the port-share option using an explicit IP address vs. DNS name – it now works.
Thanks again for your help.
-
I added a little doc about that handy feature here:
http://doc.pfsense.org/index.php/Sharing_a_Port_with_OpenVPN_and_a_Web_Server
-
That's awesome. Good write up. In my case, it wasn't "just" a web server. I needed to share 443 with openvpn and HTTPS for OWA and ActiveSync/Autodiscover on my Exchange box. Works like a charm. But the key here is to use an IP address vs. hostname/FQDN of the port-share host.
another quick Q – about authentication this time.. LDAP authentication not supported in Remote Access Mode (openvpn) using TLS and User Auth.. Only local database on RC1? Curious if this is on the roadmap in the not too distant future.
Thanks!
-
It's been fixed in current snapshots.