PfSense as OpenVPN Server behind another firewall



  • Hi all,

    I've placed an old PC-Engines WRAP at a friend's network. He's using another firewall, so pfSense has firewalling and NAT disabled. I also disabled the WAN interface…

    The port forwardings on his firewall are working fine and OpenVPN gets connected; additionally SSH is forwarded so I can always access the WRAP.

    BUT: I can only ping my WRAP but not his network

    Here's how it's setup:

    MacBook (Viscosity) {LAN -> 10.10.10.0/24} - INET {OpenVPN 10.8.0.0/24} - Firewall - WRAP (pfSense 2.0.1) {192.168.10.0/24}

    Server Config on WRAP:

    
    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp-server
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.10.199
    tls-server
    server 10.8.0.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 3
    push "route 192.168.10.0 255.255.255.0"
    client-to-client
    duplicate-cn
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    comp-lzo
    persist-remote-ip
    float
    
    

    Viscosity Client Config from "Client Export":

    
    #-- Config Auto Generated By Viscosity --#
    
    #viscosity startonopen false
    #viscosity dhcp true
    #viscosity dnssupport true
    #viscosity name Any Name
    remote any-name.dyndns.org 1194 tcp-client
    pull
    tls-client
    tls-auth ta.key 1
    persist-key
    ca ca.crt
    dev tun
    persist-tun
    cert cert.crt
    comp-lzo adaptive
    key key.key
    cipher AES-128-CBC
    tls-remote openvpn.any-name.local
    resolv-retry infinite
    
    

    Here's the output of "netstat -r"

    
    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            firewall           UGS         0    19385   sis0
    10.8.0.0           10.8.0.2           UGS         0       81 ovpns1
    10.8.0.1           link#8             UHS         0        0    lo0
    10.8.0.2           link#8             UH          0        0 ovpns1
    localhost          link#5             UH          0     3325    lo0
    192.168.10.0       link#1             U           0     9680   sis0
    openvpn            link#1             UHS         0        0    lo0
    
    

    Do I need to add a route? But the dialog for adding one needs a gateway, and the only gateway available is his firewall… So I expect I'd need to add the WRAP itself as a gateway before adding a route... I'm puzzled!

    Greetz
    Mircsicz



  • The clients on his LAN 192.168.10.0/24 will be using his "real" firewall router as their gateway. So they do not know about the "special" route to your OpenVPN 10.8.0.0/24 through pfSense 192.168.10.199
    a) On the friend's "real" router, add a static route for 10.8.0.0/24 through 192.168.10.199, or;
    b) On each device you care about in 192.168.10.0/24, add a static route.
    Then those things will know how to reply to you.



  • Hi Phil,

    Sorry I did not make clear that I can't Ping from the MacBook to his LAN…

    Greetz
    Mircsicz



  • The ping from your MacBook to his LAN probably arrives at the destination. But the destination does have a route back to your MacBook, so the reply to the ping never comes. Stuff on his LAN has to be told that the pfSense router exists on that LAN and is the way (back) to the VPN link and MacBook client.
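The two replies above describe the same asymmetric-routing problem: the ping reaches the LAN host via pfSense, but the host's reply follows its default route to the front-end firewall, which has no route into 10.8.0.0/24. The following is an added example (not code from the thread or from pfSense) that models the three routing tables involved and traces the reply hop by hop, so the failure and both fixes (option a: static route on the front-end firewall; option b: static route on the LAN host) can be seen without touching a real network. The pfSense table follows the "netstat -r" output in the thread; the front-end firewall address 192.168.10.1, the LAN host 192.168.10.50 and the MacBook tunnel address 10.8.0.6 are constructed assumptions.

```python
import ipaddress

# Addresses: PFSENSE_LAN comes from the thread's "local" line; the other
# three are constructed assumptions for the simulation.
PFSENSE_LAN = "192.168.10.199"   # WRAP pfSense LAN address
REAL_FW = "192.168.10.1"         # friend's front-end firewall (assumed)
LAN_HOST = "192.168.10.50"       # a PC on the friend's LAN (assumed)
VPN_CLIENT = "10.8.0.6"          # MacBook's address inside the tunnel (assumed)

# Routing tables as (prefix, next_hop). A next hop that is an interface
# name rather than a modelled node means the packet leaves on that link:
# "ovpns1" is the OpenVPN tunnel, "isp" is the internet uplink.
TABLES = {
    PFSENSE_LAN: [("10.8.0.0/24", "ovpns1"),        # from netstat -r
                  ("192.168.10.0/24", "sis0"),
                  ("0.0.0.0/0", REAL_FW)],
    REAL_FW:     [("192.168.10.0/24", "lan"),
                  ("0.0.0.0/0", "isp")],           # no idea where 10.8.0.0/24 lives
    LAN_HOST:    [("192.168.10.0/24", "eth0"),
                  ("0.0.0.0/0", REAL_FW)],         # default gateway is the real firewall
}


def longest_prefix_match(table, dst):
    """Return the (network, next_hop) entry with the most specific prefix covering dst."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(tables, src, dst, max_hops=8):
    """Follow a packet from src toward dst and return the list of hops.

    The trace ends at an interface name: "ovpns1" means the packet entered the
    tunnel (success), "isp" means a private destination was handed to the
    internet and is lost, anything else means dst was directly connected.
    """
    path = [src]
    node = src
    for _ in range(max_hops):
        match = longest_prefix_match(tables[node], dst)
        if match is None:
            path.append("no route")
            return path
        next_hop = match[1]
        path.append(next_hop)
        if next_hop not in tables:      # left on a link, not another modelled router
            return path
        node = next_hop
    path.append("loop")
    return path


def with_route_on_firewall(tables):
    """Option a): the front-end firewall learns 10.8.0.0/24 via pfSense."""
    fixed = {k: list(v) for k, v in tables.items()}
    fixed[REAL_FW].insert(0, ("10.8.0.0/24", PFSENSE_LAN))
    return fixed


def with_route_on_host(tables):
    """Option b): each LAN host learns 10.8.0.0/24 via pfSense."""
    fixed = {k: list(v) for k, v in tables.items()}
    fixed[LAN_HOST].insert(0, ("10.8.0.0/24", PFSENSE_LAN))
    return fixed


if __name__ == "__main__":
    print("request  :", trace(TABLES, PFSENSE_LAN, LAN_HOST))
    print("reply now:", trace(TABLES, LAN_HOST, VPN_CLIENT))
    print("option a :", trace(with_route_on_firewall(TABLES), LAN_HOST, VPN_CLIENT))
    print("option b :", trace(with_route_on_host(TABLES), LAN_HOST, VPN_CLIENT))
```

The unfixed reply ends at "isp": the host hands it to the front-end firewall, whose only matching entry is the default route, so the private 10.8.0.0/24 reply is sent toward the internet and dropped. Option a) makes the reply hairpin through the firewall's LAN interface (it arrives and leaves on the same link, which many routers answer with an ICMP redirect), while option b) sends it straight to pfSense; both end in the tunnel.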



  • I guess I need a route like this:

    
    route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.10.254
    
    

    Can you confirm this?

    Greetz
    Mirco



  • Yes, assuming 192.168.10.254 is the WRAP pfSense at your friend's house.
    Obviously the particular route command will vary depending on the OS of the client or router that you need to modify.

    Get your friend to run pfSense as his front-end firewall, then you can make a site-to-site VPN between the 2 houses and a "dial-in" road warrior server to either/both houses, pass or block whatever traffic you want,… All much easier if the whole world standardises on pfSense  ;)



  • Thx, I'll give it a shot later today…

    I think he won't release his "Intranator" 800€ hardware box! But yeah, that would definitely make things much easier...

    Greetz
    Mircsicz