OpenVPN question



  • Until now I used a simple VPN config: on the remote server I used Linux and masqueraded the incoming VPN connection.

    What was run on Linux side:
    iptables -t nat -A POSTROUTING -s 10.3.0.2/32 -o eth1 -j MASQUERADE
    openvpn --proto tcp-server --comp-lzo --port XXXX --secret key.txt --dev tun2 --ifconfig 10.3.0.1 10.3.0.2

    Until now I used OpenVPN on my PC with following config:

    remote 212.XXX.XXX.XXX
    port XXXX
    proto tcp-client
    dev tun
    tun-mtu 1500
    ifconfig 10.3.0.2 10.3.0.1
    secret key.txt
    persist-tun
    persist-key
    resolv-retry 86400
    ping 10
    comp-lzo
    verb 4
    mute 10

    This worked OK, since I could connect to anything on the remote side in the 10.0.0.0/8 network.

    Now I'm trying to set up OpenVPN using pfSense in a way that each PC on my LAN could access the remote site via VPN, but still using one masquerade as it was set up previously.
    With the current settings I cannot ping anything at 10.x.x.x from the PCs on my LAN, but I can access everything from the pfSense router.

    Config on pfSense:
    writepid /var/run/openvpn_client0.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto tcp-client
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    remote 212.XXX.XXX.XXX XXXX
    lport 1194
    ifconfig 10.3.0.2 10.3.0.1
    route 10.0.0.0 255.0.0.0
    secret /var/etc/openvpn_client0.secret
    comp-lzo

    Any ideas what I'm doing wrong, or how to make the remote side accessible from the LAN?



  • Offhand I would think you did not set up the firewall rules to allow the VPN end-point to talk to the LAN side. At least there was no mention of any firewall rules configured for the VPN links...

    Check out this tutorial; you will need to substitute your network settings and probably will need to allow private network routing across as well...

    http://pfsense.untouchable.net/tutorials/openvpn/pfsense-ovpn.pdf

    :)

    gm...



  • You cannot create rules on the OpenVPN interface in pfSense.

    Could you provide a small picture of how your network is set up?
    I see that the pfSense is the client, but somehow I don't get from where to where you can access what and what not.

    What first comes to my mind, if you can access something from the pfSense but not from the clients that use the pfSense as gateway, is that somewhere a route or a push got forgotten and the route back to the clients that use pfSense as gateway is unknown.



  • @GruensFroeschli:

    What first comes to my mind, if you can access something from the pfSense but not from the clients that use the pfSense as gateway, is that somewhere a route or a push got forgotten and the route back to the clients that use pfSense as gateway is unknown.

    Even without a picture, you are correct.

    Situation I had before: PC (with OpenVPN client) <----> DSL router <----> Internet <----> PC (with OpenVPN server) <----> LAN on remote side

    Now I moved the OpenVPN client from my PC to pfSense, which is added as the DSL router.
    However, I can now access the LAN on the remote side only from pfSense, and not from the PCs on my local LAN.
    Picture that describes the current situation:
    Local LAN (PCs at home) <----> pfSense (as DSL router, etc.) <----> Internet <----> PC (with OpenVPN server) <----> LAN on remote side

    What I want is for PCs on my local LAN to access the remote LAN.
    Also, PCs on the local LAN should access the remote LAN masqueraded as the remote PC where the OpenVPN server is, which also means PCs on the remote LAN can't access PCs on the local LAN.

    Previously this worked OK, but now I don't know what else I need to enable on pfSense to be able to access the remote LAN from the PCs on my local LAN, although I can access everything correctly (on the remote LAN) from the pfSense router itself.

    Basically, from what I understand I somehow need to NAT the local PCs to IP 10.3.0.2 (the IP on the local side of the VPN tunnel) so my connections could go through it. I suppose some masquerading on the local (pfSense) side is needed too?

    Hope this explains well my situation, and I just don't know what else I need to change.



  • NATing traffic on the TUN interface is not possible.
    Also, adding firewall rules to the TUN interface is not possible.
    But what you are trying to do is on the to-do wish list for OpenVPN:
    --> http://devwiki.pfsense.org/OpenVPNWishlist

    If you have access to the OpenVPN server, here is what you can do:
    I assume that your remote network uses your OpenVPN server as gateway.
    Add an iroute entry to the OpenVPN server config so that your remote server knows that the subnet of your local LAN is behind the OpenVPN client (in this case the pfSense).
    More about the iroute command on the OpenVPN man pages --> http://openvpn.net/man.html

    If you want to restrict access from your remote net to your local subnet:
    Since you cannot add firewall rules on the pfSense, you have to do that on the OpenVPN server itself.
    Create a rule that allows access FROM your local subnet and the VPN subnet,
    and a rule that denies access TO your local subnet and VPN subnet.
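The server-side approach suggested in the reply above, written out as an added example (not code from the thread or from the pfSense project). One caveat a practitioner would want: `iroute` only exists in OpenVPN `--server` / `client-config-dir` mode, and the tunnel in this thread is a static-key point-to-point link (`--secret`), so the equivalent there is a plain `--route` on the server. Everything else follows the original question's commands (eth1, tun2, 10.3.0.1/10.3.0.2, key.txt); the client LAN 192.168.0.0/24, the default port 1194 and the use of iptables FORWARD rules for the "allow FROM, deny TO" policy are assumptions, labelled in the code.

```shell
#!/bin/sh
# Added example, not from the thread: run on the Linux box hosting the OpenVPN
# server. The server learns that the pfSense LAN sits behind the tunnel and
# masquerades it out eth1, exactly as it already does for the tunnel peer.
#
# Caveat: "iroute" is a --server / client-config-dir directive. The thread's
# tunnel is static-key point-to-point (--secret), so --route is used instead.
#
# Assumptions (not stated on the page): client LAN is 192.168.0.0/24, outside
# interface is eth1, tunnel is tun2 with 10.3.0.1 <-> 10.3.0.2 (as in the
# question), server port defaults to OpenVPN's 1194 (the question elides it).

LAN_NET="192.168.0.0/24"     # pfSense LAN behind the tunnel (assumed)
VPN_NET="10.3.0.0/30"        # covers both tunnel endpoints
TUN="tun2"
WAN="eth1"
PORT="${PORT:-1194}"         # assumed default; set PORT to the real one
DRY_RUN="${DRY_RUN:-0}"      # DRY_RUN=1 prints the commands instead of running

run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# NAT: masquerade the tunnel peer (original rule) and the client LAN out eth1.
nat_rules() {
    run iptables -t nat -A POSTROUTING -s 10.3.0.2/32 -o "$WAN" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -s "$LAN_NET"  -o "$WAN" -j MASQUERADE
}

# Filter ("allow FROM, deny TO"): the client LAN and tunnel may initiate
# outbound; only replies flow back into the tunnel; anything the remote side
# aims at the client LAN or tunnel subnet is dropped. Rule order matters.
forward_rules() {
    run iptables -A FORWARD -i "$TUN" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$TUN" -s "$VPN_NET" -j ACCEPT
    run iptables -A FORWARD -o "$TUN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -o "$TUN" -d "$LAN_NET" -j DROP
    run iptables -A FORWARD -o "$TUN" -d "$VPN_NET" -j DROP
}

# Same server command as the question, plus the route that sends traffic for
# the client LAN into the tunnel (the p2p equivalent of iroute).
start_openvpn() {
    run openvpn --proto tcp-server --comp-lzo --port "$PORT" \
        --secret key.txt --dev "$TUN" --ifconfig 10.3.0.1 10.3.0.2 \
        --route 192.168.0.0 255.255.255.0
}

# Number of commands a rule function would issue (dry run; quick self-check).
rule_count() { ( DRY_RUN=1; "$1" ) | wc -l | tr -d ' '; }

if [ "${1:-}" = "apply" ]; then
    run sysctl -w net.ipv4.ip_forward=1
    nat_rules
    forward_rules
    start_openvpn
fi
```

Run it with `DRY_RUN=1 sh server-side.sh apply` first to review the exact commands, then without `DRY_RUN` to install them. The DROP rules only matter if the FORWARD chain's default policy is ACCEPT; with a default DROP policy they are redundant but harmless.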



  • I see.

    The only problem is that I want (well, need) the local PCs (on the local LAN) to be able to access the remote LAN with the NAT address of the server there.
    I do have full access to that machine.

    So, if I understand correctly, I should make a route on the remote server for the local IPs with iroute, and push "route" commands, while setting up NAT on the remote server, where the OpenVPN server is located?

    Well, will try to fiddle with this later tonight.

    Edit:
    Well, I found a temporary workaround in another post that makes it work:
    Adding to /tmp/rules.debug the line:
    nat on tun0 from 192.168.0.0/24 to any -> (tun0)

    ... and running:
    /sbin/pfctl -f /tmp/rules.debug

    But, AFAIK, this won't survive reboots... any way to automate this?
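One way to make the workaround in the post above survive reboots and filter reloads, as an added example (not code from the thread or from pfSense): an OpenVPN `up` script on the pfSense client that loads the NAT rule into a pf anchor each time the tunnel comes up. The anchor's rules are only evaluated if the main ruleset references it, so the ANCHOR name is an assumption you must check against your own `/tmp/rules.debug` (`grep nat-anchor /tmp/rules.debug`); the LAN 192.168.0.0/24 comes from the workaround rule, and the script path is hypothetical. Because OpenVPN accepts a single `up` directive, the script calls the page's existing `/etc/rc.filter_configure` itself before adding the rule, and it relies on the documented `--up` behaviour of passing the tun device name as the first argument.

```shell
#!/bin/sh
# Added example, not from the thread: OpenVPN "up" script for the pfSense client.
# Installs the NAT rule from the workaround into a pf anchor whenever the tunnel
# comes up, so a reboot or a filter reload does not lose it.
#
# Assumptions (not stated on the page):
#  - the main ruleset carries a matching nat-anchor line, e.g. nat-anchor "natearly/*";
#    check with: grep nat-anchor /tmp/rules.debug  and set ANCHOR to match.
#  - the local LAN is 192.168.0.0/24, as in the workaround rule.
#  - OpenVPN runs this as  up /usr/local/bin/ovpn-nat-up.sh  (hypothetical path)
#    and passes the tun device name as $1 (documented --up behaviour).

LAN_NET="${LAN_NET:-192.168.0.0/24}"
ANCHOR="${ANCHOR:-natearly/openvpn}"

# Build the pf NAT rule: masquerade LAN sources behind the tunnel's own address.
# "(dev)" in parentheses makes pf re-resolve the address if the interface renumbers.
# Refuses anything that is not a tun device so a bad $1 cannot NAT the wrong link.
nat_rule_for() {
    dev="$1"; net="$2"
    case "$dev" in
        tun[0-9]*) ;;
        *) echo "nat_rule_for: refusing non-tun device '$dev'" >&2; return 1 ;;
    esac
    printf 'nat on %s from %s to any -> (%s)\n' "$dev" "$net" "$dev"
}

# Load the rule into the anchor, replacing whatever the anchor held before.
apply_nat_for() {
    dev="$1"; net="$2"
    rule="$(nat_rule_for "$dev" "$net")" || return 1
    printf '%s\n' "$rule" | pfctl -a "$ANCHOR" -f -
}

# Entry point when invoked by OpenVPN: keep pfSense's own up hook, then add NAT.
if [ -n "${1:-}" ] && command -v pfctl >/dev/null 2>&1; then
    [ -x /etc/rc.filter_configure ] && /etc/rc.filter_configure
    apply_nat_for "$1" "$LAN_NET"
fi
```

Verify after a reconnect with `pfctl -a natearly/openvpn -sn` (using your anchor name): the rule should be listed, and outbound pings from a LAN host to 10.x.x.x should now appear on the remote side sourced from 10.3.0.2. If the anchor is listed but traffic is still not translated, the main ruleset does not reference that anchor and ANCHOR must be changed.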

