OpenVPN question
-
Until now I used a simple VPN config - on the remote server I used Linux and masqueraded the incoming VPN connection.
What was run on the Linux side:
iptables -t nat -A POSTROUTING -s 10.3.0.2/32 -o eth1 -j MASQUERADE
openvpn --proto tcp-server --comp-lzo --port XXXX --secret key.txt --dev tun2 --ifconfig 10.3.0.1 10.3.0.2
Until now I used OpenVPN on my PC with the following config:
remote 212.XXX.XXX.XXX
port XXXX
proto tcp-client
dev tun
tun-mtu 1500
ifconfig 10.3.0.2 10.3.0.1
secret key.txt
persist-tun
persist-key
resolv-retry 86400
ping 10
comp-lzo
verb 4
mute 10
This worked OK, since I could connect to anything on the remote side in the 10.0.0.0/8 network.
Now I'm trying to set up OpenVPN using pfSense in a way that each PC on my LAN could access the remote site via VPN - but still using 1 masquerade as it was set up previously.
With the current setting I cannot ping anything at 10.x.x.x from the PCs on my LAN, but I can access all of it from the pfSense router.
Config on pfSense:
writepid /var/run/openvpn_client0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-client
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
remote 212.XXX.XXX.XXX XXXX
lport 1194
ifconfig 10.3.0.2 10.3.0.1
route 10.0.0.0 255.0.0.0
secret /var/etc/openvpn_client0.secret
comp-lzo
Any ideas what I'm doing wrong, or how to make the remote side accessible from the LAN?
-
Offhand I would think you did not set up the firewall rules to allow the VPN end-point to talk to the LAN side. At least there was no mention of any firewall rules configured for the VPN links...
Check out this tutorial - you will need to substitute your network settings and probably will need to allow private network routing across as well...
http://pfsense.untouchable.net/tutorials/openvpn/pfsense-ovpn.pdf
:)
gm...
-
You cannot create rules on the OpenVPN interface in pfSense.
Could you provide a small picture of how your network is set up?
I see that the pfSense is the client but somehow don't get from where to where you can access what and what not.
What comes first to my mind is if you can access something from the pfSense but not from the clients that use the pfSense as Gateway that somewhere a route or a push got forgotten and the route back to the clients that use pfSense as Gateway is unknown.
-
What comes first to my mind is if you can access something from the pfSense but not from the clients that use the pfSense as Gateway that somewhere a route or a push got forgotten and the route back to the clients that use pfSense as Gateway is unknown.
Even without picture, you are correct.
Situation I had before: PC (with OpenVPN client) <----> DSL Router <----> Internet <----> PC (with OpenVPN server) <----> LAN on remote side
Now I moved the OpenVPN client from my PC to pfSense, which was added as the DSL router.
However, I can access the LAN on the remote side only from pfSense, and not from the PCs on my local LAN now.
Picture that would describe the current situation:
Local LAN (PCs at home) <----> pfSense (as DSL router, etc.) <----> Internet <----> PC (with OpenVPN server) <----> LAN on remote side
What I want is the PCs from my local LAN to access the remote LAN.
Also, the PCs from the local LAN should be able to access the remote LAN masqueraded as the remote PC where the OpenVPN server is - which also means PCs from the remote LAN can't access PCs on the local LAN.
Previously this worked OK, but now I don't know what else I need to enable on pfSense to be able to access the remote LAN from the PCs on my local LAN - although I can access all of it correctly (on the remote LAN) from the pfSense router itself.
Basically, from what I understand I somehow need to NAT the local PCs to IP 10.3.0.2 (the IP on the local side of the VPN tunnel) so my connections could go through it. Suppose some masquerading on the local (pfSense) side is needed too?
Hope this explains my situation well, and I just don't know what else I need to change.
-
NATing traffic on the TUN interface is not possible.
Also adding firewall rules to the TUN interface is not possible.
But what you are trying to do is on the to-do wishlist of the OpenVPN package.
--> http://devwiki.pfsense.org/OpenVPNWishlist
If you have access to the OpenVPN server, here is what you can do:
I assume that your remote network uses your OpenVPN server as gateway.
Add an iroute entry to the OpenVPN server config so that your remote server knows that the subnet of your local LAN is behind the OpenVPN client (in this case the pfSense).
More about the iroute command on the OpenVPN man pages --> http://openvpn.net/man.html
If you want to restrict access from your remote net to your local subnet:
Since you cannot add firewall rules on the pfSense you have to change that on the OpenVPN server itself.
Create a rule that allows access FROM your local subnet and the VPN subnet,
and a rule that denies access TO your local subnet and VPN subnet.
-
I see.
The only problem is I want (well, need) the local PCs (on the local LAN) to be able to access the remote LAN with the NAT address of the server there.
I do have full access to that machine.
So, if I understand correctly, I should make a route on the remote server for the local IPs with iroute, and push "route" commands, while setting up NAT on the remote server, where the OpenVPN server is located?
Well, will try to fiddle with this later tonight.
Edit
Well, I found a temporary workaround in another post that makes it work:
Adding in /tmp/rules.debug the line:
nat on tun0 from 192.168.0.0/24 to any -> (tun0)
.. and doing:
/sbin/pfctl -f /tmp/rules.debug
But, AFAIK, this won't work after reboots.. any way to automate this?
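As an added example (not from any post in this thread), here is a small sh script that re-applies the pf NAT workaround from the last post in an idempotent way, so it can be run from a startup hook after the tunnel comes up instead of being typed by hand. It assumes the LAN subnet 192.168.0.0/24 and tunnel interface tun0 quoted in the post; the function names are mine.

```shell
#!/bin/sh
# Added example: re-apply the "nat on tun0" workaround from the thread.
# Assumptions (override via environment): LAN is 192.168.0.0/24, tunnel is
# tun0, and pfSense's generated ruleset lives in /tmp/rules.debug.
LAN_NET="${LAN_NET:-192.168.0.0/24}"
TUN_IF="${TUN_IF:-tun0}"
RULES_FILE="${RULES_FILE:-/tmp/rules.debug}"

# Build the pf NAT rule: LAN sources leaving through the tunnel are rewritten
# to the tunnel's own address (10.3.0.2 in the thread), which is the only
# source the remote server's MASQUERADE rule accepts.
build_nat_rule() {
    printf 'nat on %s from %s to any -> (%s)\n' "$2" "$1" "$2"
}

# Minimal CIDR sanity check so a typo never loads a bogus NAT rule.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# True when the exact rule line is already in the ruleset file.
rule_present() {
    grep -qxF "$1" "$2" 2>/dev/null
}

# Append the rule only if missing, then reload pf (skipped where pfctl is absent,
# e.g. when testing the script off the router).
apply_nat_rule() {
    valid_cidr "$LAN_NET" || { echo "bad LAN_NET: $LAN_NET" >&2; return 1; }
    rule=$(build_nat_rule "$LAN_NET" "$TUN_IF")
    if ! rule_present "$rule" "$RULES_FILE"; then
        printf '%s\n' "$rule" >> "$RULES_FILE"
    fi
    if command -v /sbin/pfctl >/dev/null 2>&1; then
        /sbin/pfctl -f "$RULES_FILE"
    fi
}
```

Because /etc/rc.filter_configure (the up/down hook in the posted client config) rewrites /tmp/rules.debug on every filter reload, the script has to run after that reload, not just once at boot.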