Route help please



  • Ok so I got my pfsense box connected via openvpn to my openvpn server at work.

    I want my lan clients behind my pfsense box to be able to route 172.20.xxx.xxx via openvpn and everything else to go out through my default gateway.

    What do I need to do to accomplish this?

    TIA!

    pfsense 2.1 release i386



  • ok so basically I have a site to site openvpn. I just can't get the clients on the openvpn client side to reach the clients behind the server.
    The pfsense openvpn client can ping out to the clients behind the openvpn server…



  • I am starting to think this is impossible… I have done everything I can think of and I get no spoon :(



  • What is the OpenVPN server at work - running on pfSense or?
    Is the work OpenVPN server on the work router, or some other box at work?
    If you can ping from client pfSense to work, then client pfSense knows the route to work LAN across the OpenVPN site-to-site link. And work can reply, because the work router will have the site-to-site link as one of its direct-connected networks, thus able to reach client pfSense in a single hop.
    It sounds like work router does not have a route to client LAN. Work router OpenVPN server config will then need the equivalent of the "Remote Network/s" box filled in.



  • @phil.davis:

    What is the OpenVPN server at work - running on pfSense or?
    Is the work OpenVPN server on the work router, or some other box at work?
    If you can ping from client pfSense to work, then client pfSense knows the route to work LAN across the OpenVPN site-to-site link. And work can reply, because the work router will have the site-to-site link as one of its direct-connected networks, thus able to reach client pfSense in a single hop.
    It sounds like work router does not have a route to client LAN. Work router OpenVPN server config will then need the equivalent of the "Remote Network/s" box filled in.

    Thanks for your reply!!!

    It's an OpenVPN server. Not a pfsense.
    Well there is no router at work. Our vpn server sits right on an unmanaged T1 line.
    Now outside of the vpn server the switches do routing at layer 3.

    The openvpn server pushes the routes down to my pfsense box.

    My pfsense box can ping every host on other side of the vpn server.

    It's only my systems behind my pfsense that can not ping to the hosts on the vpn.

    I looked in the logs of the openvpn server and I am getting this when I try to ping a host….

    RwrWRwrWRwrWRwRWed Sep 25 12:29:58 2013 us=724862 pfsense/MYIP:15007 MULTI: bad source address from client [MYNATIP], packet dropped

    I think I am getting close.

    Any thoughts?



  • In this case, the pfSense client has a whole network behind it. But I suspect that the OpenVPN server is expecting single "road-warrior" clients to connect, which just use the tunnel IP address allocated by the OpenVPN server.
    Somehow you need to teach the OpenVPN server that there is a whole LAN subnet reachable behind the pfSense client.
    I can't help with the detail of that. How to do it will depend on what the "OpenVPN server" actually is - what software it uses to set up and configure the server. But do post more detail about the OpenVPN server (what software it is) and someone might be able to tell you how to configure it.



  • Thank you for your reply.

    It's not an application in the sense of an appliance.

    It's a Centos server with OpenVPN installed.



  • You are talking OpenvpnAS?



  • @kejianshi:

    You are talking OpenvpnAS?

    [root@vpn ~]# openvpn --version
    OpenVPN 2.3.1 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on May 24 2013
    Originally developed by James Yonan
    Copyright (C) 2002-2010 OpenVPN Technologies, Inc. sales@openvpn.net
    Compile time defines: enable_crypto=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_eurephia=yes enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_pthread=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no
    [root@vpn ~]#



  • You should just dump that and run openvpn directly out of pfsense.  Assuming pfsense is your router/firewall, it's less problematic to have it on the router.



  • @kejianshi:

    You should just dump that and run openvpn directly out of pfsense.  Assuming pfsense is your router/firewall, it's less problematic to have it on the router.

    This is an enterprise env. I am doing this as a small approach for myself to gain access to the management network 24x7.  It is never a solution to tell somebody "dump that" and replace it "with this". Don't get me wrong, I am glad that you replied and tried to help, but your suggestion was very poor. Eventually I will get a VPN appliance installed at my premises… I just need a quick solution in the meantime.

    Again Thanks for the help kejianshi.



  • You don't understand - I have both.  Before, my system was similar to yours.  I used to run openvpn on a separate system inside the LAN but it was less problems to run it on pfsense alone.  Without knowing that moving your vpn to pfsense isn't something you can do, I'd assume I'm giving you good advice.  NOW that I know you have to keep it separate, apparently:

    How many people will be using your vpn?  Just you or many?



  • @kejianshi:

    You don't understand - I have both.  Before, my system was similar to yours.  I used to run openvpn on a separate system inside the LAN but it was less problems to run it on pfsense alone.  Without knowing that moving your vpn to pfsense isn't something you can do, I'd assume I'm giving you good advice.  NOW that I know you have to keep it separate, apparently:

    How many people will be using your vpn?  Just you or many?

    kejianshi,

    Ahhh! I see. Ok I am now at the same page you are.

    What they did is stand up a vpn server with small satellite offices connecting to it. The satellite servers connect to the server and they can communicate with everybody on the LAN and others just fine.
    It's the same approach. Centos servers with openvpn as clients. Also we have ccd files defining their networks for openvpn.

    There is about 10 Offices connected to it. And now I am trying to connect my pfsense to it as well.

    I might discard the idea all together given the complicated aspect of it. Though it would be nice to use this approach. I dislike the idea of a vpn appliance if I have a pfsense box :)

    Your thoughts?



  • If it's just you, and you can install a VM inside your LAN, I'd suggest you download ubuntu from the web and install openvpnAS server inside of it.  I like the OpenvpnAS server for anyone who just needs to provide a "door in" for himself or maybe one other because it has a web management GUI that is very simple to work with. If you expose that gui to the web, you can manage it remotely, download a client config anywhere on any machine.  It's very sweet for 2 people for free.  More than 2 licenses will cost you, but the first 2 accounts are free, full featured and never expire.

    It's quite simple to add routes etc also.  I'd prefer to do it from pfsense directly, but this is my next best recommendation.



  • @kejianshi:

    If it's just you, and you can install a VM inside your LAN, I'd suggest you download ubuntu from the web and install openvpnAS server inside of it.  I like the OpenvpnAS server for anyone who just needs to provide a "door in" for himself or maybe one other because it has a web management GUI that is very simple to work with. If you expose that gui to the web, you can manage it remotely, download a client config anywhere on any machine.  It's very sweet for 2 people for free.  More than 2 licenses will cost you, but the first 2 accounts are free, full featured and never expire.

    It's quite simple to add routes etc also.  I'd prefer to do it from pfsense directly, but this is my next best recommendation.

    Thank you kejianshi.

    I will look in to it!



  • The way they do it now is fine, but doing it all from within pfsense is less overhead system-wise.  Fewer machines to take care of.  Also, the routes are more likely to work.  Less NAT.  It's also free for as many users as you like.

    But again, if doing it from within pfsense isn't something you can do, Openvpn AS is also great.  Costs for more than 2 licenses though.



  • In case it gets confusing trying to figure out exactly where to download from:

    http://openvpn.net/index.php/access-server/download-openvpn-as-sw.html

    Pick an OS, install the OS of your liking (I like ubuntu for something like this but mine is in Centos for other reasons).

    Then download and install the correct package.

    Forward 1 port for access to client web, 1 more for admin access and one other for the vpn itself to this machine.

    All done - enjoy.

    Later, try to get everyone on pfsense - It's really the best way long term.



  • For those interested.

    All I had to do was add a line to my iptables:

    -A POSTROUTING -s XXX.XXX.0.0/24 -d XXX.XXX.0.0/16 -j MASQUERADE

    Then add a route to my openvpn conf file for my subnet behind my firewall.

    and then add a ccd.

    Done.
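    An added example (not from the thread or from OpenVPN/pfSense) that ties the server log line quoted earlier to the three-part fix in this post. OpenVPN drops packets whose source address is not one it has associated with the sending client ("MULTI: bad source address from client [...], packet dropped"); a "route" line in server.conf gives the kernel a route for the client's LAN via the tunnel, a ccd/<CN> file with "iroute" tells OpenVPN that this client legitimately sources that LAN, and the POSTROUTING MASQUERADE rule hides the client LAN behind the server when talking to the work network. The script generates those three pieces from a CIDR and CN (it writes only the ccd file, nothing is applied) and includes a log-triage helper run over a constructed sample. Client name "pfsense", client LAN 192.0.2.0/24, work LAN 172.20.0.0/16 and all log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the server-side pieces for an
# OpenVPN site-to-site client on a CentOS server and triages "bad source address" log lines.

# Convert a prefix length (0-32) to a dotted-quad netmask ("route"/"iroute" need a mask).
cidr_to_mask() {
    bits=$1; mask=""
    case $bits in ''|*[!0-9]*) echo "bad prefix length: $bits" >&2; return 1;; esac
    [ "$bits" -le 32 ] || { echo "bad prefix length: $bits" >&2; return 1; }
    for _ in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then octet=255; bits=$((bits - 8))
        else octet=$(( (255 << (8 - bits)) & 255 )); bits=0
        fi
        mask="${mask}${mask:+.}${octet}"
    done
    printf '%s\n' "$mask"
}

# server.conf line: kernel route for the client LAN via the tun interface.
ovpn_route_line() {
    printf 'route %s %s\n' "${1%/*}" "$(cidr_to_mask "${1#*/}")"
}

# ccd/<CN> line: OpenVPN-internal route that authorizes this client to source the LAN.
# Without it the server logs "MULTI: bad source address from client" and drops the packets.
ovpn_iroute_line() {
    printf 'iroute %s %s\n' "${1%/*}" "$(cidr_to_mask "${1#*/}")"
}

# iptables nat rule (as in the post): hide the client LAN behind the server toward work.
masquerade_rule() {
    printf '%s\n' "-A POSTROUTING -s $1 -d $2 -j MASQUERADE"
}

# Write ccd/<CN>; server.conf must also contain "client-config-dir <dir>".
write_ccd() {
    dir=$1; cn=$2; lan=$3
    mkdir -p "$dir"
    ovpn_iroute_line "$lan" > "$dir/$cn"
    printf '%s\n' "$dir/$cn"
}

# Read an OpenVPN server log on stdin, print "<CN> <dropped source>" for each distinct
# bad-source drop. Works even with the R/W/r/w packet-trace characters glued to the front.
bad_source_clients() {
    sed -n 's/.* \([^ /]*\)\/[^ ]* MULTI: bad source address from client \[\([^]]*\)\].*/\1 \2/p' | sort -u
}

# Constructed sample log (hypothetical addresses, documentation ranges).
SAMPLE_LOG='Wed Sep 25 12:29:58 2013 us=724862 pfsense/203.0.113.5:15007 MULTI: bad source address from client [192.0.2.10], packet dropped
RwrWRwrWWed Sep 25 12:29:59 2013 us=100000 pfsense/203.0.113.5:15007 MULTI: bad source address from client [192.0.2.11], packet dropped
Wed Sep 25 12:30:00 2013 us=200000 branch7/198.51.100.9:1194 MULTI: Learn: 10.8.0.6 -> branch7/198.51.100.9:1194'

# Demo: hypothetical client "pfsense" with LAN 192.0.2.0/24, work LAN 172.20.0.0/16.
CLIENT_CN=pfsense; CLIENT_LAN=192.0.2.0/24; WORK_LAN=172.20.0.0/16
echo "# clients currently being dropped for spoofed/unauthorized source addresses:"
printf '%s\n' "$SAMPLE_LOG" | bad_source_clients
echo "# add to server.conf:"; ovpn_route_line "$CLIENT_LAN"
echo "# ccd file written:"; write_ccd "$(mktemp -d)" "$CLIENT_CN" "$CLIENT_LAN"
echo "# add to the nat table:"; masquerade_rule "$CLIENT_LAN" "$WORK_LAN"
```

    The triage function is the check to run first: if a client shows up there, its ccd "iroute" is missing or does not cover the source subnet, and adding the kernel "route" or the NAT rule alone will not stop the drops. Once the iroute is in place the "bad source address" lines for that CN should stop appearing in the server log.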



  • Guess you didn't like the OpenvpnAS idea?

    I'm glad it's working well for you.



  • @kejianshi:

    Guess you didn't like the OpenvpnAS idea?

    I'm glad it's working well for you.

    kejianshi,

    Thanks for the recommendation. I will try it eventually. I just couldn't see myself changing existing infrastructure.

    Again thank you!

