Using OpenVpn on the LAN interface



  • I'm trying to configure a pfsense server to work as the internal router, DHCP and DNS only.  I have an ASA on the network acting as the gateway and firewall.  I'm wondering what security implications or problems might come up if I set the VPN server up on the LAN port and open a port on the ASA to forward VPN traffic to the server.

    I have set up a pfsense server before but have always used the WAN and firewall.  My big question is: when you set the VPN up on the WAN, the tunnel is made at that point and not on the unprotected LAN.  Am I opening myself up to a large security hole allowing traffic to the LAN?

    Thank you



  • It doesn't matter if the OpenVPN server is running on WAN or on LAN. You always need a firewall rule which allows traffic for that port and protocol. You need this for WAN and for LAN.

    The only difference between WAN and LAN is that you need port forwarding when running the VPN server on the LAN interface.



  • I understand that there must be firewall rules which allow traffic for that port and protocol.

    My understanding is that the WAN sits on one side of the pfsense firewall and the LAN sits on the other. When you set up a VPN server it listens on the WAN port for a request.  When a connection is made the server allows that traffic through the firewall and access to the LAN side of the network.  This is why it's best practice to use two different NICs for LAN and WAN.

    In this case there is no WAN port.  The system only has one NIC on the LAN.  This is also the port that allows management of pfsense.  The firewall is being handled by a different device.  If all I do is forward traffic to the server from the other device, do I open myself up for someone to access the server or network?

    So if I understand this right, the pfsense firewall is completely bypassed and has nothing to do with the connection.  My concern in a nutshell is that on a normal setup the initial connection happens at or outside the firewall; that is not the case with a port forward, or am I wrong?

    Thanks



  • @abassett:

    I understand that there must be firewall rules which allow traffic for that port and protocol.

    My understanding is that the WAN sits on one side of the pfsense firewall and the LAN sits on the other.

    Every interface has its own firewall ruleset.
    Traffic initiated on subnets connected to the WAN interface needs to pass the rules in the WAN firewall ruleset.
    Traffic initiated on subnets connected to the LAN interface needs to pass the rules in the LAN firewall ruleset.
    So you could imagine it like this:

    • pfsense is in the center

    • around pfsense there are firewalls

    • around the firewalls there are interfaces.

    interfaces ---|FW|----pfsense----|FW|----interfaces
                             |
                             |
                           |FW|
                             |
                             |
                        interfaces

    @abassett:

    When you set up a vpn server it listens on the WAN port for a request.  When a connection is made the server allows that traffic through the firewall and access to the LAN side of the network.

    Perhaps I misunderstood you, but look at the network map I made above. The OpenVPN service is listening between pfsense (central) and the firewall (|FW|). That means if you did not configure a firewall rule to allow traffic for OpenVPN then no one can connect. OpenVPN does not "open" something in the firewall. So to get a connection to the OpenVPN server you first have to open the port in the firewall.

    This is why I said it doesn't matter. You have to open a port and it does not matter if the traffic passes that port to reach the OpenVPN server listening on the WAN interface or if you open the port in the firewall to allow traffic to reach the OpenVPN service listening on LAN interface.

    @abassett:

    This is why it's best practice to use two different NICs for LAN and WAN.

    You can run pfsense with just one interface if you want. If you only want to use pfsense to act as an OpenVPN server then this is no problem.

    @abassett:

    In this case there is no WAN port.  The system only has one NIC on the LAN.  This is also the port that allows management of pfsense.  The firewall is being handled by a different device.  If all I do is forward traffic to the server from the other device, do I open myself up for someone to access the server or network?

    So if I understand this right, the pfsense firewall is completely bypassed and has nothing to do with the connection.  My concern in a nutshell is that on a normal setup the initial connection happens at or outside the firewall; that is not the case with a port forward, or am I wrong?

    Thanks

    !?!



  • Sorry about that, the last part was written in a hurry and was not well thought out.

    Thank you for the explanation, I didn't realize that is how the firewalls worked.

    But I still don't have the answer I want. Let me try the end again and see if I can do it right this time. ;)

    In a typical LAN/WAN setup, browser access to the admin section is blocked on the WAN but not on the LAN.  Since I am forwarding outside traffic to the LAN port, is that making the browser access point vulnerable to attack?

    Example:

    Typical LAN/WAN setup.  This is secure!
    can access the admin section ----> LAN --- |FW|----pfsense----|FW|----WAN <----- Can't access the admin section. VPN requests
                                                ^                  ^
                     this blocks almost nothing-|                  |---------this blocks almost everything

    What I'm thinking of doing.  Not sure this is secure?!?!?!?!
    VPN requests and can access the admin section ----> LAN --- |FW|----pfsense
                                                                 ^
                                      this blocks almost nothing-|

    Is this going to cause a security issue?

    Thank you for your time and good explanations.



  • For VPN, the LAN and WAN firewall rules only need to be configured to allow someone to connect to the listening port of the VPN service. So for OpenVPN you in general need to open port 1194 UDP on the firewall of the interface on which the service is listening.

    So your pfsense webGUI must not listen on the same port - but this is probably not the case.

    AFTER a user has connected successfully to the OpenVPN server, a secure tunnel is established and all traffic runs through this tunnel. Further, there is a new "tab" on your pfsense firewall which is called "OpenVPN", and there you can configure additional rules which only affect traffic within the VPN tunnel. So you need to configure the rules for this OpenVPN tab as well.

    So all is going this way:

    • You configure the VPN server to listen on a port and an interface

    • you open this port on the corresponding firewall

    • someone can connect to this port/service and can try to authenticate with their credentials

    • when authenticated successfully a VPN tunnel will be established

    • The traffic which comes from the VPN tunnel has its own firewall and firewall rules you need to configure

    And if you do the port forwarding you just forward one specific port from the internet to the VPN server. So someone from the internet only has access to this specific port on the specified server. So if you do not port forward port 80, which is the web GUI, then no one can access the webGUI from the internet. Further, it would not be possible to run the webGUI and the VPN server on the same port and same interface.

    Hopefully I understood what you want  ;)
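    The reasoning in this answer (only the forwarded port is reachable from the internet, the pfsense rule set on the interface must still pass it, and two services cannot share interface, protocol and port) as a small model you can run against your own listener and forwarding tables. This is an added example, not code from the thread or from pfSense; the host address, service names, ports and rules are constructed.

    ```python
    from dataclasses import dataclass

    @dataclass(frozen=True)
    class Listener:
        name: str
        iface: str   # pfSense interface the service binds to
        proto: str   # "tcp" or "udp"
        port: int

    @dataclass(frozen=True)
    class Forward:
        proto: str
        ext_port: int   # port opened on the edge device (the ASA in the thread)
        dst_host: str   # internal host the edge device forwards to
        dst_port: int

    PFSENSE_LAN = "192.0.2.10"  # constructed LAN address of the single-NIC pfSense

    # Constructed services, both bound to the only interface (LAN): webGUI 80/tcp, OpenVPN 1194/udp.
    LISTENERS = (
        Listener("webgui", "lan", "tcp", 80),
        Listener("openvpn", "lan", "udp", 1194),
    )
    # pfSense LAN rule set as (iface, proto, port) tuples that the rules pass.
    LAN_RULES = {("lan", "tcp", 80), ("lan", "udp", 1194)}
    # Only the VPN port is forwarded by the edge device.
    FORWARDS = (Forward("udp", 1194, PFSENSE_LAN, 1194),)

    def internet_reachable(listeners, forwards, rules):
        """Services the internet can reach: the edge device must forward to the
        service's host/proto/port AND the pfSense rules on its interface must pass it."""
        reachable = set()
        for fwd in forwards:
            for svc in listeners:
                same_target = (fwd.dst_host == PFSENSE_LAN
                               and (fwd.proto, fwd.dst_port) == (svc.proto, svc.port))
                if same_target and (svc.iface, svc.proto, svc.port) in rules:
                    reachable.add(svc.name)
        return reachable

    def port_conflicts(listeners):
        """Pairs of services bound to the same interface/protocol/port; two such
        services cannot both run (the thread's webGUI-vs-OpenVPN point)."""
        seen, clashes = {}, []
        for svc in listeners:
            key = (svc.iface, svc.proto, svc.port)
            if key in seen:
                clashes.append((seen[key], svc.name))
            seen[key] = svc.name
        return clashes
    ```

    With the constructed tables only `openvpn` is reachable; adding a forward for 80/tcp would expose `webgui` as well, which is exactly the exposure the question worries about.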



  • The beauty of OpenVPN is that it's an application-level solution, so if it helps to visualise it, think of it as you would think of a web server application or a telnet application. In this way, your proposed scenario is perfectly suitable for OpenVPN (and not for other VPN technologies).

    This is unlike the IPSec or PPTP VPNs on your ASA (where I think you might be coming from, from reading your comments), which require specific lower-level protocols to work (OSI level 3), and which need direct access to the WAN interface and no playing around with NAT and firewall traversal (it IS possible, but it's not natural for these VPN technologies).