How do I VPN only 1 host device?
-
I have 1 WAN, 1 subnet and on one of the devices (let's say 192.168.1.2), I want to use the vpn only on that device.
Currently, OpenVPN is setup according to the StrongVPN guide stickied at the top and the VPN is connected.
Without any changes to firewall or NAT rules, all traffic is being pushed through the VPN connection. The only thing that stops it is if I disable the interface altogether. If I try to stop the service, it turns itself back on or just simply never disconnects.
My understanding of the the way a VPN works is host-LAN-WAN-VPN so I need to set NAT outbound for 192.168.1.2 to the VPN IP (although I'm not sure what the difference is between the virtual VPN IP and the actual VPN server IP. For incoming traffic, I need to create a firewall rule allowing all traffic in from the VPN.
Previously, I had those firewall/NAT rules but deleted it all because it wasn't working. Now like I said, I can't get it to stop working without disabling the interface.
What is the best solution? Multiple LAN subnets or is there a configuration solution?
I don't know if this complicates things but my pfsense is virtualized with hyper-v using the regular network adapters (not the legacy ones).
-
I have 1 WAN, 1 subnet and on one of the devices (let's say 192.168.1.2), I want to use the vpn only on that device.
Currently, OpenVPN is setup according to the StrongVPN guide stickied at the top and the VPN is connected.
Without any changes to firewall or NAT rules, all traffic is being pushed through the VPN connection. The only thing that stops it is if I disable the interface altogether. If I try to stop the service, it turns itself back on or just simply never disconnects.
That's what that guide is intended to accomplish.
If you follow that guide and change that last part where it sets the firewall rule on LAN to gateway "LAN net" to "VPN" to instead gateway "192.168.1.2" to "VPN" followed by a rule that passes LAN net to the default gateway you should be pretty close.
-
Usually those vpn guides have a firewall rull that passes the entire lan (usually a /24)
If you change that one rule to the ip address of the client you want to be VPNed (a /32) you should be golden.So basically… what Derelict said....
-
It doesn't work for me. Here are my firewall rules in order from top to bottom.
- Protocol: IPv4, Source: Desktop (alias for 192.168.1.2, Destination: blank, Gateway: VPN
- Protocol: IPv4, Source: LAN net, Destination: blank, Gateway: DHCP WAN
- Protocol: IPv4, Source: blank, Destination: blank, Gateway: default
- Protocol: IPv6, Source: blank, Destination: blank, Gateway: default ipv6
Rules 3 and 4 are there by default but I left them as is because the firewall reads the rules from top to bottom so rules 1 and 2 should take care of traffic for the entire LAN net.
Yet, when I turn on VPN, every since device on my network passes through the vpn, not just my desktop.
-
Using manual outbound NAT?
-
Yes manual outbound NAT although I haven't added any additional outbound NAT rules.
Currently I have 4 outbound NAT rules.
- Interface: WAN, Source:L 127.0.0.0/8, Destination: blank, Destination Port: 500, NAT Address: (my ISP WAN address here), NAT Port: Blank, Static Port: Yes
- Interface: WAN, Source: 127.0.0.0/8, Destination: blank, Destination Port: blank, NAT Address: (my ISP WAN address here), NAT Port: Blank, Static Port: No
- Interface: WAN, Source: 192.168.1.1/24, Destination: blank, Destination Port: 500, NAT Address: (my ISP WAN address here), NAT Port: Blank, Static Port: Yes
- Interface: WAN, Source: 192.168.1.1/24, Destination: blank, Destination Port: blank, NAT Address: (my ISP WAN address here), NAT Port: Blank, Static Port: No
These are the 4 default settings.
Edit: partially deleted because I wasn't being accurate. I've staring at this too long, all day, and its making me delirious.
-
The one you had before…
Interface: OpenVPN, Source: Desktop (my alias for 192,168.1.1), Destination:blank, Destination Port: Blank, NAT Address: (my VPN address here), NAT Port: (VPN port), Static Port: Yes
Remake that one and put it at the top of the list.
BTW - If 192.168.1.1 is your desktop IP, then what is the LAN IP of pfsense?
Did you mean to type 192.168.1.2 as IP of desktop?
-
Yeah ignore what I wrote for that because the source for NAT outbound only has "any," "This Firewall (self)," and "Network" so I wasn't sure what to put there. If I put 192.168.1.0 then my entire subnet would be redirected to the VPN which is not what I want. I thought of creating a separate subnet but I was hoping I didn't have to because I think that could get messy when changing configurations.
Edit: I'm going to try
Interface: OpenVPN, Source: any, Translation: Desktop () and leaving everything else blank.
Edit 2: Okay but I just thought about it. Even if I added that outbound NAT rule, it wouldn't fix anything because it translates everything from my VPN to my 1 host and then it should go down the list, where it should translate everything else to my ISP WAN IP but it doesn't do that.
-
No - you need to have the ip of the desktop in there with a /32 behind it. And it needs to be top of list.
Interface: VPN, Source: 192.168.1.2/32, Destination: blank, Destination Port: blank
-
Why 32? My entire subnet range is only 192.168.1.1 to 192.168.1.254.
-
OK - here is the thing.
There is actually no need to create firewall rules actually if you are using manual outbound NAT.
You can just do it on manual outbound NAT.
Seems like you have mixed together a couple of how-to docs…
The reason you enter a /32 behind the desktop IP is because a /32 is one IP where as a /24 is 255. 256 if you count 0.
-
Interface: VPN, Source: 192.168.1.2/32, Destination: blank, Destination Port: blank, NAT Address: (my VPN address) NAT Port: blank
I just added that rule and my entire network still defaults to the VPN instead of just my desktop.
-
Can you post a pic of your outbound NAT and a pic of your LAN firewall rule?
-
http://i.imgur.com/pQFlQy0.png
http://i.imgur.com/6UHhYfz.png
How do you post images? I'm a newb at forum stuff.
-
may I see you alias for desktop also please?
-
http://i.imgur.com/F3ZnsdP.png
-
In your outbound NAT, what is that 207 address? Why doesn't that just say WAN?
-
its my WAN IP. It says the actual IP instead of WAN because that is the default setting. If I were to remove it and add it again, it would show up as WAN, not the actual IP in numerical form. The only 3 choices in the translation section are interface IP, host alias and other subnet.
-
I'd make it WAN.
Then I would delete those first two firewall rules you added on the LAN where you modified the gateway.
Then try it.
-
Still the same result.
Why are the firewall rules and NAT outbound rules redundant?
From my understanding:
NAT rules translates my internal IP to an externally registered IP.
Firewall rules dictate what traffic can be allowed into my network.
Aren't those 2 different functions?
