Communicate with an OpenVPN Client from behind the LAN
-
If I have an OpenVPN client connecting to my pfSense OpenVPN server. They're able to talk to the LAN on the ports/IPs that I allow. Can I also setup a communication in reverse (have the LAN client talk back to the OpenVPN client)?
-
Should be pretty much automatic if the rules on LAN (and the client) allow the traffic.
-
So I need an allow to OpenVPN rule on my LAN and use an OpenVPN address (the one from the server pool) when connecting to an OpenVPN client?
-
I'm connected right now. From my LAN I can ping my client connected to the remote access server. There is probably a way to use client-specific settings to set static IPs if necessary.
All you need to do on LAN is be sure traffic from LAN net to the OpenVPN tunnel network (or specific host or whatever) is allowed. The default pass any rule would suffice.
-
Is there a way to setup static IPs to OpenVPN clients and add those IPs to the DNS Forwarder?
-
Don't see why not but it would probably be a two-step process. I don't think there's a hook from OpenVPN into dnsmasq.
-
My tunnel network is 172.29.64.0/24. I just added this to my client-specific override and it worked fine:
ifconfig-push 172.29.64.100 255.255.255.0;
-
How does the OpenVPN Server know which client should get which IP address?
-
The common name in the certificate used to connect references the common name in a client-specific override which contains the ifconfig-push command.
-
Completely missed that tab. Thanks! I do have two more quests:
- Is it possible to see when a client connects and what clients are currently connected?
- If I want to take away a client's access, do I just remove their cert or is there something else I need to do?
-
Completely missed that tab. Thanks! I do have two more quests:
- Is it possible to see when a client connects and what clients are currently connected?
Status->OpenVPN?
There's also a dashboard widget I think.
- If I want to take away a client's access, do I just remove their cert or is there something else I need to do?
Without requiring a username and password (which you could temporarily disable or change) I'm pretty sure you're limited to revoking the cert and using a CRL. System->Cert Manager Certificate Revocation. You'll want to be sure OpenVPN is properly honoring the CRL by thoroughly testing.
-
So my server is 10.10.0.0/24 and I've added the following line to the client override: ifconfig-push 10.10.0.10 255.255.255.0;
But I'm getting the following error: ifconfig addresses are not in the same /30 subnet
-
Never mind. Apparently, you need to check the "Allocate only one IP per client (topology subnet), rather than an isolated subnet per client (topology net30)." checkbox in the server for this to work.
-
Or you need to statically assign based on topology net30. I think it's something like ifconfig-push 10.10.0.9 10.10.0.10.
But if topology subnet works it's the preferred mode. net30 is being deprecated I think.
