Proxy server with a twist

  • Hi Everyone

    Hoping someone can give me some advice on a setup for a client of mine.

    My client has a pfsense gateway, that acts as an openvpn client to a system that hosts an app, which LAN users access.

    I need to get 1 user access to this application from outside the network, but I have some restrictions. I am not permitted to create another openvpn tunnel to the user's remote computer because the application provider won't allow it. So I need to get the user to connect to the office network first, then out to the remote server.

    The client has also specified they do not want this user to have VPN access to the network from outside.

    What I have come up with is this:

    1. Application is installed on the user's remote PC
    2. Configure application to use a proxy server host to connect to destination. I would make the proxy server the pfsense box at the office (the application DOES support this)
    3. Once the client is at the pfsense box via proxy, set the traffic from this connection to be routed out over the openvpn link already in use.

    The question is, how would I do this?

    I do not really want to be configuring a proxy host for all other client machines on the LAN. I know squid has a transparent proxy, but I am not sure I really want to implement proxying in the LAN generally, just for this 1 user.

    Can anyone give me any advice on how I can accomplish this goal?

  • LAYER 8 Global Moderator

    Why don't you just let him vpn to pfsense, and only allow him access to the application? Just because the host of the application doesn't want any more vpns. Just vpn into your pfsense and then route the traffic out your tunnel to the application, while firewalling his access to your network behind pfsense.

  • This was my original thinking, but there are two problems.

    1. The client specifically requested that they do not want to allow anyone VPN access to the office from outside
    2. I do not want to route any other traffic through the office other than the specific data for this application.

    I know I have firewalling abilities to prevent much of the issue with number 2, but overall it makes the setup more complicated. The application itself does not make obvious the fact that it is being proxied; in fact the settings are buried in a config file in the program directory, so the user will not need to learn anything new in order to use the app. If I can do what I would like as per above, then the user would not even know that they are connecting through the office gateway.

    The person who needs it is management, but the people who are specifying the requirements are the owners, I need them to be happy with the solution.

    It occurred to me that I might need to install a machine inside the network to perform the job of the proxy, then just route the traffic from that over the VPN, but I thought that might be re-inventing the wheel if I can do it all inside pfsense.

  • Unless I've misunderstood your requirements…

    Rather than create another tunnel into the application, you could use pfsense to create a tunnel out to the remote PC that needs the application access.

    In this mode pfSense would act as an OpenVPN client to access an OpenVPN server running on the remote PC.
    It is another VPN link, but it's a directed one that only accesses the remote PC.

    All the typical firewall capabilities of pfSense then apply and the rest of the network need have no idea that the link even exists.

    I've run pfSense with both clients and server in a few cases where required, it works very well.

    I see what you are saying here, but I should mention that the remote PC is not company-owned equipment either, which means I am not going to have exclusive access to it.

    This is another reason why I was thinking the manual proxy route would be better.

    No one has so far answered my question, does that mean that it is not possible to do what I am thinking or does it just mean that no one has done it before?
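As an added illustration of the original poster's plan (steps 1 to 3 in the first post), and not anything posted in this thread: a minimal squid.conf for a non-transparent proxy on pfSense that admits only the one remote user and only the one application host, so nobody else on the LAN is proxied and the listener on WAN is not an open proxy. Every address and port below is a constructed placeholder, and it assumes the application host's route is already learned over the existing OpenVPN client, as the LAN users' access implies.

```conf
# Constructed example, not the thread's configuration.
# Listen only on the pfSense WAN address (placeholder) on a non-default port.
http_port 203.0.113.1:3128

# The single remote PC allowed to use the proxy (placeholder public IP).
acl remote_user src 198.51.100.23/32
# The application server reached through the OpenVPN client (placeholder).
acl app_host dst 10.200.0.10/32
# The TCP port the application connects to (placeholder).
acl app_port port 8443
acl CONNECT method CONNECT

# Only that user, only that destination, only that port; refuse everything else.
http_access allow remote_user app_host app_port
http_access deny all

# Source upstream connections from the tunnel's local address (placeholder),
# so the application provider sees the same tunnel endpoint the LAN users use.
tcp_outgoing_address 10.8.0.6

# Do not leak the proxy hop or the remote user's address to the provider.
via off
forwarded_for off

# Disable the on-disk cache; this proxy exists only to relay, not to store.
cache deny all
```

The pfSense firewall still needs a WAN rule permitting only the placeholder remote address to TCP port 3128, with the port otherwise blocked; squid's ACL is the second layer, not the first. Because the application host is routed into the tunnel by the existing OpenVPN client route, the proxy's outbound connections follow that route without separate policy routing.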
