Remote Access SSL TLS with same IP address in client sides



  • Hello,

    Is it possible to configure Remote Access SSL/TLS (clients (pfsense-01, Pfsense-02) to server (pfsense-03) sites) with the same IP addresses on the client sides?

    In my situation I want client-01 to access win-server-01 on the Pfsense server side and client-02 to access win-server-02 on the Pfsense server side.

    Server side:

    Pfsense-03: LAN IP address: 172.20.20.1
    win-server-01: 172.20.20.10
    win-server-02: 172.20.20.11

    Client side:
    Pfsense-01: 192.168.1.1
    win-client-01: 192.168.1.10

    Pfsense-02: 192.168.1.1
    win-client-02: 192.168.1.10

    I tested the config with different addresses and all is good.

    When I test this with the same IP addresses on the client sides, just one tunnel is up and it is used by both clients.

    Any solution for that dear experts :)

    Best regards.



  • To get access from clients behind the pfSense VPN client to hosts at the server side, you either need special routes or have to do NAT. I don't know how you have configured it.
    With NAT it should work.



  • Thank you viragomann for your reply,

    Do I have to NAT 192.168.1.10 for client-02 in Pfsense-02 to 192.168.2.0, for example, and add a rule to Pfsense-03 to permit access from 192.168.2.0?
    Don't I have to NAT the first client, client-01?

    Thank you.



  • You have to use Outbound NAT for that and set the interface to OpenVPN and the translation to the interface address. This translates the source address to the OpenVPN client's address when traffic goes out of the virtual VPN interface.
    So your internal addresses are masqueraded like they are when you access internet hosts, but with your VPN address.



  • Please can you tell me if I have to configure the outbound NAT on the server side or the client side? And what kind of NAT do I choose, Automatic outbound NAT rule generation or Hybrid outbound NAT rule generation? I have the Pfsense 2.2.5 version.

    For information I use these networks for my tunnels:
    Server tunnel: 10.1.1.0/24
    Client-01 tunnel: 10.2.2.0/24
    Client-03 tunnel: 10.3.3.0/24

    Can you give me an example?

    Thank you so much for your help.

    ![tunnel networks.png](/public/imported_attachments/1/tunnel networks.png)



  • You cannot configure different tunnel subnets at server and client. Server and client must use the same subnet.
    You may set up 2 VPN servers, each for one client, and run them in peer-to-peer mode, which may be the common way for your goal. But this is more difficult to configure. I don't know if it will also work with just one server.

    The outbound NAT has to be configured at the client side. Select "Hybrid outbound NAT rule generation" and click save. This keeps the automatically generated rule for WAN preserved and you can add additional manual rules.
    Then add your rule for VPN traffic.

    If you use 2 servers, you have to assign an interface to each and also add an outbound NAT rule for each tunnel at server side.
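    Putting the two replies above together (outbound NAT at the client side, on the OpenVPN interface, translating to the interface address), the following is an added illustration of what the equivalent pf rules look like on each client-side pfSense box. It is not from this thread or from pfSense's own generated ruleset; the interface name ovpnc1 is an assumption (pfSense names the first OpenVPN client instance ovpnc1), while the LAN, tunnel and server-side subnets are the ones given in the thread.

```pf
# Added example, not taken from the thread or from pfSense's generated rules.
# Manual Hybrid Outbound NAT rule, expressed as pf syntax, for the client-side
# pfSense boxes. "ovpnc1" (first OpenVPN client interface) is an assumption.

# Pfsense-01: LAN 192.168.1.0/24, shared tunnel 10.1.1.0/24.
# Masquerade LAN hosts behind this client's tunnel address when traffic
# leaves through the OpenVPN client interface toward the server-side LAN.
nat on ovpnc1 inet from 192.168.1.0/24 to 172.20.20.0/24 -> (ovpnc1)

# Pfsense-02 has the identical LAN 192.168.1.0/24, so its rule is the same.
# Because its tunnel address differs from Pfsense-01's, win-server-01 and
# win-server-02 see two distinct source addresses (one tunnel IP per client)
# instead of the colliding 192.168.1.10 from both sites.
nat on ovpnc1 inet from 192.168.1.0/24 to 172.20.20.0/24 -> (ovpnc1)

# For context: the automatic WAN rule that Hybrid mode keeps in place.
# The WAN interface name "em0" is likewise an assumption.
# nat on em0 inet from 192.168.1.0/24 to any -> (em0)
```

    With the client LANs hidden behind their tunnel addresses, the server only has to route back to the 10.1.1.0/24 tunnel subnet, which it already knows. This is also why the server must not be told that 192.168.1.0/24 lives behind both clients: two "Remote Network(s)" entries for the same subnet cannot both be routed.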



  • I configured one tunnel (10.1.1.0) for both server and clients.
    I configured the outbound hybrid NAT for client-01 and client-02 (screenshot).
    For OpenVPN rules I authorized all traffic on client-01 and client-02 (screenshot).
    I see that the NAT rules are not auto-generated!!

    I still have the same problem. Just one tunnel is up (screenshot).

    ![client-01 and client-02 rules.png](/public/imported_attachments/1/client-01 and client-02 rules.png)




    ![Server side.png](/public/imported_attachments/1/Server side.png)
    ![vpn client specific overrides config.png](/public/imported_attachments/1/vpn client specific overrides config.png)
    ![VPN server config.png](/public/imported_attachments/1/VPN server config.png)



  • Now, your clients get the identical virtual IP address. So there is presumably something wrong in your setup.

    What are the route entries in the server advanced config good for? That's obsolete, so remove them, please.
    For pushing routes to the client, use the "Local Network(s)" field. Just enter 172.20.20.0/24 there. Don't enter the clients' LAN addresses or subnets if you don't need access between clients.

    Also remove the iroute from client specific override. For that it's sufficient to enter the hosts or networks in "Remote Network(s)".
    If the routing works this way you would not need the outbound NAT rules at clients.



  • Thank you so much,

    When I remove the route and push route commands, the VPN tunnel is up for just one (screenshot). And there is no communication between client-01 or client-02 (Windows machines) and the servers (at the server side). And no auto-generated NAT rules.

    I don't know what's wrong in the config :(

    ![OpenVPN status.png](/public/imported_attachments/1/OpenVPN status.png)



  • Do you use the same certificate for both clients?



  • No I use different certificates. But the same CA for both.



  • The same CA is obvious. You create a CA, then you create a server cert and user certs for the clients using this CA. The client certs have to be exported from the server and imported at the client. I think you have done it this way.

    But now you try to route the 192.168.1.0/24 subnet to both clients (client specific overrides). That's not possible.

    Also there must be something wrong in your server setting. Please post the "Client Settings" area.



  • The CA and certificate exports were previously done when I used the different IP addresses :)

    I attached the client settings on the client-01 side (pfsense-01).

    Best regards.

    ![client settings.png](/public/imported_attachments/1/client settings.png)



  • Please post the server config. At least the section "Client Settings". It must be something wrong there.



  • I didn't configure the client settings on the server side. On the server side, I just configured the Server and Client Specific Overrides settings.



  • On the server configuration tab there is a section called "Client Settings".

