Netgate Discussion Forum

    Remote Access SSL TLS with same IP address in client sides

    Category: OpenVPN (16 posts, 2 posters, 2.3k views)
    • mitm2010

      Hello,

      Is it possible to configure Remote Access SSL/TLS (clients pfSense-01 and pfSense-02 to server pfSense-03) with the same IP addresses on the client sides?

      In my situation I want client-01 to access win-server-01 on the pfSense server side and client-02 to access win-server-02 on the pfSense server side.

      Server side:

      Pfsense-03: LAN IP address: 172.20.20.1
      win-server-01: 172.20.20.10
      win-server-02: 172.20.20.11

      Client side:
      Pfsense-01: 192.168.1.1
      win-client-01: 192.168.1.10

      Pfsense-02: 192.168.1.1
      win-client-02: 192.168.1.10

      I tested the config with different addresses and all is good.

      When I test this with the same IP addresses on the client sides, just one tunnel is up and it is used by both clients.

      Any solution for that, dear experts? :)

      Best regards.

      • viragomann

        To get access from clients behind the pfSense VPN client to hosts on the server side, you either need special routes or have to do NAT. I don't know how you have configured it.
        With NAT it should work.

        • mitm2010

          Thank you viragomann for your reply,

          Do I have to NAT 192.168.1.10 for client-02 on pfSense-02 to 192.168.2.0, for example, and add a rule to pfSense-03 to permit access from 192.168.2.0?
          Don't I have to NAT the first client-01?

          Thank you.

          • viragomann

            You have to use Outbound NAT for that and set the interface to OpenVPN and the translation to interface address. This translates the source address to the OpenVPN client's address when traffic goes out the virtual VPN interface.
            So your internal addresses are masqueraded as they are when you access Internet hosts, but with your VPN address.

            • mitm2010

              Please can you tell me if I have to configure the outbound NAT on the server side or the client side? And what kind of NAT do I choose, Automatic outbound NAT rule generation or Hybrid outbound NAT rule generation? I have pfSense version 2.2.5.

              For information I use these networks for my tunnels:
              Server tunnel: 10.1.1.0/24
              Client-01 tunnel: 10.2.2.0/24
              Client-03 tunnel: 10.3.3.0/24

              Can you give me an example?

              Thank you so much for your help.

              ![tunnel networks.png](/public/imported_attachments/1/tunnel networks.png)

              • viragomann

                You cannot configure different tunnel subnets at server and client. Server and client must use the same subnet.
                You may set up 2 VPN servers, each for one client, and run them in peer-to-peer mode, which may be the common way for your goal. But this is more difficult to configure. I don't know if it will also work with just one server.

                The outbound NAT has to be configured on the client side. Select "Hybrid outbound NAT rule generation" and click save. This keeps the automatically generated rule for WAN and lets you add additional manual rules.
                Then add your rule for VPN traffic.

                If you use 2 servers, you have to assign an interface to each and also add an outbound NAT rule for each tunnel on the server side.

                • mitm2010

                  I configured one tunnel (10.1.1.0) for both server and clients.
                  I configured the hybrid outbound NAT for client-01 and client-02 (screenshot).
                  For the OpenVPN rules I authorized all traffic on client-01 and client-02 (screenshot).
                  I see that the NAT rules are not auto-generated!

                  I still have the same problem. Just one tunnel is up (screenshot).

                  ![client-01 and client-02 rules.png](/public/imported_attachments/1/client-01 and client-02 rules.png)
                  NAT-client-01.png
                  NAT-client-02.png
                  ![Server side.png](/public/imported_attachments/1/Server side.png)
                  ![vpn client specific overrides config.png](/public/imported_attachments/1/vpn client specific overrides config.png)
                  ![VPN server config.png](/public/imported_attachments/1/VPN server config.png)

                  • viragomann

                    Now your clients get the identical virtual IP address. So there is presumably something wrong in your setup.

                    What are the route entries in the server's advanced config good for? That's obsolete, so please remove them.
                    For pushing routes to the client, use the "Local Network(s)" field. Just enter 172.20.20.0/24 there. Don't enter the clients' LAN addresses or subnets unless you need access between clients.

                    Also remove the iroute from the client-specific override. For that it's sufficient to enter the hosts or networks in "Remote Network(s)".
                    If the routing works this way, you would not need the outbound NAT rules at the clients.

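The two points viragomann makes above (outbound NAT on each client with the OpenVPN interface and translation to interface address, and that one prefix cannot be routed to two client-specific overrides) can be modelled in a few lines. This is an added example, not code from the thread, from pfSense or from OpenVPN: a deliberately simplified stand-in for the server's internal routing table. The addresses are the thread's (tunnel 10.1.1.0/24, server LAN 172.20.20.0/24, both site LANs 192.168.1.0/24); the per-client tunnel addresses 10.1.1.6 and 10.1.1.10 and the certificate common names pfsense-01 and pfsense-02 are assumptions for illustration.

```python
"""Why two OpenVPN sites that share a LAN subnet cannot both be reached by
routing, and why source NAT onto each client's tunnel address works.

Added example; not from the forum thread, pfSense or OpenVPN.  Tunnel
addresses and common names below are assumed for illustration."""
from ipaddress import ip_address, ip_network

SERVER_LAN = ip_network("172.20.20.0/24")
SITE_LAN = ip_network("192.168.1.0/24")            # identical at both sites
TUNNEL_IP = {"pfsense-01": "10.1.1.6", "pfsense-02": "10.1.1.10"}  # assumed


class OpenVPNServer:
    """Stand-in for the server's internal routing table.

    A packet to a client's own tunnel address is always deliverable; a
    packet to a LAN behind a client needs an iroute, which pfSense adds
    from the 'Remote Network(s)' field of a client-specific override."""

    def __init__(self):
        self.tunnel = {}     # client CN -> tunnel address
        self.iroutes = {}    # ip_network -> CN that owns the prefix

    def connect(self, cn):
        self.tunnel[cn] = ip_address(TUNNEL_IP[cn])

    def add_iroute(self, cn, subnet):
        net = ip_network(subnet)
        owner = self.iroutes.get(net)
        if owner is not None and owner != cn:
            # One prefix maps to exactly one client; a second claimant
            # cannot be routed to, however the real daemon reports it.
            raise ValueError(f"{net} is already routed to {owner}")
        self.iroutes[net] = cn

    def next_hop_client(self, dst):
        """Client that receives a packet the server sends to dst."""
        dst = ip_address(dst)
        for cn, addr in self.tunnel.items():
            if dst == addr:
                return cn
        for net, cn in self.iroutes.items():
            if dst in net:
                return cn
        return None


def outbound_nat(src, cn):
    """pfSense outbound NAT on the client: interface OpenVPN, source = LAN,
    translation = interface address.  Site hosts leave the tunnel with the
    client's own tunnel address as source; other traffic is untouched."""
    return str(TUNNEL_IP[cn]) if ip_address(src) in SITE_LAN else src


def reply_receiver(server, client_cn, src_ip, use_nat):
    """Send one packet from src_ip (behind client_cn) to the server LAN and
    report which client the server's reply is delivered to."""
    src = outbound_nat(src_ip, client_cn) if use_nat else src_ip
    return server.next_hop_client(src)


def routing_only():
    """The thread's first attempt: both overrides claim 192.168.1.0/24."""
    server = OpenVPNServer()
    server.connect("pfsense-01")
    server.connect("pfsense-02")
    server.add_iroute("pfsense-01", "192.168.1.0/24")
    try:
        server.add_iroute("pfsense-02", "192.168.1.0/24")
    except ValueError as err:
        conflict = str(err)
    else:
        conflict = None
    # A reply meant for win-client-02 (192.168.1.10 behind pfsense-02) is
    # delivered to whichever client won the prefix, i.e. pfsense-01.
    return conflict, reply_receiver(server, "pfsense-02", "192.168.1.10", False)


def nat_on_clients():
    """viragomann's fix: no iroutes, each site masquerades behind its tunnel IP."""
    server = OpenVPNServer()
    server.connect("pfsense-01")
    server.connect("pfsense-02")
    r1 = reply_receiver(server, "pfsense-01", "192.168.1.10", True)
    r2 = reply_receiver(server, "pfsense-02", "192.168.1.10", True)
    return r1, r2


if __name__ == "__main__":
    print(routing_only())
    print(nat_on_clients())
```

The NAT variant is one-directional by construction, which is the point of the comparison with Internet masquerading: connections must originate at the sites, and hosts on 172.20.20.0/24 only ever see 10.1.1.6 or 10.1.1.10 as peers. If both sites also have to be reachable from the server LAN, the prefixes themselves have to differ, either by renumbering one site or by translating it to a distinct range such as the 192.168.2.0 the original poster asked about, after which the iroute approach works again.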
                    • mitm2010

                      Thank you so much,

                      When I remove the route and push route commands, the VPN tunnel is up for just one (screenshot). And there is no communication between client-01 or client-02 (Windows machines) and the servers (on the server side). And no auto-generated NAT rules.

                      I don't know what's wrong in the config :(

                      ![OpenVPN status.png](/public/imported_attachments/1/OpenVPN status.png)
                      ClientOverridesConfig.png

                      • viragomann

                        Do you use the same certificate for both clients?

                        • mitm2010

                          No, I use different certificates. But the same CA for both.

                          • viragomann

                            The same CA is obvious. You create a CA, then you create a server cert and user certs for the clients using this CA. The client certs have to be exported from the server and imported at the client. I think you have done it this way.

                            But now you try to route the 192.168.1.0/24 subnet to both clients (client-specific overrides). That's not possible.

                            Also there must be something wrong in your server settings. Please post the "Client Settings" area.

                            • mitm2010

                              The CA and certificate export was previously done when I used the different IP addresses :)

                              I attached the client settings on the client-01 side (pfSense-01).

                              Best regards.

                              ![client settings.png](/public/imported_attachments/1/client settings.png)

                              • viragomann

                                Please post the server config, at least the section "Client Settings". There must be something wrong there.

                                • mitm2010

                                  I didn't configure the client settings on the server side. On the server side, I just configured the Server and Client Specific Overrides settings.

                                  • viragomann

                                    On the server configuration tab there is a section called "Client Settings".

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.