Routing single computer to vpn network
-
Hi!
I have a remote access OpenVPN server running on pfSense that is virtualised on my server with a locked IP on the LAN side, to another router 192.168.3.1. What I want to do is push one of my local clients to the VPN clients (192.168.3.201).
The PC I want to route is virtualised on the same server as pfSense.
The thing I want to find most on the pushed client is Emby or Plex.
How do I do this? I have tried routing but can't manage to get it to work.
-
So I assume pfSense isn't the default gateway for the VM hosts you want to access. If it isn't, you either have to NAT the VPN traffic to the LAN address using outbound NAT on pfSense, or you have to add static routes to all the hosts you want to reach over VPN.
-
So you're trying to use pfSense as just an OpenVPN server with only 1 interface? That is not the default gateway for your devices?
That is not how I would suggest anyone do it, that is for sure..
Why do you not just use pfSense as your WAN router/firewall, which is really what it's designed to be and so much easier to use when used that way as well?
-
I know that this is not the best way to go, but I'm here to make something work and will probably remake it once I have better knowledge. But the thing I want to do now is this.
- I have two NICs in the VM; pfSense has its own incoming connection as external.
- My VM (the one I want to push) is on a separate incoming connection.
- My VM has the default gateway from the other router.
- pfSense's internal network is the same as my other router's network but with a static IP.
The question is: how do I make it so the OpenVPN users find the PC 192.168.3.201?
I hope you understand :)
-
So I assume pfSense isn't the default gateway for the VM hosts you want to access. If it isn't, you either have to NAT the VPN traffic to the LAN address using outbound NAT on pfSense, or you have to add static routes to all the hosts you want to reach over VPN.
I think you have the solution for my problem but I can't seem to make it work. How do I add the static routes?
-
How do I add the static routes?
That depends on the specific operating system.
So if you feed Google with "<your OS> add static route", you will get a how-to like:
https://technet.microsoft.com/en-us/library/cc757323%28v=ws.10%29.aspx
http://www.cyberciti.biz/faq/ubuntu-linux-add-static-routing/
-
I use Windows Server 2012 R2. So you mean that I need to set up a static route from the PC to pfSense and not from my other router to pfSense? I do not need to push some IP in the OpenVPN server?
-
I do not need to push some IP in the OpenVPN server?
You have to enter your LAN subnet 192.168.3.0/24 at "IPv4 Local Network/s" to get this route pushed to the vpn clients.
However, your LAN hosts will not know the way to the VPN client to send back responses. They will be sent to the default gateway, which is your router. For some connections it will also work to add a static route to the router, but that's not stable.
So the best solution is to add a static route to each LAN host to send VPN traffic to pfSense.
If you have just one VPN client or you are not interested in the source address of VPN access, you can also easily get it to work by NATting traffic to the LAN address at pfSense.
-
Sounds like the NAT solution is the way to go then. Is there any guide or "how to" I can use to manage this?
-
In this setup you have an asynchronous routing problem.. This is always going to have complications…
Replace your router with pfSense and all your problems go away. Put it behind your current router if you so wish; you will have a double NAT, but it's much easier to work with that sort of setup than an asynchronous routing issue when you don't even understand how to add a route to your own devices.
-
I agree. However, if he doesn't care about the VPN clients' IPs that access the hosts, NAT is a solution and circumvents asynchronous routing.
So go to Firewall > NAT > Outbound. If it is set to automatic rules configuration, check hybrid and hit the save button.
Add a rule by clicking "+":
Interface: LAN
Protocol: any
Source: <VPN tunnel network>
Destination: any
Translation: Interface address
With this NAT rule you can access any LAN host without special routes, but the source IP seen by the hosts is the pfSense LAN address.
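
The return-path problem discussed in this thread, and the two fixes (a static route on each LAN host, or the outbound NAT rule above), modelled as a small route lookup. This is an added example, not part of the original posts; the pfSense LAN address 192.168.3.2, the tunnel network 10.8.0.0/24 and the client address 10.8.0.6 are assumptions, since the thread does not give them.

```python
import ipaddress as ip

LAN = ip.ip_network("192.168.3.0/24")       # LAN subnet, from the thread
ROUTER = ip.ip_address("192.168.3.1")       # hosts' default gateway, from the thread
PFSENSE_LAN = ip.ip_address("192.168.3.2")  # assumed pfSense LAN address
TUNNEL = ip.ip_network("10.8.0.0/24")       # assumed OpenVPN tunnel network
VPN_CLIENT = ip.ip_address("10.8.0.6")      # assumed VPN client address


def next_hop(dst, routes, default_gw):
    """Longest-prefix match; a gateway of None means the destination is on-link."""
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        return default_gw
    net, gw = max(matches, key=lambda r: r[0].prefixlen)
    return dst if gw is None else gw


def reply_path(static_route=False, outbound_nat=False):
    """Return (source address the LAN host sees, next hop of its reply)."""
    # With the outbound NAT rule pfSense rewrites the source to its LAN address.
    seen_src = PFSENSE_LAN if outbound_nat else VPN_CLIENT
    routes = [(LAN, None)]                    # connected LAN route on the host
    if static_route:
        routes.append((TUNNEL, PFSENSE_LAN))  # host-side static route to the tunnel
    return seen_src, next_hop(seen_src, routes, ROUTER)


def is_symmetric(**kw):
    """True when the reply goes back to pfSense instead of the other router."""
    return reply_path(**kw)[1] == PFSENSE_LAN


if __name__ == "__main__":
    cases = [("no fix", {}),
             ("static route on host", {"static_route": True}),
             ("outbound NAT on pfSense", {"outbound_nat": True})]
    for name, kw in cases:
        src, hop = reply_path(**kw)
        print(f"{name:24} host sees {src}, replies via {hop}, "
              f"symmetric={is_symmetric(**kw)}")
```

In the NAT case the host only ever sees the pfSense LAN address, so host-side logs cannot tell VPN clients apart and per-client attribution has to come from pfSense.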
-
I agree. However, if he doesn't care about the VPN clients' IPs that access the hosts, NAT is a solution and circumvents asynchronous routing.
So go to Firewall > NAT > Outbound. If it is set to automatic rules configuration, check hybrid and hit the save button.
Add a rule by clicking "+":
Interface: LAN
Protocol: any
Source: <VPN tunnel network>
Destination: any
Translation: Interface address
With this NAT rule you can access any LAN host without special routes, but the source IP seen by the hosts is the pfSense LAN address.
Thanks, I will try that. But what you are suggesting is that I use my pfSense as default gateway instead of my other router. Is it better in the sense of restricting separate users to finding individual PCs on my local network?
Like: User A can find say 192.168.3.201 and 192.168.3.202
But user B can only find 192.168.3.201.
In this setup you have an asynchronous routing problem.. This is always going to have complications…
Replace your router with pfSense and all your problems go away. Put it behind your current router if you so wish; you will have a double NAT, but it's much easier to work with that sort of setup than an asynchronous routing issue when you don't even understand how to add a route to your own devices.
I'm here because I'm new to this and am trying to learn. I appreciate advice on how I can best resolve this, and the benefits each solution provides.
Your suggestion is that I use only the pfSense router. What benefits will that give in restricting users from finding my LAN?
-
But what you are suggesting is that I use my pfSense as default gateway instead of my other router.
This is the suggested way, so you have distinct routing and there is no need for NAT to access your hosts from vpn.
Is it better in the sense of restricting separate users to finding individual PCs on my local network?
Like: User A can find say 192.168.3.201 and 192.168.3.202
But user B can only find 192.168.3.201.
You can control VPN access at pfSense anyway.
But the disadvantage of NAT is that you're not able to determine the VPN client at the destination hosts, because the access comes from pfSense's LAN address.
-
Thanks! Works like a charm. I did the NAT solution but will maybe do the other one later on.