Help with Virtual IP and OpenVPN?



  • I've been tossing this around in my head for a little while, but I'm unsure what to do.

    I have a /28 at the office that is used for a mail server, a secure file transfer appliance, a web server, etc.  I'd like to add a dedicated Virtual IP for OpenVPN connections that use port 443 (we already have a separate OpenVPN instance on the main IP address).  This VPN would be for our road warriors in order to get around outbound port blocking we've seen at hotels/airports/open WiFi portals.

    Normally, I add an IP Alias type VirtualIP, 1:1 NAT it to a server, and add whatever WAN Rules I need, and I'm done.  Since this OpenVPN server will be running on pfSense itself, I don't think I want to 1:1 NAT the router.  :)

    What is the best and cleanest way to go about this?



  • I suggest using Localhost as the interface for the VPN server, because that way you can assign access from NAT/port forward to any interface and port you want (including Virtual IPs).
    This way you can use multiple external ports that will go to the same server, so you can also filter IP access if needed.
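    The arrangement suggested here (OpenVPN listening on loopback, a port forward from a Virtual IP to that listener), written out as an added example. This is not configuration from the thread or from pfSense's generated files; the interface name em0, the VIP 203.0.113.18, the localhost port 43434, the tunnel subnet and the key paths are all hypothetical, and the pf rules are the hand-written equivalent of what the NAT/port-forward page produces.

```conf
## Server side: added example, not from the thread. All names, addresses and ports are hypothetical.

# --- OpenVPN server instance bound to loopback only ---
# (what the pfSense OpenVPN "Interface: Localhost" choice amounts to, shown as a plain config)
dev tun
proto tcp-server
local 127.0.0.1          # listen on loopback only, never directly on the WAN address
port 43434               # any free localhost port; the public port is chosen by the port forward
server 10.8.1.0 255.255.255.0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0
persist-key
persist-tun
keepalive 10 60

# --- pf rules (pf.conf syntax) that expose the listener on the Virtual IP ---
# 203.0.113.18 is an IP Alias VIP on WAN (em0); road warriors connect to 203.0.113.18:443 TCP
rdr on em0 proto tcp from any to 203.0.113.18 port 443 -> 127.0.0.1 port 43434
# The filter rule matches the translated destination: pf applies rdr before filtering,
# so the pass rule must name 127.0.0.1:43434, not the VIP and port 443
pass in quick on em0 proto tcp from any to 127.0.0.1 port 43434 flags S/SA keep state
```

    After applying the equivalent GUI settings, `sockstat -4l | grep 43434` on the firewall should show openvpn bound to 127.0.0.1 only, and `pfctl -sn` should list the rdr rule for the VIP; if the pass rule was written against the VIP and port 443 instead of the translated address, the forward will silently drop the SYNs.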



  • @n3by:

    I suggest using Localhost as the interface for the VPN server, because that way you can assign access from NAT/port forward to any interface and port you want (including Virtual IPs).
    This way you can use multiple external ports that will go to the same server, so you can also filter IP access if needed.

    443 is already taken for forwarding on localhost, and I can't relocate that service (it's deployed in the wild to too many people to easily change).  That's why I need to do this with a VirtualIP.



  • And because you are running the VPN server on 127.0.0.1 / any listening port you want (TCP), it is no problem to come in on WAN on 443 TCP (on any Virtual IP) and forward it to 127.0.0.1 / listening port (set in NAT).

    This is how I configured my server, and depending on the country/users' IP I also come in on other ports (443, 4343, 43434…) that are forwarded to the same server on 127.0.0.1/43434 TCP.
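    The client side of the multi-port setup described in this reply, as an added example that is not from the thread: one profile that walks through several public ports, all of which the firewall forwards to the same loopback listener. The hostname vpn.example.com, the ports and the file names are hypothetical.

```conf
## Road-warrior client profile: added example, not from the thread. Hostname and ports are hypothetical.
client
dev tun
proto tcp-client
nobind
persist-key
persist-tun
resolv-retry infinite

# Several remotes are tried in order; each public port is forwarded to the same 127.0.0.1:43434 listener,
# so whichever port the hotel or airport network lets out will reach the server
remote vpn.example.com 443
remote vpn.example.com 4343
remote vpn.example.com 43434

# Abandon a blocked port after 10 s instead of the 120 s default so fallback to the next remote is quick
connect-timeout 10
# Pause 5 s between attempts while cycling through the list
connect-retry 5

# Refuse to talk to anything that is not a server certificate from our CA
remote-cert-tls server
tls-auth ta.key 1
ca ca.crt
cert client.crt
key client.key
```

    OpenVPN moves to the next `remote` line only when a connection attempt fails or times out, so the `connect-timeout` value is what keeps a filtered port from stalling the client for two minutes; `remote-random` could be added to spread clients across the ports, but an ordered list keeps 443 as the first choice where outbound filtering is expected.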

