Kitz Forum

Computers & Hardware => Networking => Topic started by: Ronski on March 25, 2021, 11:00:55 AM

Title: pfSense and OpenVPN
Post by: Ronski on March 25, 2021, 11:00:55 AM
So I've been banging my head against the pfSense wall again  :wall:

I've updated my server recently, on the old server I had a VPN running, so I could access the network, and my brother could. My need was simply to know I had a secure connection when away on my phone or Android tablet and I've been using OpenVPN for that on my pfSense box. My brother's was that he would use my server as an off-site backup - I have a NAS at his house for the same reason.

So as I have pfSense and OpenVPN I thought I'd just add him to that and he could then VPN in and access the server, but I'd forgotten that OpenVPN dumps you on a different network range - really what is the point of that?? Surely the main reasons for connecting back to a home network via VPN are A) you can use a connection you trust, and B) to access items on the network. A works fine, B is an epic fail.

So after much Googling I discover that OpenVPN is set up to use TUN, and I need to set it up to use TAP. After following this guide here (https://forum.netgate.com/topic/42698/how-to-openvpn-tap-bridging-with-lan) and the one linked to in that guide I get precisely nowhere, well over two hours wasted.

I also discover that the rather smart looking and easy to use OpenVPN Connect windows app doesn't support TAP (neither does the Android App), you have to use some horrible piece of software that is truly awful on Windows, the community edition, which seems to randomly close the window when you're trying to read the countless error messages highlighted in red. It would also automatically load the config stored in the user directory and crash every time I opened it until I deleted that config. Eventually it seemed to connect, but never got an IP address. A truly awful experience.

Rant over  :(

So is it possible to use Open VPN in TUN mode, but bridge my LAN 192.168.0.x to Open VPN's range which is 10.0.1.x?  That way I can still use the official OpenVPN android app, and we could use the Open VPN Connect app on Windows?

My server has two network sockets, I connected the second and gave it an IP of 10.0.1.254, wasn't sure what to set the gateway to and I got warnings, so left it blank, but it wasn't accessible from the laptop connected via the VPN.

Could I setup two OpenVPN servers on pfSense one for Android access via TUN, and another using TAP, presuming I can get it working?

Alternatively I could just buy a Draytek router, and get rid of pfSense, it really is too complicated for me, guides get outdated quickly, and there's just too much information out there, much of it is outdated, so it's difficult to find what I need.
Title: Re: pfSense and OpenVPN
Post by: kitzuser87430 on March 25, 2021, 10:12:04 PM
I think you can use the "Alternate Configuration" on the network properties, I seem to remember doing it that way with VPNing into my server.

Ian
Title: Re: pfSense and OpenVPN
Post by: Ronski on March 25, 2021, 10:27:42 PM
Hi Ian, thanks for the reply, but Googling suggests that's just if DHCP fails, then Windows will use the alternate IP address.
Title: Re: pfSense and OpenVPN
Post by: kitzuser87430 on March 25, 2021, 10:38:44 PM
What does it say on that window, something about more than one network?

Run Ipconfig before and after entering details on the alternate config window.

Ian
Title: Re: pfSense and OpenVPN
Post by: Ronski on March 25, 2021, 10:48:00 PM
There's no mention of the IP address I set up in the alternate settings when I run Ipconfig. Where it mentions more than one network, I think that relates to two physically different networks, like one at work and one at home, not two concurrent networks.
Title: Re: pfSense and OpenVPN
Post by: Alex Atkin UK on March 26, 2021, 09:42:54 AM
If I'm recalling correctly, you just need to configure the firewall rules so that the router will NAT between the networks.

For example my VPN Server on my Zen WAN interface is configured as so:
(https://csdprojects.co.uk/forums/pfSense-VPNServer.png)

The only catch being your LAN and the other person's LAN need to be a different subnet or the traffic won't go over the VPN to begin with, but as you have a second network socket you could easily just set up a second LAN on pfSense to deal with that.

If you can't do that, you should be able to port forward from the VPN IP to the server in question, so that the remote LAN is invisible entirely to the client.
Title: Re: pfSense and OpenVPN
Post by: Ronski on March 26, 2021, 04:22:59 PM
Thanks Alex, can you elaborate a bit more please? I'd like the simplest method, and not being quite sure what I'm doing I risk breaking something, or inadvertently leaving my network insecure.

The Open VPN server mode is: Remote Access (SSL/TLS + User Auth)

Open VPN gives connected clients an address in the range 192.168.4.x

My network is on 192.168.0.x

My brothers network is on 192.168.1.x
Title: Re: pfSense and OpenVPN
Post by: Alex Atkin UK on March 26, 2021, 06:19:18 PM
Have you gotten to the point where you can at least connect to the OpenVPN server on pfSense?

Some key points just in case you missed something:

Once the server is configured (I can't remember how to do that off the top of my head but the guides cover that) you need to add a rule on the Firewall WAN tab to allow traffic in.  Action Pass, IPv4 UDP (I assume you configured OpenVPN as UDP as it's recommended), Source Any, Destination WAN address, port range OpenVPN for both from and to.

After configuring OpenVPN you need to add an interface for ovpns0 (or whatever its number is) in Interfaces -> Assignments, before you can actually add firewall rules to allow traffic to pass.  You only need to tick Enable Interface and give it a name you will recognise in description, as this is how it shows up on the Firewall page for the next step.  Then Save followed by Apply Changes.

You're not going to leave it insecure as only a client with the right key can connect.  The rest of the configuration is done on the VPN server's firewall tab, nothing you do there should hurt security as it only applies to a client that has already successfully connected to the VPN.

On the firewall tab for the interface you created for the server you add a Pass rule for Interface (already set to the VPN as we're on that tab), address family IPv4, Protocol Any, Source Any, Destination LAN.  Save and Apply Changes.
Title: Re: pfSense and OpenVPN
Post by: Ronski on March 27, 2021, 09:01:30 AM
Thank you Alex, yes I have the Open VPN server up and running. I've had it set up for a long time now, and just used it on my phone or tablet when we were away from home and want a secure trusted connection.

I've added my brother as a user, and using a Windows laptop tethered to my mobile with Open VPN Connect on the laptop I can get a connection, so the laptop's public IP is my home's IP and of course Open VPN shows it's connected.

Only thing I need to do now is enable access to my server, which is the bit causing the issue.

What you've said makes sense, so I'll give it a try over the weekend.

One thing I've noticed is the users I've set up for Open VPN can log in to the pfSense interface, but nothing is actually displayed. In the user settings, there is a vague check box setting that just says User cannot log in. One guide I read suggests this setting should stop the user from logging into the pfSense user interface, but when checked that user can't connect on Open VPN. Not sure if this is a bug, or it applies to everything.

Title: Re: pfSense and OpenVPN
Post by: Chrysalis on March 27, 2021, 02:27:18 PM
I am confused, but if I understand right your issue is you don't like that OpenVPN is using a 2nd subnet?  That isn't compulsory but I think it's a good idea.  It shouldn't break things being connected to two different LAN subnets at once, but you might need to tinker with firewall rules and gateway policies.
Title: Re: pfSense and OpenVPN
Post by: Ronski on March 27, 2021, 04:40:23 PM
Hi Chrysalis, yes that is correct, I don't like OpenVPN being on its own subnet, part of the reason I use a VPN to my home network is so that I can access stuff on it.
Title: Re: pfSense and OpenVPN
Post by: Ronski on March 27, 2021, 05:50:22 PM
So, it's sort of working.

I've created the interface, and the only option that is filled in is the enable interface and the description.

I've created a firewall rule as per below, surely under states shouldn't be 0/0B if it's been passing traffic??

(https://i.postimg.cc/sxQFwMcF/Open-VPN-Firewall-Rule.jpg) (https://postimg.cc/wRpbBTZF)

Now from the Laptop which is tethered to my phone on 4G I can connect with Open VPN.
I can ping pfSense
I can use remote desktop to connect to the server
I can't ping the server
I can't see the server in the network on file explorer
I can't access the server entering its name either such as \\Server\ in file explorer

Open VPN reports its IP address as 192.168.4.3
Windows reports its IP as 192.168.43.94 with DNS server of 192.168.43.1, IPconfig matches this, which is weird.

In Open VPN I specified  pfSense as DNS server - I couldn't access the internet on the laptop until I did this
Title: Re: pfSense and OpenVPN
Post by: Alex Atkin UK on March 27, 2021, 06:39:21 PM
That is weird.  Did you generate your Windows config using the pfSense OpenVPN Client Export package?

In my OpenVPN Server configuration I have:

IPv4 Tunnel Network: 10.10.0.0/24

In Windows for ipconfig I get:

Code:
Unknown adapter OpenVPN TAP-Windows6:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::656d:c52b:6c8c:f551%22
   IPv4 Address. . . . . . . . . . . : 10.10.0.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Code:
tracert Server.lan

Tracing route to Server.lan [192.168.1.253]
over a maximum of 30 hops:

  1    69 ms    68 ms    68 ms  10.10.0.1
  2    66 ms    59 ms    59 ms  Server.lan [192.168.1.253]

Code:
ping 192.168.1.253

Pinging 192.168.1.253 with 32 bytes of data:
Reply from 192.168.1.253: bytes=32 time=74ms TTL=63
Reply from 192.168.1.253: bytes=32 time=70ms TTL=63
Reply from 192.168.1.253: bytes=32 time=77ms TTL=63
Reply from 192.168.1.253: bytes=32 time=60ms TTL=63

Ping statistics for 192.168.1.253:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 60ms, Maximum = 77ms, Average = 70ms

pfSense Diagnostics -> States:
Code:
VPNS_PLUSNET icmp 10.10.0.2:1 -> 192.168.1.253:1 0:0 2 / 2 120 B / 120 B
Title: Re: pfSense and OpenVPN
Post by: Ronski on March 28, 2021, 12:19:07 AM
Quote
That is weird.  Did you generate your Windows config using the pfSense OpenVPN Client Export package?

Yes, I used client export - Most Clients

Quote
In my OpenVPN Server configuration I have:

IPv4 Tunnel Network: 10.10.0.0/24

Mine is set to IPv4 Tunnel Network: 192.168.4.0/24

Prior to adding the interface and network rule I'm sure the laptop was getting the correct IP address, and OpenVPN shows my private IP as 192.168.4.2, but Ipconfig still reports 192.168.43.94 (See below - note 1)

It turns out the 192.168.43.x is the range used by the hotspot on the phone, so even after connecting the VPN the laptop is not getting its IP address from OpenVPN but retains the one issued by the phone's hotspot.

If I trace route to pfSense IP of 192.168.0.1 it is one hop.

If I trace route to the server's IP I get one hop to 192.168.4.1 then after that it times out.

Code:
tracert Server.lan

Tracing route to Server.lan [192.168.1.253]
over a maximum of 30 hops:

  1    69 ms    68 ms    68 ms  10.10.0.1
  2    66 ms    59 ms    59 ms  Server.lan [192.168.1.253]

Note 1. Just noticed in IPconfig, it has Unknown local area connection, and that is set to the correct IP of 192.168.4.2, I've been looking at the wifi adapter  :-[

So it seems it is getting the correct IP, but we must still have some routing issues. Odd how I can RDP into the server, but can't ping or trace route to it (See below - note 2).

I've noticed the following in the OpenVPN logs, although that presumably won't affect routing.

Code:
Mar 27 23:10:39 openvpn 10215 92.40.175.118:51329 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Mar 27 23:10:39 openvpn 10215 92.40.175.118:51329 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'

Note 2. Just realised the firewall on the server will be blocking the different IP range! Turning off the firewall allows both ping and tracert to work. Can't quite figure out the rule I need to add for this - I'll work that out tomorrow.
Title: Re: pfSense and OpenVPN
Post by: Alex Atkin UK on March 28, 2021, 11:43:27 AM
Quote
Note 2. Just realised the firewall on the server will be blocking the different IP range! Turning off the firewall allows both ping, and trace cert to work. Can't quite figure out the rule I need to add for this - I'll work that out tomorrow.

I don't think it should be, that's what the rule we added was for to allow incoming NAT from any IP and protocol on the VPN to the LAN.

Do you have Redirect IPv4 Gateway set on the OpenVPN server?
Title: Re: pfSense and OpenVPN
Post by: Ronski on March 28, 2021, 11:50:51 AM
Quote
I don't think it should be, that's what the rule we added was for to allow incoming NAT from any IP and protocol on the VPN to the LAN.

That's the Windows server I'm referring to - if I turn off the Windows firewall tracert and ping work fine, I tried adding a firewall rule to permit all from 192.168.4.1 to 192.168.4.3 but that didn't work.

Quote
Do you have Redirect IPv4 Gateway set on the OpenVPN server?

Yes I do, is that correct?
Title: Re: pfSense and OpenVPN
Post by: Alex Atkin UK on March 28, 2021, 02:31:29 PM
Yes that sounds right.  I always keep the Windows firewall off if I can as honestly I think it's awful.  It's particularly problematic when minor network changes can seem to suddenly trigger Windows to change your network from Private back to Public, causing the firewall to kick in.
Title: Re: pfSense and OpenVPN
Post by: Ronski on March 28, 2021, 03:05:08 PM
I'm pretty sure my brother will know how to set it up - he has a site to site VPN with two Draytek modems either end, he did mention he had to configure something on the Windows firewall.

Yes it can be a pain, and when it changes to public it always seems a pain to find the option to change it back.

Thanks for your help.
Title: Re: pfSense and OpenVPN
Post by: Ronski on March 29, 2021, 08:11:18 PM
Spoke to my brother this evening, and he had exactly the same issue when he set up his Draytek site to site VPN, as each end is on a different subnet.

Turns out he'd actually sent me the info when he did his.

This is an extract of what he sent me:

Quote
I can remote desktop to my Win10Pro PC from the other end using its local IP address but not its machine name unless I add that to "C:\Windows\System32\drivers\etc\hosts".

Windows FW only allows traffic to/from the local subnet, yet the 2 routers HAVE to be on different subnets.  I do not want to turn FW off.  If I add the remote subnet 192.168.1.0/24 to the scope of “File and Printer Sharing (Echo Request - ICMPv4-In)” FW rule, I can ping it but still no access via Windows Explorer.

I found this https://www.npcglib.org/~stathis/blog/2013/02/18/windows-task-sharing-files-across-different-subnets/ which advocates adding the remote subnet to just the FW rule “File and Printer Sharing (SMB-In)”. It seems to work.

I also found this: https://www.experts-exchange.com/articles/17507/Windows-Firewall-Settings-for-Inter-Subnet-Peer-to-Peer-Networks-File-Sharing.html which advocates changing FW rules for:
File and Printer Sharing (LLMNR-UDP-In)
File and Printer Sharing (NB-Datagram-In)
File and Printer Sharing (NB-Name-In)
File and Printer Sharing (NB-Session-In)
File and Printer Sharing (SMB-In)

On my server I simply had to add the IPs to “File and Printer Sharing (SMB-In)” and “File and Printer Sharing (Echo Request - ICMPv4-In)”, the latter enables ping and trace route. I also added the server name and IP address to the Hosts file, that then allowed me to navigate to the server in file explorer as it didn't appear on the network - often the case with Windows!

I guess the second lot is only required if we wanted to share printers, which we don't.
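The fix Ronski describes above (adding the VPN tunnel range to the scope of just the SMB-In and ICMPv4 Echo Request rules, rather than switching the Windows firewall off) can be done from an elevated PowerShell prompt. This is an added example, not code from the thread; it assumes the thread's tunnel network 192.168.4.0/24 and the built-in rule display names, and it leaves the rules restricted to the Private profile so they stay inactive if Windows flips the adapter back to Public.

```powershell
# Added example (not from the thread): widen the remote-address scope of
# the two Windows "File and Printer Sharing" inbound rules so OpenVPN
# clients on the tunnel network can reach SMB and answer ping/tracert.
# Assumption: tunnel network 192.168.4.0/24 as in the thread. Run elevated.

$VpnTunnelNet = '192.168.4.0/24'

# Only the two rules Ronski found necessary; the NB-*/LLMNR rules are
# left untouched because printer/NetBIOS discovery is not needed.
$RuleNames = @(
    'File and Printer Sharing (SMB-In)',
    'File and Printer Sharing (Echo Request - ICMPv4-In)'
)

foreach ($name in $RuleNames) {
    # Keep it to the Private profile: if the adapter flips to Public the
    # rule does not apply, which is the safer failure mode.
    $rules = Get-NetFirewallRule -DisplayName $name -ErrorAction Stop |
             Where-Object { "$($_.Profile)" -match 'Private|Any' }

    foreach ($rule in $rules) {
        $filter  = $rule | Get-NetFirewallAddressFilter
        $current = @($filter.RemoteAddress)

        if ($current -contains $VpnTunnelNet) {
            Write-Host "$($rule.DisplayName): already scoped to $VpnTunnelNet"
            continue
        }

        # Preserve the existing scope (normally LocalSubnet) and append
        # only the tunnel range instead of opening the rule to Any.
        $newScope = $current + $VpnTunnelNet
        $filter | Set-NetFirewallAddressFilter -RemoteAddress $newScope
        $rule   | Enable-NetFirewallRule
        Write-Host "$($rule.DisplayName): remote scope now $($newScope -join ', ')"
    }
}

# Verify the resulting scope and profile of each rule.
Get-NetFirewallRule -DisplayName $RuleNames | ForEach-Object {
    $f = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Profile       = $_.Profile
        RemoteAddress = ($f.RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize
```

The verification table at the end should show LocalSubnet plus 192.168.4.0/24 for both rules; if RemoteAddress shows Any, the rule was already wider than intended and is worth narrowing.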
Title: Re: pfSense and OpenVPN
Post by: Chrysalis on April 04, 2021, 11:50:27 PM
Did you set the 2nd subnet to private or public profile in windows network settings?
Title: Re: pfSense and OpenVPN
Post by: Ronski on April 05, 2021, 12:16:50 AM
It's set to private, all working now, thanks.
Title: Re: pfSense and OpenVPN
Post by: Chrysalis on April 05, 2021, 01:10:19 AM
No worries. :) Just be careful and make sure its secure both ends as it will have same firewall permissions as a local network.
Title: Re: pfSense and OpenVPN
Post by: Ronski on April 05, 2021, 09:14:08 AM
My brother's pretty paranoid about security, and he'll only connect when he needs to, and this way is more secure than the Windows VPN we used previously.