make a couple of open vpn client hosts accesible from open vpn server LAN

Hi everyone, i'm tring to make a couple of open vpn client hosts accesible from open vpn server LAN but i'm missing a rule of course. openVPN Server is running on a pfsense client is running on Mikrotik i'm struggling to set the right rule to reach the bridge interface network of the mikrotik. Anyways i can ping openvpn-out1 ip from pf sense with no issue. I know that's just a couple of info...
W
w33t480d ago
I'm not entirely sure of your network architecture but you may need to setup a static route between the two. So, you're saying LAN, meaning it's all locally routed, right? It doesn't go out over the internet?
L
lepomin480d ago
not directly connected to the internet....basically i think i have to set a rule in pfsense telling that the traffic destinated to that ip must go inside openvpn server and should be redirected to the client and then to the final open vpn client network...hehe i'l draw something with some minus signs and a couple of >< that's better i set a couple of static routes in the client that's the mikrotik
W
w33t480d ago
Yeah, you'll definitely need to draw that out for me lol. It almost sounds like it's being overcomplicated but I'm not entirely sure. You may need to do some level of port forwarding. It's been a minute since I've used a pfSense FW, so I don't remember specifically how to do that but @DirtyJ has one and might be able to help if you can't figure out that specific part. But by default, it's going to reach out over its known port, so if that's getting blocked, the routing may be fine but the port traffic may be getting blocked.
L
lepomin480d ago
what port?
W
w33t480d ago
So, I just saw that diagram and I think you may be over complicating this. What you can do is setup a point to point VPN between your two edge firewalls Lets say you have site A with a private range of 192.168.0.1/24 and site B with a private range of 192.168.1.1/24. Notice how they're different subnets. That's important, as you're gonna have a bad time if you have two identical LANs. Both site A and B will negotiate the site to site connection and maintain the connection. If you're at site A and you try to connect to 192.168.1.5, it'll hit the edge router and it will know "alright, I have a point to point (p2p) connection with a route over that tunnel to reach 192.168.1.5 and it will forward the traffic. With this setup, the individual clients on your LAN don't need the openvpn client because you've got a persistent p2p connection going. Now, that leads me to OpenVPN. If you're able to, I recommend WireGuard. It's faster and just overall better than OpenVPN https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-psk.html This is technically deprecated but you can get the general gist of things If you're not familiar with certificates, you might wanna go the PSK route
L
lepomin480d ago
everything is already setup.. i just cannot ping the lan2 of the diagram from the server of course
W
w33t480d ago
I'd do a pcap and see where it is failing tbh. Probably the best way to narrow it down source: pinging machine's IP service/protocol: ICMP
D
DirtyJ480d ago
Totally wasn't asleep @weet :P Can't think of any other obvious things outside of the example you gave. Pcap should get you headed in the right direction.
L
lepomin480d ago
would you configure a static route in my pfsense in order to forward the packets to openvpn server interface? i still haven't succed in doing that. But for me it's pretty obvious pcs in the lan behind the pfsense have the pfsense as gateway and then they reach the internet through the router.
W
w33t480d ago
I think you'd need to, yeah. I know I need to on FortiGates. I have to make a static route that says "if you're trying to reach x network, go out over this interface".
L
lepomin480d ago
i added psh route "LANipofclient subnetmask" in custom options of my pfsense openvpn server, then i opened whireshark after the installation of npcap and i ping some host on the client network. It seems the client is trying to send back a icmp package
W
w33t480d ago
Ahh, so it's at least reaching it. You need to have the same rules in reverse, basically, so maybe that's where the problem lies? I wish you had some FortiGates, they're so much easier, in my experience And they look cool bigkek
L
lepomin480d ago
it says Destination unreachable (port unreachable)
W
w33t480d ago
You may need to allow the ICMP protocol through in the firewall(s) But also ICMP doesn't run over any ports
L
lepomin480d ago
i see also a packet from the external ip of the client trying to reach the host i used for pinging shouldn't that work inside the tunnel so that i dont't need any other firewall rule? in that case i read network unreachable should i configure any firewall on the client side? I found a nice diagram about openvpn flow
W
w33t479d ago
Probably so, yeah
L
lepomin460d ago
any news? i'm reasy for some serious tests.
W
w33t460d ago
I'm still confused, news on what? And what tests?
L
lepomin460d ago
you should see the entire conversation here am i right?
W
w33t460d ago
Yes, I see it but I'm confused as to what news you're waiting for.
L
lepomin460d ago
i think i'm missing some routes
W
w33t460d ago
I mean sure, probably but it's kind of hard to help here when I can't see your configuration lol. Your routes should basically say "if you're trying to get to this subnet, go over this interface"
L
lepomin460d ago
we must do some tests to troubleshoot the issue... for example: i'm on the private network LAN behind my openvpn server that is on my pfsense... i want to ping from LAN the network my mikrotik is giving to the clients on the other side... i can do the other way instead...without any issue we have to check routing options...because pfsense must know if an host is trying to reach the network of the client on the other side...it should reach it through the openvpn server virtual adapter...