Re: [pfSense] Routing some traffic through OpenVPN

On 2015-Sep-15, at 11:39 PM, Andrej Ferčič [PCklinika] wrote:

> Hello!
>
> I am sure that this issue has already been discussed, but I cannot find any
> archive. So, please give me some directions where to search or any link to a
> thread containing the following:
>
> 1. Is there any routing through IPSec VPN possible? (IPsec is solved in
> kernel as I know)
> 2. How to use OpenVPN to route a specific traffic through VPN? Let me explain
> what I want to solve:

The following may also help -- this is the approach I use (along with some additional routing rules) to enable access of various systems from one site to another both through IPsec VPNs and OpenVPN VPNs ... (though the blog is in reference to pfSense 2.1, we're now on 2.2.2 with the same setup but using Key Exchange v2 and a server-based pinger to keep IPsec connected [this is a known issue, search the list postings]):

http://www.derman.com/blogs/IPSec-VPN-Firewall-Setup#RouteOpenVPNthruIPsec

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Routing some traffic through OpenVPN

I've made a mistake in the first post. Site A is a branch and Site B is the main office with WAN1 and WAN2.

Andrej Ferčič
Sent from a mobile device
and...@pcklinika.si | +386 41 71 60 89
[pfSense] Routing some traffic through OpenVPN

Hello!

I am sure that this issue has already been discussed, but I cannot find any archive. So, please give me some directions where to search or any link to a thread containing the following:

1. Is there any routing through IPSec VPN possible? (IPsec is solved in kernel as I know)
2. How to use OpenVPN to route a specific traffic through VPN? Let me explain what I want to solve:

Site A (branch office) <> IPSec <> Site B (main office)

Site A has two WANs. The first, let's name it WAN1, is for all Internet access; WAN2 is dedicated to some special services and uses private IPs 172.x.x.x/16.

From the main office (Site B) this special service is reachable, but I should reach this WAN2 network from my branch offices too (Site A).

Has anybody any idea how to solve this with the current IPSec VPNs, or by changing to OpenVPN if the first is a no-go?

Thanks,

Andrej
Re: [pfSense] Routing some traffic through OpenVPN

On Wed, Sep 16, 2015 at 1:39 AM, Andrej Ferčič [PCklinika] <and...@pcklinika.si> wrote:

> Hello!
>
> I am sure that this issue has already been discussed, but I cannot find any archive. So, please give me some directions where to search or any link to a thread containing the following:
>
> 1. Is there any routing through IPSec VPN possible? (IPsec is solved in kernel as I know)
> 2. How to use OpenVPN to route a specific traffic through VPN? Let me explain what I want to solve:
>
> Site A (branch office) <> IPSec <> Site B (main office)
>
> Site A has two WANs. The first, let's name it WAN1, is for all Internet access; WAN2 is dedicated to some special services and uses private IPs 172.x.x.x/16.
>
> From the main office (Site B) this special service is reachable, but I should reach this WAN2 network from my branch offices too (Site A).
>
> Has anybody any idea how to solve this with the current IPSec VPNs, or by changing to OpenVPN if the first is a no-go?
>
> Thanks,
>
> Andrej

I would use OpenVPN unless you need IPSec for any specific reason. I have read a few posts to this list where others are having trouble with IPSec VPNs in the current and some past releases (pfsense). These two VPN services are more than adequate to achieve what you would like to do.

The concept is:

Site A has an OpenVPN server setup.
- This server has a rule (definable in the web interface) that says it has access to and therefore can route, and will route, traffic addressed to Site B.

Site B has an OpenVPN client setup that connects to Site A.
- This client has a rule (definable in the web interface) that says that it has access to and therefore can route, and will route, traffic addressed to Site A.

I suggest that both networks use different subnets and that you use the TUN method in OpenVPN. TUN transports layer 3. TAP transports layer 2.

Another choice you have to make is UDP vs TCP. You can get some guidance here:
https://www.bestvpn.com/blog/7359/openvpn-tcp-vs-udp-difference-choose/

If you use UDP, you should make sure to set up a tls-auth key (really for TCP too) as OpenVPN will drop any UDP packets without that authentication method.

Good luck. It is fairly basic but I am sure you will have to play with the configuration on both sides to figure it out. I think pfSense has a wizard that will help you too.

Here is a guide also:
https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site

Web...
Re: [pfSense] Routing some traffic through OpenVPN

Thanks for the reply.

VPN with OpenVPN is not a problem at all. I have problems resolving the route in OpenVPN. If I add an additional interface based on openvpnc, because I will need it later when defining gateways, the VPN stops. There is still an active connection, but ECHO requests do not get a reply anymore.

Here is a guide to set all traffic from Site A over VPN to Site B > Internet
https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1
but I want only my destination 172.29.0.0/16 through the tunnel; everything else should use the local GW.

Regards,

Andrej
Re: [pfSense] Routing some traffic through OpenVPN

On Wed, Sep 16, 2015 at 10:09 AM, Andrej Ferčič [PCklinika] <and...@pcklinika.si> wrote:

> Thanks for the reply.
>
> VPN with OpenVPN is not a problem at all. I have problems resolving the route
> in OpenVPN. If I add an additional interface based on openvpnc, because I will
> need it later when defining gateways, the VPN stops. There is still an active
> connection, but ECHO requests do not get a reply anymore.
>
> Here is a guide to set all traffic from Site A over VPN to Site B > Internet
> https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1
> but I want only my destination 172.29.0.0/16 through the tunnel;
> everything else should use the local GW.
>
> Regards,
>
> Andrej

It sounds like you are setting it up wrong completely and do not understand how it works. Your English is broken and I am having trouble understanding what specifically you are asking.

I would follow that guide, get it working, and go from there.

Web..
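
Added example, not part of any post in this thread and not pfSense-generated output: a pair of plain OpenVPN configurations for the setup discussed above (TUN over UDP with a tls-auth key), in which only 172.29.0.0/16 is routed into the tunnel and every other destination keeps the local default gateway. The host name, file names, tunnel addresses (10.99.0.0) and the near-end LAN (192.168.10.0/24) are assumptions chosen for illustration.

```conf
# ---- far-end.conf: the site that can already reach 172.29.0.0/16 ----
dev tun
proto udp
port 1194
tls-server
ca ca.crt
cert far-end.crt
key far-end.key
dh dh2048.pem
# Shared HMAC key, direction 0 on this side. Packets that do not carry
# a valid HMAC are discarded before any TLS processing takes place.
tls-auth ta.key 0
# Point-to-point tunnel addresses: local, then remote (assumed values).
ifconfig 10.99.0.1 10.99.0.2
# Return path to the near-end LAN (assumed 192.168.10.0/24).
route 192.168.10.0 255.255.255.0
keepalive 10 60

# ---- near-end.conf: the site that needs to reach 172.29.0.0/16 ----
dev tun
proto udp
# Hypothetical host name of the far-end firewall.
remote vpn.example.net 1194
tls-client
ca ca.crt
cert near-end.crt
key near-end.key
# Refuse a peer whose certificate is not marked for server use.
remote-cert-tls server
# Same shared key, opposite direction.
tls-auth ta.key 1
ifconfig 10.99.0.2 10.99.0.1
# The only network sent through the tunnel.
route 172.29.0.0 255.255.0.0
# Deliberately no "redirect-gateway": the default route stays on the
# local WAN, so Internet traffic never enters the tunnel.
keepalive 10 60
```

Hosts on 172.29.0.0/16 also need a route back to the near-end LAN, or the far end has to NAT tunnel traffic onto that network; without one of the two, requests arrive but replies never return.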