Jump to content
  • 0

Question

Posted

Hello All,

I am after some help with my PfSense installation and hope that someone can help me out. What i am trying to do is setup a VPN connection to my home network so that when i am away from home i can access some shares that i have setup on one of my servers.

[b]The PfSense:[/b] 192.168.33.1
[b]The DHCP Range:[/b] 192.168.33.100-200

is there a way that in PfSense i can setup a VPN to allow me to do what i want?

Thanks
Richard

Share this post


Link to post
Share on other sites

37 answers to this question

  • 0

Posted

Yes once your in, you should be able to access anything on your network just like you were there, just a bit slower. You might have to use IP, or fqdn to access - you didn't have netbios enabled.

check out that [url="http://www.thesparklabs.com/viscosity/"]http://www.thesparklabs.com/viscosity/[/url] client - its for mac. I don't think its free though.

You might have to change your lan rules to be able to access stuff? I didn't look at them, I pinged your .250 box see my post with output of that, it answered. So sure you should be able to remote desktop to anything.

You might have to set any host firewalls to allow access from your vpn network that 10.0.200.

Share this post


Link to post
Share on other sites
  • 0

Posted

Budman, am i being totally retarded where do i get the CA from to import into my software?

Share this post


Link to post
Share on other sites
  • 0

Posted

the ca can be exported via the export package, if you grab the archive it will have all the keys you need, and the ca - if you grab the inline it will be imbedded into the .opvn file Or you can download it from your Certificate manager on pfsense - but I would suggest you just grab it with the archive off the export package.

I would have to double check, but I believe the .p12 file in the archive is what your talking about.

edit: I am going to have to refresh my memory on need of the ca key, are you using it for the viscosity client? If you grab the viscisity bundle off the export, I just checked downloading that from mine and it includes ca.crt

edit2: Ok I just grabbed the inline off of mine, and yeah CA is there

<ca>
-----BEGIN CERTIFICATE-----
MIIEQTCCAymgAwIBAgIBADANBgkqhkiG9w0BAQUFADB4MQswCQYDVQQGEwJVUzER
MA8GA1UECBMISWxsaW5vaXMxEzARBgNVBAcTClNjaGF1bWJ1cmcxDTALBgNVBAoT
BGhvbWUxIDAeBgkqhkiG9w0BCQEWEWpvaG5wb3pAZ21haWwuY29tMRAwDgYDVQQD
<snipped>
7QG5X5kQj05axywyl61SO3RDYkphMT3NwKU3tn2irVEo3JrF7pTCgAn1MqdXk4Di
ilERPsVaWREzJRQEl2jFQify+ttvNg6BGhlJDtKu9IxkOanoBUI8VNRXFs7QxSYs
vI2JufYfxGbw7SSAw3r0r8DGjLbVbhaz9/98RcNOvz9yThPAuA==
-----END CERTIFICATE-----
</ca>

edit: Yeah just double checked that .p12 file has all the crts in it, the CA is in there. Which is why you don't see a ca.crt it defaults to using that - I think you can change that setting though.. let me look

edit: ok from quick look from the gui it doesn't look like you can change that setting for openvpn - but that .p12 file has the private key, the local cert and the ca cert in it.

Share this post


Link to post
Share on other sites
  • 0

Posted

YES!

I finally have it working, i have managed to remote into the network from my laptop, i have just attempted to remote into my weather station .250 which also worked.

Need to setup my shares and see if i can get them to work next, might need some help with firewall rules though if you would be so kind.

Share this post


Link to post
Share on other sites
  • 0

Posted

are you running host firewalls on your other devices? if so you would have to allow traffic on the ports you want from the 10.0.200 network. Also I have changed my pfsense lan rule to be any vs lan net. I was having issues doing something, which I don't recall exactly what now with vpn clients, and changing it to any for the lan interface rules fixed it.

[attachment=316161:lanrules.jpg]

See my note and how the lan source is * vs lan net, I don't recall exactly why now though. Something was not working, I would have to set it back to see what doesn't work to refresh my memory. But I do recall changing source for something I was trying to do - which now works, just don't recall what it was ;)

edit: as to shares working over the vpn, yeah work just fine - you might want to allow netbios on your openvpn config. And most likely have to auth, but see I am here at work, and I can access shares off my home workstation

[code]
D:\>net view \\i5-w7
System error 5 has occurred.

Access is denied.

D:\>net use \\i5-w7\ipc$ /u:i5-w7\budman
The password or user name is invalid for \\i5-w7\ipc$.

Enter the password for 'i5-w7\budman' to connect to 'i5-w7':
The command completed successfully.

D:\>net view \\i5-w7
Shared resources at \\i5-w7

Share name Type Used as Comment
-------------------------------------------------------------------------------
Deskjet6500 Print HP Deskjet 6500 Series
test Disk
The command completed successfully.

[/code]

Just had to auth - since my workstation is not using a budman account ;) with same password.

edit: Also what are the details of your weatherstation - I have been thinking of setting one up, curious what yours is and what you do with it, etc. etc..

Share this post


Link to post
Share on other sites
  • 0

Posted

Budman i have attached my firewall rules i cant see any proto IPV4 or IPV6 did you have to add these?

[attachment=316175:firewall.png]

Share this post


Link to post
Share on other sites
  • 0

Posted

Im running ipv6, those that breaks it up.. Se your rule above your block from source 192.168.33.252, that is your lan allow.

I don't see how that block is working though? because 192.168.33.252 falls into your lan net, and would be allowed access before it hits the block. If you want to block that IP from using the internet on tcp, then you need to put that above your lan net rule.

And you really have duplicate rules there, one with lan net as source (which is your 192.168.33.0/24) and then that last rule which is any any. And your rules for 45631 and 21 are also not needed since they would fall under that lan net rule. Unless they were coming from different network than your lan net?

Rules go down in order from top, first rule that hits is one that is applied - be it allowed or blocked. Notice in my lan rules the ones for .41 address - I allow it access only to the websense stuff, then I block its access for anything else! So if say .23 comes it, he goes past all those rules until he hits my allow rule.

Share this post


Link to post
Share on other sites
  • 0

Posted

What about this

[attachment=316177:firewall2.png]

Share this post


Link to post
Share on other sites
  • 0

Posted

Again, not sure why you have 2 rules there

Unless you have something with UDP going on, you let anything out TCP. Then next rule is anything *, so that would include tcp and udp coming from your lan net can go anywhere.

You really only need one rule, not now sure on the details - but like I said for something I was trying to do with vpn, I changed the default rule from lan net to *, which kind of like the rule you have above the lan net rule, only you change proto to TCP only - not sure why?

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='BudMan' timestamp='1343911439' post='595053663']
Again, not sure why you have 2 rules there

Unless you have something with UDP going on, you let anything out TCP. Then next rule is anything *, so that would include tcp and udp coming from your lan net can go anywhere.[/quote]

I have removed this, see my updated post below.

[quote]You really only need one rule, not now sure on the details - but like I said for something I was trying to do with vpn, I changed the default rule from lan net to *, which kind of like the rule you have above the lan net rule, only you change proto to TCP only - not sure why?[/quote]

I know what had happened here, when i was reading your rules table i saw that it said IPV4* i got confused and thought that this was something that it wasn't, it wasn't until later that i found out you were running IPV6 that is why you got them options. I now notice that the IPV4 on my setup is just * as i am not running IPV6.

[attachment=316211:firewall.png]

Share this post


Link to post
Share on other sites
  • 0

Posted

So pretty much your wide open there outbound, if you want to block some of your machines - put them blocked above that rule

So is your openvpn doing everything you want it to do?

Share this post


Link to post
Share on other sites
  • 0

Posted

I have made some changes to the firewall to block some clients between certain times.

OpenVPN seems to be doing everything that i want for the time being, i am sure if i come accross something i will be back to ask :)

Thanks for your help.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.