Question PFSense VPN Client Router?

Oct 26, 2020
3
0
10
0
I am a Cloud Admin major at Full Sail University. PFSense is absolutely bonkers haha. In fact, we haven't gone over it yet at all. I hope in the future that we do, but as of right now. I am completely stumped. This UI is so complicated IMO.

I want to make it so that as long as an End Device has the VPN router set as the gateway it'll go through the encrypted VPN, and any other device that is set as the main gateway i.e. 192.168.1.1 will go through to my ISP without VPN encryption.

Let me start off with the basics of my network.

Arris Modem DOCSIS 4 Full Duplex > Unifi USG-3P > Unifi US-8-60W > Main Workstation Rig, Unifi AP Pro, and a Reolink security camera.

I use PrivateVPN:

This is different than an S2S because I use a VPN service as an IP mask and to get around Geo Restriction. I do not have access to PrivateVPN's Server settings.

My Workstation:

i7 8700k

16 gigs RAM

GTX980

Asus Strix z370-e (only one NIC)



At first, I started with Ubuntu Server VPN set up:

Hyper-V

Single NIC Host

Running Windows 10 Pro Host OS

vSwitch to NAT

Ubuntu Server:

Address: 192.168.1.14/24

Gateway: 192.168.1.1

DNS: 192.168.1.1

Installed OpenVPN

Connected to PrivateVPN tun0

added these rules:

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

sudo iptables -A FORWARD -o tun0 -i eth0 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT

sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

sudo iptables -A POSTROUTING -t nat -j MASQUERADE

sudo iptables-save | sudo tee /etc/iptables.sav

And it worked for like a day, but something caused it to time out and even when I reverted to a checkpoint when it was working it didn't help. By working I mean: any end device set up to go through the VPN would connect, visit google, download files, etc. And when I went to check my IP it was through the VPN. Ran some DNS Leak tests etc. Worked great! By Broken I mean: 24 hours later, End Devices stop being able to ping google, and can't access the web. When I ping google on the VM I get temporary resolve errors. When I connect to the VPN after a restart, it can ping google, but the end devices still have no access to the internet through the VPN VM. This caused the Sys Admin in me to go like: "Okay, I can't have this be so unreliable. I need something that will work 24/7"

I have an Ubuntu media sharing server on the same subnet as my host rig as well as another Ubuntu Server VM running my UNIFI Controller all sharing one NIC those work flawlessly.



What I would like:

PFsense Access to VPN through WAN so: PFSENSE > VPN > WAN.

End Device Settings:

GATEWAY: PFSENSE IP ADDR

IP ADDR: STATIC IP/24 SAME SUBNET AS OTHER DEVICES

END DEVICE = Connected to VPN



End Device Settings:

GATEWAY: DEFAULT ROUTER ADDR

IP ADDR: DHCP IP/24 SAME SUBNET AS OTHER DEVICES

END DEVICE = Connected to Unencrypted web.



Is there any way I could accomplish this with PFsense that'll be more reliable than the literal 24 hours that Ubuntu server worked?

Any input is greatly appreciated. Thank you.






WAN and LAN settings



WAN: 192.168.1.14
LAN: 192.168.2.1

UNIFI NETWORK CONTROLLER SEES IT



both pfsense wan and lan


I still can't ping 192.168.2.1 No matter which gateway I use!

What am I missing?
 
Holy cow--you can get degrees for the stuff I already know?!? But no job for me because I have no paper degree. :rolleyes:

What you're trying to set up is known as a 'full tunnel' where all traffic goes through the vpn and not a 'split tunnel' which is how it is set up now. Usually your edge router would be setting this up so not sure how having it behind the ubiquiti stuff will interfere, and that may even be the issue. Search for 'pfsense vpn full tunnel' and that should lead you in the right direction.
 
Oct 26, 2020
3
0
10
0
Holy cow--you can get degrees for the stuff I already know?!? But no job for me because I have no paper degree. :rolleyes:

What you're trying to set up is known as a 'full tunnel' where all traffic goes through the vpn and not a 'split tunnel' which is how it is set up now. Usually your edge router would be setting this up so not sure how having it behind the ubiquiti stuff will interfere, and that may even be the issue. Search for 'pfsense vpn full tunnel' and that should lead you in the right direction.
I know a lot of stuff too, I'm only going to school for the degree.

I'm still lost. Full Tunnel VPN didn't really help because I still, for whatever reason can't get the router to accept any end devices on 192.168.2.1 and I still can't ping it.

https://privatevpn.com/support/getting-started/routers/pfsense/openvpn I'm following these instructions btw
 
Oct 26, 2020
3
0
10
0
You don't know as much as you think if you're still not understanding the concept of a full tunnel. Read up on that first and then try it, posting here if you need help with the implementation.
I understand the concept... It's PFsense's confusing AF ui that I don't get! xD
 
I don't think you're getting it because you still think there's a problem. Unless you make it a full tunnel, you won't be able to ping like you want.

And every single router out there can be confusing--that's the whole point. Different designers with different approaches to the same problem. Being able to learn another platform is part of the job. I can work on smb routers all day, and diving into watchguards took some time. Now I've got a fortigate that I'm trying to master. I'm sure a Palo Alto or Juniper will be just as foreign. And if you can't adapt to the continuous (and frankly ridiculous) rate of change, you won't make it.
 

failboat

Distinguished
I would recommend the tag/tagged setup. you can tag packets then set the tagged floating rule to make the gateway the vpn. make sure the gateway is configured as always up and no load balancing rules if you want traffic to always go to that gateway.

It looks like you configured the WAN interface of pfsense and the VPN inferface as the same ip. you will need to change one of them.

for the ubuntu server you need to do a few steps.

iptables- assuming policy is forwarding
  1. upon boot set FW to block fowarding, add rule to the rc.local file
  2. up VPN- remove the fowarding rule blocking it and masq
  3. down VPN - set rule to block forwarding
openvpn conf
make sure its using a file for creds
ping-exit so the vpn goes down and blocks forwarding (if you connect using a domain this is useful as the server needs internet access to connect but you may not want to forward while you're not on the vpn)

systemd
make sure your service will be brought back up
RestartSec=360s
Restart=always
 
Last edited:
Reactions: SamirD

ASK THE COMMUNITY