next »

[pat]

hi,
i have a problem configuring openvpn to secure my wlan. i have pfsense rc3 installed on a soekris 4801. i also installed a wlan pci mini adapter so the soekris is acting as an access point.
i want to secure the wlan using openvpn this time, because before switching to pfsense i secured it using ipsec and thought openvpn would save me some time. but my guess was wrong
i have 1 wan connection with a static ip, one lan (192.168.23.0/24), and the wlan (10.0.23.0/24) interface.
i have setup dhcp on the wlan interface. i also setup rules on the wlan interface to allow only the dhcp requests and the communication with the openvpn server.
what i want to do should be not that hard. i want that the wlan clients recieve an address via dhcp, and the must connect using openvpn. ALL the traffic should go through the tunnel.
dhcp works, and the connection to the openvpn server also. i am able to ping the pfsense box via the tunnel (but only the openvpn address), but thats it. i tried using push "redirect-gateway local def1", etc but that didn't change anything. i cannot reach any host in the wlan subnet nor any that is behind the wan interface, but i am able to ping hosts inside the lan. any ideas what i did wrong?
kind regards,
patrick

[hoba]

RC3 is no longer supported. Please reflash with 1.0-RELEASE.

[pat]

RC3 is no longer supported. Please reflash with 1.0-RELEASE.

oh i am sorry. must have forgotten the 1. this is the actual release i have installed:  1.0-RC3

[pat]

RC3 is no longer supported. Please reflash with 1.0-RELEASE.

oh i am sorry. must have forgotten the 1. this is the actual release i have installed:  1.0-RC3

sorry again. im reflashing right now.

[pat]

RC3 is no longer supported. Please reflash with 1.0-RELEASE.

Ok i did reflash it. But it didn't change anything except there are no rules for tun0 anymore in pf.

[hoba]

Did you follow http://forum.pfsense.org/index.php/topic,2228.msg14399.html#msg14399 ?

[pat]

yes i did.

[dairaen]

please show me "netstat -r" on a roadwarrior and a LAN server.

did you change the gateway of your LAN servers so that they use
pfsense?

[pat]

please show me "netstat -r" on a roadwarrior and a LAN server.

did you change the gateway of your LAN servers so that they use
pfsense?

ok, this is netstat on the pfsense box :
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            XXX.XX.XXX.XX     UGS         0     4524   sis1
10.0.23/24         link#4             UC          0        0   ath0
10.0.23.148        00:18:de:02:88:d3  UHLW        1       95   ath0   1191
10.0.23.151        00:07:ba:a3:78:52  UHLW        1     1605   ath0    296
10.0.24/24         10.0.24.2          UGS         0        0   tun0
10.0.24.2          10.0.24.1          UH          1        0   tun0
127.0.0.1          127.0.0.1          UH          0       46    lo0
XXX.XX.XXX/24      link#2             UC          0        0   sis1
192.168.23         link#1             UC          0        0   sis0
192.168.23.1       00:0d:87:18:89:fd  UHLW        1      180   sis0    616
192.168.23.146     00:16:d3:25:8a:f9  UHLW        1    13237   sis0    752


this is from the roadwarrior :
snitch[~]-> netstat -nr
Kernel IP Routentabelle
Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
10.0.24.1       10.0.24.5       255.255.255.255 UGH       0 0          0 tun0
10.0.24.5       0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.0.23.0       0.0.0.0         255.255.255.0   U         0 0          0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         10.0.24.5       128.0.0.0       UG        0 0          0 tun0
128.0.0.0       10.0.24.5       128.0.0.0       UG        0 0          0 tun0
0.0.0.0         10.0.23.254     0.0.0.0         UG        0 0          0 eth1

[dairaen]

...but i am able to ping hosts inside the lan.

hmm... just that i get you right, you are able to ping the LAN servers
inside your "office" after you connected the tunnel? If thats the case
everything worked as supposed, there's no ovpn problem then i suppose.

i cannot reach any host in the wlan subnet nor any that is behind the wan interface

What do you mean, are there any servers behind your pfsense WAN that
you want to be able to reach as road warrior? Can you ping these hosts from
you LAN?

Please show your network setup from LAN to ISP and where these servers
are you want to reach if not inside your office LAN, at the moment i am unsure
what exactly your problem is.

[pat]

ok i will try to clarify the situation. sorry if that was a  bit messed up.

Code:

                         
           LAN           -------------            WAN
   -------------------  | pfsense box |  ----------------------
                         _____________
                         
                            |   |
                            |   |
                    WLAN    |   | (OpenVPN Tunnel)
                            |   |
                            |   |
                           
                        WLAN Client
                       

i want to secure my wlan not only by using wpa/wep, instead i want to use openvpn. the vpn tunnel should be established between the wlan client and the pfsense box. i assign addresses via dhcp on the lan and wlan interface. now the problem is that i want that all the traffic should go through the tunnel. if i establish the tunnel i can ping both endpoints and the lan address of the pf box and a host inside the lan. but i cannot reach the interface address of the wlan interface, and as a result of this i cannot resolve names for example. also i cannot ping hosts in the internet.

[dairaen]

hmm... i have no experience with wireless access points, but i think what you
are trying to do will not work with ovpn. You want to connect to pfsense
over your wireless connection and using ovpn, so you will be given
access to your LAN. If you want to reach the internet now, i think the
only way will be to "remote desktop" or ssh to an internal box in your
LAN and connect from there on.

But i am not sure with that, i have no wlan to test this, maybe someone
else can.

[tdickson]

If I'm understanding what you want....

On your WLAN... only create a rule to allow the OVPN connection.
Then you'll push DNS,WINS, and GATEWAY via OVPN
also add a push route to your LAN, if you want a connection there.