NethServer Version: 7.9.2009
I am trying to describe my problem. But first I would like to point out our architecture: we use a fixed IP, PFsense as NAT (DNS runs at NETH), port forwarding to the NETH server with port 1194. The NETH server provides the VPN as OpenVPN RoadWarrior. I can connect immediately via VPN. However, I can only ping the DNS server, but no other destinations in the network.
We use the following IPs:
192.168.1.51 as DNS server (NETH)
192.168.1.80 runs as PFsense (network gateway)
192.168.2.0/24 for the VPN
→ 192.168.2.2 is the active IP for the remote PC
I can now send ping commands to 192.168.1.51 and 192.168.2.2, which are answered immediately. The name resolution for all PCs also works without any problems.
These are my roadwarrior settings:
As a new user I'm only allowed to upload one picture. Do you need more information?
What do I have to change to connect all my network addresses and access the file server?
Not to discourage you from exploring NethServer or its software, but why not use the built-in VPN functionality of your PFsense firewall?
Your issue is easy enough: OpenVPN uses a so-called VPN network. This is often in the 10.x.x.x range. In your case it's the 192.168.2.x network; this is the "VPN network".
You can reach your NethServer on your LAN, but no other host.
Today's OpenVPN, and also other VPNs, use routed networks, not bridging. (Bridging reduces the number of IPs available, besides other issues like security: which is really LAN, which is WAN?)
Your connection attempt, or ping, lands at another LAN host. This host tries to answer, but your default router is your PFsense, and it does not know about the OpenVPN network 10.x.x.x, and routes this traffic back to the Internet, not to your NethServer, the correct VPN "gateway".
Your provider, as any Internet host, discards any internal IPs from 192.168.x.x, 172.16.x.x-172.31.255.255, 10.x.x.x, as per the RFCs, the "rules" of TCP/IP.
→ No connection possible, due to wrong return path…
Your PFsense (I’m myself an OPNsense user) needs a route pointing to the LAN Interface of your NethServer for OpenVPN to work.
→ Problem solved!
As this IS an English-based forum, please use the option in NethServer Cockpit (top right, three dots) to switch the language to English for a screenshot; this way more people can help!
As you can see from my profile, I am myself a German speaker: Greetings from the Lake Constance area!
My 2 cents
Thanks for your answer. I think that will help me to solve my problem:
But to be honest, I don’t know exactly what to set. I know it has nothing to do with NETH, but maybe you have a concrete suggestion for me, since PFSense and OPNSense are similar.
Do you have a hint?
OPNsense has, compared to PFsense, quite different menu structures, even though OPNsense is a fork of PFsense, which itself is a fork of m0n0wall. The creator of m0n0wall suggests using the open-source OPNsense. PFsense, although "Open Source" is all over their page, does not provide the complete source - the code will NOT compile! BLOBS included!
Here is a screenshot of my home OPNsense in English:
In OPNsense, gateways are a separate entry; you would need to create an entry for your NethServer as gateway to the 192.168.2.0/24 network first.
Then you can create the “Route”, as shown.
A route needs two pieces of information: the IP of the gateway, reachable from your LAN (the LAN IP of your NethServer), and the network it is being routed to (target network): 192.168.2.0/24 (in your case).
A subnet mask can be written as 255.255.255.0 - or, more modern, simply as /24.
Sometimes it just depends on what the programmer wrote; one of the two will work!
Hope this all helps.
My 2 cents
I think that all systems should have the default gateway set to the NethServer IP address.
… or have a proper routing table configured if otherwise.
However, this is not an issue due to NethServer/VPN.
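The return-path argument made in the replies above (a LAN host's answer follows its default route to PFsense, which without a route for the VPN subnet sends it to the WAN where RFC 1918 destinations are discarded), the static-route fix, and the alternative of making NethServer the LAN hosts' default gateway, traced in a small routing simulation. This is an added example, not code from the thread or from NethServer; the routing tables and the LAN host address 192.168.1.20 are constructed assumptions.

```python
import ipaddress

# Constructed routing tables modelling the thread's setup (assumed, not from the post):
# each entry is (destination prefix, next hop); "direct" = on-link, "wan" = out to the ISP.
LAN_HOST = [("192.168.1.0/24", "direct"), ("0.0.0.0/0", "192.168.1.80")]
NETHSERVER = [("192.168.1.0/24", "direct"), ("192.168.2.0/24", "direct"),
              ("0.0.0.0/0", "192.168.1.80")]
PFSENSE_BROKEN = [("192.168.1.0/24", "direct"), ("0.0.0.0/0", "wan")]
# The fix from the thread: a static route for the VPN subnet via NethServer's LAN IP.
PFSENSE_FIXED = PFSENSE_BROKEN + [("192.168.2.0/24", "192.168.1.51")]
# Alternative from the thread: LAN hosts use NethServer itself as default gateway.
LAN_HOST_VIA_NETH = [("192.168.1.0/24", "direct"), ("0.0.0.0/0", "192.168.1.51")]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def trace_reply(pfsense_table, lan_host_table=LAN_HOST, dst="192.168.2.2", max_hops=5):
    """Follow a LAN host's reply toward the VPN client; return the list of hops."""
    tables = {"lan-host": lan_host_table, "192.168.1.80": pfsense_table,
              "192.168.1.51": NETHSERVER}
    hop, path = "lan-host", []
    for _ in range(max_hops):
        table = tables.get(hop)
        if table is None:                # next hop is not a router we model
            return path + ["unreachable"]
        nexthop = lookup(table, dst)
        if nexthop == "direct":          # delivered on-link by this hop
            return path + [dst]
        if nexthop == "wan":             # left the site: the ISP discards RFC 1918 targets
            private = any(ipaddress.ip_address(dst) in n for n in RFC1918)
            return path + ["wan", "dropped" if private else "internet"]
        path.append(nexthop)
        hop = nexthop
    return path + ["loop"]


if __name__ == "__main__":
    print("no route on PFsense:", trace_reply(PFSENSE_BROKEN))
    print("static route added:", trace_reply(PFSENSE_FIXED))
    print("NethServer as LAN gateway:", trace_reply(PFSENSE_BROKEN, LAN_HOST_VIA_NETH))
```

With the static route the reply still passes through PFsense before reaching NethServer, which is why the gateway entry must point at NethServer's LAN IP and not at the VPN address.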
You did read here that NethServer is only a server, not a firewall, but does OpenVPN. The firewall is PFsense.
In your vision, all PCs would ONLY have Internet if a Squid Proxy is running on NethServer. And they are configured to use that Proxy…
My 2 cents