Ssh – How to configure pfsense to allow vpn clients to appear as if they are coming from the PFSense WAN

openvpnpfsensessh

I have a specific host I need to get to via ssh (call it 'work').
I have a static IP at my client location (call it 'client') to enable access to this remote 'work' box.

The people at 'work' then created a firewall rule to allow my 'client', static IP into their network.

This of course means that if I travel, I can NOT get into my 'work' network as I will have a different IP than my static one at my client site.

I have enabled a PFSense 2.2.3 box with OpenVPN (at the client site)

How will I be able to make secure connections routed through my 'client' box (with the static IP) that will allow me to make my secure connection to my 'work' box? (So it will look as if I am coming from the client static IP)

Best Answer

Since you have static IP at 'client'... (which is also the IP of your PFSense I bet?)

Simply set up port forwarding (also called ip masquerading) on your PFSense. Just so you get from the static public socket (public ip and port) of your pfsense to the private socket (LAN ip and port) of the 'client' box.

That way you will be able to connect to 'client' while on the road. Once you can SSH into 'client', you will also be able to SSH into 'work'.

This will also directly work by chaining the connections like this:

ssh -t <client-ip> -p <port-if-not-22> -l <user> ssh <work-ip>

As well you could set up 'client' as a proxy (search man 5 ssh_config for ProxyCommand) in ~/.ssh/config. If the manpage does not suffice, google will.

Related Solutions

Openvpn – pfSense Site-toSite VPN with OpenVPN connects but won’t route traffic

Here's what may be an issue. Imagine you have following network:

address pool: 10.1.1.0/255.255.255.0
router: 10.1.1.1
internal interface on internal vpn server: 10.1.1.2
some external machine that VPNs to network: 10.2.2.2
some internal client machine: 10.1.1.90

When you trying to access SIC from external VPN box, then traffic route goes like this:

10.2.2.2
vpn (internet)
10.1.1.2
10.1.1.90
OK

Seems fine, HOWEVER, in order for traffic to flow, the 10.1.1.90 machine should be able to respond and that means that packets from it must be routable to 10.2.2.2 too. Internal client has obviously ip: 10.1.1.90, mask: 255.255.255.0 and router: 10.1.1.90. Therefore, packets would be routed like this:

10.1.1.90
10.1.1.1 (sine it is router, and 10.2.2.2 is not directly addressable)
internet
NOT FOUND

Basically, reply packets will not even reach VPN. What can you do? Obviously, what will work is to add route to internal client to route all packets to 10.2.2.2 not to VPN box instead of router, such as (Windows box):

route add 10.2.2.0 mask 255.255.255.0 10.1.1.2

this will resolve the problem on single-machine level. Reply packets will go:

10.1.1.90
10.1.1.2 (explicit route)
vpn (internet)
10.2.2.2

To resolve issue on the network level, you must modify router in a same matter to redirect all traffic going to 10.2.2.0 to 10.1.1.2. This way reply packet will go:

10.1.1.90
10.1.1.1
10.1.1.2
vpn (internet)
10.2.2.2

Another solution is: make your VPN box to NAT on 10.1.1.2 interface. This way for internal machines it will look as if all the traffic originates from 10.1.1.2, and replies will go to 10.1.1.2. I would advise to go through routing though, since NAT will require additional resources on VPN box for connection tracker

OpenVPN – Fix Local Domain DNS Resolution on pfSense

VPN-connected clients don't register their hostnames. Would have to statically assign them via client overrides and manually add to DNS forwarder for them to resolve.

Best Answer

Related Solutions

Openvpn – pfSense Site-toSite VPN with OpenVPN connects but won’t route traffic

OpenVPN – Fix Local Domain DNS Resolution on pfSense

Related Topic