PFSense OpenVPN IP masking

bluevs · April 30, 2020, 3:01pm

Hi

Is there any way in PFSense to mask the IP of someone connecting (in my case it’s me only anyway) and mask the ip as comming from a different range?

I have some device on the internal LAN with only accept communication from the same IP range. Means, when connecting to OpenVPN, I get into range 30.30.30.xx and the devices in question are on my internal IP range wich is 192.168.xx.xx.

Are there any rules or router I could set?

Greetings

neogrid · April 30, 2020, 3:09pm

Sounds like the 30.30.30.xx IP range is from your OpenVPN tunnel network, just change it to something on 192.168.xxx.xxx not already used, that might work.

bluevs · April 30, 2020, 3:24pm

Hi neogrid

That is correct, 30.xx is the VPN Tunnel Network and the prefered setup. Unfortunately the devices have to be on the exact same range. That means I would have to specify the same network for the vpn tunnel as the internal network.

Let’s say the device in question is on 192.168.1.10, then I would have to be on 192.168.1.x to make it work and specify 192.168.1.0/24 as tunnel network.

When specifing the same IP range as internal like you suggest it work, but i am not sure if there will be weird issues or behaviour in certain situations, since I will have IP duplication. For example I get 192.168.1.2 (since i’m the only one on the tunnel entwork) and that IP adress could already be taken.

My understanding of networking unfortunately is too limited to estimate the impact in certain situations.

neogrid · April 30, 2020, 3:29pm

You need to have rules to direct the traffic between the tunnel network and your lan. It works for me over vlans so I’ll assume it’s basically the same for physical lans. Just think of your OpenVPN server as being on another network, then go from there.

bluevs · May 6, 2020, 4:17pm

Didn’t find a solution for my specific problem, however the workaround ist to define the VPN tunnel network in the IP same range as the devices having this limitations are in. In the above example it would be 192.168.1.0/24. However you will get duplicated IP adresses, but somehow it works.

But I’m sure there could be some weird network problems or behaviours in certain situations. At least I know where to search first in case I would encounter any of those. Reserving some range in the local DHCP server could be a workaround for this.

As an addition to your answer:
The rules had been set and the IP ranges knew eachother, however my goal was to mask the origin of the VPN device to appear in the same network.

neogrid · May 6, 2020, 5:45pm

Well I can say that I have 192.168.230.0/24 defined as my tunnel network, it comes in to 192.168.20.0/24 for my ISP vLAN. This is only possible because I have a rule on OpenVPN Server that allows it to see the 192.168.20.0/24 network. Without that rule it would only see its own network, I suspect this is occurring in your situation.

Put it another way, if you can set up two vlans and they can see each other then you have the rules correct, mirror those on your OpenVPN server rules.