Following this tutorial (https://youtu.be/7rQ-Tgt3L18), I was able to get a Remote Access VPN which works perfectly as it is in the tutorial in the sense that VPN Clients can communicate with Internal Lan Devices.
Now, what I am interested is to know if there is a way to set up a Remote Access with OpenVPN in pfsense which is capable of handling 2-way communication.
For example, I will take a scenario based on the topology which can be found on the beginning of the video.
Info
Debian: Server on the Internal LAN
Windows10: VPN Client
Internal LAN Network: 192.168.40.0/24
Tunnel Network: 192.168.70.0/24
Debian should be able to initiate traffic to your VPN Clients, in this case, all the clients with the IP addresses belonging to the tunnel network.
Is there a way that we could set up a Remote Access VPN that could pass all the traffic originating from our LAN to reach VPN Client’s tunnel network and vice versa without having to set up a Site to Ste VPN.
I am not sure I understand the question, but here is the answer i think you are looking for. once a client has connected to the remote access vpn anyone sitting on your local network can interact with them assuming you don’t have a firewall rule preventing it. so if the Debian server wanted to open a connection with the windows 10 machine for any reason it could initiate the session with no issues
Yes, that is exactly what I am trying to achieve. I didn’t implement any kind of rule in Pfsense firewall that would deny connections initiated by machines sitting in the local LAN.
I found this link: https://openvpn.net/vpn-server-resources/reach-openvpn-clients-directly-from-a-private-network/ that explains what I trying to do, but according to them I need to change from NAT to ROUTING.
" To enable two-way traffic using routing, go to VPN Settings , Should VPN clients have access to private subnets , and set the option to yes, using routing (advanced) instead. Leave the check mark in the Allow access from these private subnets to all VPN client IP addresses and subnets checkbox"
Do you know how we could implement this in pfsense ?
I guess im not sure what option you would need to set, communication to the clients works out of the box as far as i know, i connected my phone to the vpn and was able to ping its assigned vpn address from my desktop. here are my setting i have blurred some ip settings but you should have your own.
Sorry for the late reply, you were right that it should have worked out of the box if the LAN devices would have the IP address of the Pfsense as a GATEWAY
Because I configured the DHCP Server on a Cisco ASA, LAN devices were getting the ASA’s IP address as a gateway.
As soon as I changed the gateway everything was running as desired.
Thank you very much for your insight. I guess troubleshooting is the most important thing hahaha
