OPNsense Forum

English Forums => Virtual private networks => Topic started by: budspencer on November 01, 2021, 04:40:11 am

Title: Connect to OpenVPN via two firewalls behind another
Post by: budspencer on November 01, 2021, 04:40:11 am
I have a pfSense Firewall as a first line of defense with 3 NIC ports:
- P0: WAN
- P1: DMZ Switch
- P2: Crossover Cable to a second firewall F2. This is the only way this firewall should reach FW2. The two share a subnet solely for the link.

The second firewall is an OPNsense with very similar configuration:
- P0: WAN (actually disabled, only enabled as management fallback (dedicated host))
- P1: Crossover cable coming from FW1
- P2: Plugged to internal lan switch

My original idea was to filter all traffic coming from the internet through FW1:
- OpenVPN should be forwarded to FW2
- Everything else that is allowed should go to the DMZ

OpenVPN itself works when connected to FW2 via WAN. As mentioned, this is not what I intended. Instead I'm trying to connect the VPN client to the public IP of FW1. But in that case I'm getting SSl erors like:

Authenticate/Decrypt packet error: bad packet ID (may be a replay)(..)

I've tried a few things already, like enabling NAT reflection in pfSense. I have two questions here:

1) Is it actually doable? Is it possible to forward OpenVPN to an internal IP of a second FW2, without doing the SSL handshake at FW1?

2) From a security standpoint I preferred the idea of having a first line of defense. Though that was more like an idea. How relevant is it from a security standpoint? Is exposing VPN via the second FW2 considered to be equally safe?

3) What alternative would you suggest to this setup, where the internal network should have some "more than default" be secured? (I know that question sounds vague. I'm looking for opinions and ideas).
Title: Re: Connect to OpenVPN via two firewalls behind another
Post by: crissi on November 27, 2021, 12:12:57 pm
i would also be interested in this topic. Did you get the configuration to work?