OPNsense Forum » English Forums » Virtual private networks
Topic: Connect to OpenVPN via two firewalls behind another (Read 2491 times)
budspencer
Newbie
Posts: 2
Karma: 0
Connect to OpenVPN via two firewalls behind another
« on: November 01, 2021, 04:40:11 am »
I have a pfSense Firewall as a first line of defense with 3 NIC ports:
- P0: WAN
- P1: DMZ Switch
- P2: Crossover cable to a second firewall FW2. This is the only way this firewall should reach FW2. The two share a subnet solely for the link.
The second firewall is an OPNsense with very similar configuration:
- P0: WAN (actually disabled, only enabled as management fallback (dedicated host))
- P1: Crossover cable coming from FW1
- P2: Plugged to internal lan switch
My original idea was to filter all traffic coming from the internet through FW1:
- OpenVPN should be forwarded to FW2
- Everything else that is allowed should go to the DMZ
OpenVPN itself works when connected to FW2 via WAN. As mentioned, this is not what I intended. Instead I'm trying to connect the VPN client to the public IP of FW1. But in that case I'm getting SSL errors like:
Quote: Authenticate/Decrypt packet error: bad packet ID (may be a replay)(..)
I've tried a few things already, like enabling NAT reflection in pfSense. I have two questions here:
1) Is it actually doable? Is it possible to forward OpenVPN to an internal IP of a second FW2, without doing the SSL handshake at FW1?
2) From a security standpoint I preferred the idea of having a first line of defense. Though that was more like an idea. How relevant is it from a security standpoint? Is exposing VPN via the second FW2 considered to be equally safe?
3) What alternative would you suggest to this setup, where the internal network should be secured "more than default"? (I know that question sounds vague. I'm looking for opinions and ideas.)
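An added example of the forwarding the post above describes, not configuration from the post or from pfSense's own documentation: the pf rules FW1 needs to hand OpenVPN traffic to FW2 over the crossover link without terminating anything itself. Everything concrete here is assumed: interface names, the WAN address 203.0.113.10, the link subnet 10.255.0.0/30 with FW1 at .1 and FW2 at .2, and OpenVPN on UDP/1194. On pfSense the equivalent is a Firewall > NAT > Port Forward entry on WAN with its associated pass rule, which generates rules of this shape.

```pf
# FW1 (pfSense / pf) -- added example; interface names and addresses are assumptions
ext_if    = "em0"          # P0: WAN, public IP 203.0.113.10
link_if   = "em2"          # P2: crossover cable to FW2
fw2_link  = "10.255.0.2"   # FW2's address on the link subnet 10.255.0.0/30
ovpn_port = "1194"

# Redirect OpenVPN datagrams arriving on the WAN address to FW2 and allow
# them in the same rule. FW1 only rewrites the destination address; the
# TLS handshake and the data channel are handled entirely by FW2's server.
rdr pass on $ext_if inet proto udp from any to ($ext_if) port $ovpn_port \
    -> $fw2_link port $ovpn_port

# Let the redirected packets leave towards FW2 on the link interface. The
# state entry is what un-NATs FW2's replies on their way back to the client.
pass out quick on $link_if inet proto udp from any to $fw2_link port $ovpn_port keep state
```

Two things on the FW2 side make or break this. First, the OpenVPN server there has to listen on the link address (`local 10.255.0.2` in the server config, or binding to that interface in the OPNsense GUI) rather than only on its WAN. Second, FW2's default route must point at FW1's link address (10.255.0.1): the rdr state lives on FW1, so replies must return through it to be rewritten back to the public address. If FW2 could answer through its own WAN instead, the client would see replies from a different source address and discard them. Because the rule does not apply source NAT, FW2 still sees and logs the real client addresses, which is what you want for a /30 point-to-point link. A `tcpdump -ni em2 udp port 1194` on FW2's link interface, with the client connecting to 203.0.113.10, is the quickest way to confirm packets arrive and that each one arrives exactly once.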
crissi
Full Member
Posts: 172
Karma: 4
Re: Connect to OpenVPN via two firewalls behind another
« Reply #1 on: November 27, 2021, 12:12:57 pm »
Hello,
I would also be interested in this topic. Did you get the configuration to work?
Thx!
Cheers,
Crissi
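Back to the error quoted in the first post. As an added example, not code from the thread or from OpenVPN's source, here is a simplified model of the check that produces "bad packet ID (may be a replay)": OpenVPN's data channel keeps a sliding window over packet IDs (default `--replay-window 64`), and an ID that has already been accepted inside the window, or that falls below the window's lower edge, is rejected with that message. The window size, the `ReplayWindow` and `run_stream` names and the packet-ID streams below are constructed for the demonstration; the point is to show which delivery patterns trigger the message, which is what a capture on both sides of FW1 should be used to rule out.

```python
# Added example (not OpenVPN's implementation): sliding-window anti-replay
# check of the kind OpenVPN applies to data-channel packet IDs. Window size
# and sample streams are constructed for the demonstration.

WINDOW_SIZE = 64  # OpenVPN's default --replay-window n


class ReplayWindow:
    """Sliding-window anti-replay check (RFC 4303 style scheme)."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0      # highest packet ID accepted so far (0 = none yet)
        self.seen = set()     # IDs accepted within [highest - size + 1, highest]

    def check(self, pid):
        """Return True and record pid if it is fresh; False if it is a replay."""
        if pid <= 0:
            return False                      # packet IDs start at 1
        if pid > self.highest:
            # Slide the window forward and forget IDs that fall off its lower edge.
            self.highest = pid
            floor = self.highest - self.size + 1
            self.seen = {p for p in self.seen if p >= floor}
            self.seen.add(pid)
            return True
        if pid <= self.highest - self.size:
            return False                      # older than the window: rejected
        if pid in self.seen:
            return False                      # duplicate delivery: rejected
        self.seen.add(pid)                    # late, but still inside the window
        return True


def run_stream(packet_ids, size=WINDOW_SIZE):
    """Feed packet IDs through one window and return the IDs it rejected."""
    win = ReplayWindow(size)
    return [pid for pid in packet_ids if not win.check(pid)]


if __name__ == "__main__":
    # Constructed streams: in-order, every datagram delivered twice (as when
    # the same packet reaches the server over two paths), reordering inside
    # the window, and a packet far older than the window.
    print("in order:      ", run_stream(range(1, 11)))
    print("delivered twice:", run_stream([1, 1, 2, 2, 3, 3]))
    print("reordered:     ", run_stream([1, 2, 4, 3, 5]))
    late = [i for i in range(1, 101) if i != 80] + [80, 30]
    print("late / too old:", run_stream(late))
```

Reordering inside the window is accepted without complaint, so occasional UDP reordering across the two firewalls is not what produces the message; duplicates and packets that are far behind are. In the setup from the first post that means checking whether each datagram reaches FW2's OpenVPN process exactly once and via one path only.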