OPNsense Forum » Archive » 20.1 Legacy Series » VPN Passthrough
Topic: VPN Passthrough (Read 7871 times)
thea1ien
Newbie
Posts: 1
Karma: 0
VPN Passthrough
« on: February 05, 2020, 05:45:06 pm »
Good morning. I just recently set up OPNsense 20.1 as a router for my LAN. I have this running behind my existing router. I have managed to set up all of my Port Forwarding and so far everything appears to be working, except my VPN server. When I attempt to connect to it from the internet, it looks like it is receiving a response, but the connection fails. I know some routers have a VPN passthrough option, but I have been unable to find anything like this in OPNsense.
To help describe my network setup, I have a wireless router that connects to my internet. It has port forwarding and VPN passthrough set to direct to the OPNsense router WAN adapter, which is on one subnet. I also set up port forwarding in OPNsense to direct the VPN ports to my internal network server which provides the VPN server. My internal LAN network is on a different subnet.
I've tried searching for VPN, IPsec, L2TP and PPTP passthrough but have not found anything useful with regard to OPNsense. Does anyone have any suggestions?
Thanks!
Hopmeister
Newbie
Posts: 14
Karma: 1
Re: VPN Passthrough OpenVPN and PPTP
« Reply #1 on: April 04, 2020, 03:06:26 pm »
Hi thea1ien,
I have OpenVPN passthrough and finally PPTP portforward working for my wife's work PC.
PPTP setup is as follows:
system > firmware > plugins - install this >> os-pptp (I rebooted after this)
Then go to:
firewall > NAT > portforward
Then add this:
Interface = WAN
TCP/IP Version = TCP/UDP
Source = (I put the actual IP of the server here)
Source port range = PPTP
Destination = This Firewall
Destination port range = PPTP
Redirect target IP = 192.168.1.1 (my wifi router)
Description = whatever you want to name the VPN
NAT reflection = Enable
Filter rule association = Rule it named itself
Then SAVE and apply your changes.
Then add this:
Interface = WAN
TCP/IP Version = IPv4
Protocol = GRE
Source = single host or network (I put the IP address of the PPTP server here)
Destination = This Firewall
Destination port range = PPTP
Redirect target IP = 192.168.1.1 (my wifi router)
Description = whatever you want to name the VPN
NAT reflection = Enable
Filter rule association = mine named itself
Then SAVE and apply your changes.
Then I rebooted.
On my OpenWRT router set up the port forwarding by going to:
networks > firewall > portforwards
Then edit accordingly:
Name = what you want to call your port forward rule
Protocol = I put TCP & UDP (I know it's not both but I've not changed it from testing yet)
Source zone = WAN
External port = 1723
Destination zone = LAN
Internal IP address = ip of pc
Internal port = 1723
Save, apply. Then do the following (Thanks to WildCatRu on Openwrt forum) >
https://forum.openwrt.org/t/solved-ar71xx-kernel-4-9-pptp-passthrough-not-working-tl-wr942n-v1/11162/15
Message 14/15:
I ssh'd into the wifi router and did this that way - the GUI wasn't working.
Install the packages
opkg update
opkg install kmod-nf-nathelper-extra
Add a line to the file /etc/sysctl.d/local.conf
net.netfilter.nf_conntrack_helper = 1
and reboot router
I'll do the OpenVPN port forwards later on today.
Hope that helps.
I struggled for days on getting this working and it took the IT support team 2 weeks to actually tell me that it was PPTP and not L2TP so I could set up the correct portforwards.
regards,
Hopmeister
Hopmeister
Newbie
Posts: 14
Karma: 1
Re: VPN Passthrough
« Reply #2 on: April 04, 2020, 03:40:26 pm »
I forgot to add I used nano to edit this file:
Add a line to the file /etc/sysctl.d/local.conf
net.netfilter.nf_conntrack_helper = 1
and reboot router
Hopmeister
Newbie
Posts: 14
Karma: 1
Re: VPN Passthrough
« Reply #3 on: April 04, 2020, 05:50:17 pm »
Hi Again,
OpenVPN this time. Go to:
firewall > NAT > port forward
Then add this:
Interface = WAN
TCP/IP Version = IPv4
Protocol = UDP
Source = leave as "advanced"
Destination = This Firewall
Destination port range = 41194
Redirect target IP = 192.168.1.1 (my wifi router)
Redirect target port = other and 41194
Pool options = default
Description = openvpn to wifi router
NAT reflection = Enable
Filter rule association = Rule NAT openvpn (it named itself)
Then SAVE and apply your changes.
The NAT rules made themselves automagically.
Hope that helps,
Hopmeister
Hopmeister
Newbie
Posts: 14
Karma: 1
Re: VPN Passthrough
« Reply #4 on: April 04, 2020, 05:59:37 pm »
1723/TCP for the protocol. Thanks to Wikipedia (https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol), quoted below:
A PPTP tunnel is instantiated by communication to the peer on TCP port 1723. This TCP connection is then used to initiate and manage a GRE tunnel to the same peer.
banym
Sr. Member
Posts: 468
Karma: 31
Free Human Being, FreeBSD, Linux and Mac nerd
Re: VPN Passthrough
« Reply #5 on: April 04, 2020, 10:22:37 pm »
The port forwarding for any VPN should work the same for the correct ports and protocols.
Just my two cents:
* Don't use PPTP if you have alternatives. It is old and broken. You said your wife needs it because of her work. If you have control over what VPN you're using, never ever use PPTP anymore.
* If you have IPsec tunnels behind NAT you will have to check your identifiers. The local identifiers can't be determined correctly behind a NAT router. Then you would have to set them manually to the correct value.
* Some cheap routers can't handle other protocols than TCP/UDP very well. This can lead to problems with ESP and GRE. Some routers only support one GRE or ESP session. That would lead to only one working VPN connection. If you have such a router, throw it where it belongs -> the bin.
Twitter: banym
Mastodon: banym@bsd.network
Blog:
https://www.banym.de
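The thread's distinction between port-based and protocol-based VPN traffic, as an added example that is not part of any post above: it parses constructed IPv4 packets to show why TCP 1723 and the OpenVPN UDP port can be matched by a port forward while GRE and ESP cannot, and why two PPTP sessions only stay separate when the NAT device reads the enhanced-GRE call ID. The addresses, call IDs and the simplified `distinct_sessions` model are assumptions made for illustration.

```python
import socket
import struct

PROTO = {6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}  # IANA IP protocol numbers

def ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet (constructed sample, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def classify(packet):
    """Return the fields a NAT device can match on for this packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    body = packet[(packet[0] & 0x0F) * 4:]
    info = {"proto": PROTO.get(packet[9], str(packet[9])), "src": packet[12:16]}
    if info["proto"] in ("TCP", "UDP") and len(body) >= 4:
        info["dst_port"] = struct.unpack("!H", body[2:4])[0]
    elif info["proto"] == "GRE" and len(body) >= 8:
        flags_ver, ptype = struct.unpack("!HH", body[:4])
        if flags_ver & 0x7 == 1 and ptype == 0x880B:  # enhanced GRE (RFC 2637), as PPTP uses
            info["call_id"] = struct.unpack("!H", body[6:8])[0]
    return info

def rule_needed(info):
    """Name the kind of forward rule this packet needs."""
    if "dst_port" in info:
        return "port forward %s/%d" % (info["proto"], info["dst_port"])
    return "protocol forward %s (no port to match)" % info["proto"]

def distinct_sessions(packets, pptp_helper):
    """Count flows a NAT device can tell apart (simplified model, an assumption)."""
    keys = set()
    for info in map(classify, packets):
        extra = info.get("call_id") if pptp_helper else None
        keys.add((info["src"], info["proto"], info.get("dst_port"), extra))
    return len(keys)

# Constructed traffic: documentation addresses, OpenVPN port taken from the thread.
SERVER, WAN = "198.51.100.10", "203.0.113.5"
PPTP_CTRL = ipv4(6, SERVER, WAN, struct.pack("!HHIIHHHH", 50000, 1723, 0, 0, 0x5002, 0, 0, 0))
OPENVPN = ipv4(17, SERVER, WAN, struct.pack("!HHHH", 50001, 41194, 8, 0))
GRE_A = ipv4(47, SERVER, WAN, struct.pack("!HHHHI", 0x3001, 0x880B, 0, 1, 0))
GRE_B = ipv4(47, SERVER, WAN, struct.pack("!HHHHI", 0x3001, 0x880B, 0, 2, 0))
ESP = ipv4(50, SERVER, WAN, struct.pack("!II", 0x1000, 1))

if __name__ == "__main__":
    for pkt in (PPTP_CTRL, OPENVPN, GRE_A, ESP):
        print(rule_needed(classify(pkt)))
    print(distinct_sessions([GRE_A, GRE_B], False), distinct_sessions([GRE_A, GRE_B], True))
```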