New OpenVPN server - route entire network

Advanced feature discussion, beta programs and unsupported "Labs" features.
13 posts Page 1 of 2
by bubba198 » Mon May 27, 2019 7:57 pm
Hi guys, has anyone figured how to route an entire network using the new OpenVPN server where the NAT xlate is against the open VPN rather than the delivery end-point public IP?

The obvious use case is to route an entire private network behind the OpenVPN? Preferably Cisco ASA examples? Anyone out there?

Thanks
~B
by forest » Wed Jun 12, 2019 10:22 am
I have done it with Ubiquiti routers. The openvpn client knows how to take over the default route, so the idea is to run it on your network's internet router and configure the appropriate NAT and firewall rules. For more specific help, you might have better luck on a Cisco forum.
by bubba198 » Mon Sep 16, 2019 12:31 pm
Ok forget ASA, how about pfSense? Anyone out there? A modest pfSense VM doesn't take much resources and pfSense itself is super flexible as a firewall so it must work with OVPN server at sonic?

Thanks
by forest » Mon Sep 16, 2019 3:20 pm
As long as your router of choice has the openvpn 2.4 client and the ability to configure NAT on any network interface, it should be possible to get it working with Sonic's server. (Older openvpn versions don't support the minimum TLS requirement that Sonic recently imposed, though.)

I would expect pfSense, OpenWRT, VyOS, and most other decent routers to be capable, but since I don't use any of them in the way you're describing, I can't tell you how to go about it. It's pretty likely that the same is true for everyone else who happens to be reading this forum. Again, I think you'll have better luck finding someone to guide you through the setup if you ask on a router-specific forum.
by js9erfan » Mon Sep 23, 2019 9:39 pm
bubba198 wrote: Ok forget ASA, how about pfSense? Anyone out there? A modest pfSense VM doesn't take much resources and pfSense itself is super flexible as a firewall so it must work with OVPN server at sonic?

Thanks
pfSense user here and yes, you can easily route your entire LAN (or just specific interfaces, vlans, clients, etc.) over Sonic's OVPN server.

Here are the general steps to do this within pfSense:
  • Import your Sonic VPN certs
  • Configure the Sonic VPN client
  • Create a VPN interface (e.g. SonicVPN)
  • Create your LAN firewall rule routing all outbound traffic to the SonicVPN interface (set as the gateway)
  • Create an outbound NAT mapping (interface = SonicVPN; source = your LAN; NAT address = SonicVPN address)
I'm currently running 2 VPN clients on pfSense - Sonic's and PIA. 75% of my network clients route to Sonic; 25% to PIA based on my current needs.... I might be an FTTN customer but that doesn't mean I trust AT&T.

Speaking of Sonic's VPN, there was a long thread in this forum with lots of good info but looks like it got deleted for some odd reason.
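For readers who want to see what the last two pfSense steps above (LAN rule with the VPN interface as gateway, outbound NAT on the VPN interface) amount to underneath, here is the equivalent written as hand-made pf rules, with a kill switch so LAN traffic does not leak out the WAN when the tunnel is down. This is an added example, not pfSense's generated config or anything posted in the thread; the interface names, LAN prefix and tunnel gateway are assumed values.

```pf
# Assumed names and addresses (replace with your own)
lan_if  = "igb1"
wan_if  = "igb0"
vpn_if  = "ovpnc1"          # the OpenVPN client tunnel, "SonicVPN" in the steps above
lan_net = "192.168.10.0/24"
vpn_gw  = "10.8.0.1"        # gateway the VPN server hands the client; example value

# Outbound NAT on the tunnel: source = LAN, translated to the tunnel's address.
# NAT runs before filtering in pf, so after this the packet's source is the
# tunnel address and can no longer be matched by $lan_net on the WAN side.
nat on $vpn_if from $lan_net to any -> ($vpn_if)

# LAN rule with the tunnel as gateway (route-to = "set as the gateway" in the
# pfSense rule). The tag survives NAT, which is what lets the kill switch below
# still recognise LAN-originated traffic.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) \
    from $lan_net to any tag VPN_ONLY keep state

# Kill switch: pfSense by default installs a rule without its gateway when that
# gateway is down, so tagged traffic would fall back to the WAN default route.
# Drop it on the WAN instead of letting it leave unencrypted.
block out quick on $wan_if tagged VPN_ONLY
```

Keep the client's "Don't pull routes" option on (or leave the server's redirect-gateway unhonoured) so the tunnel only carries what the LAN rule sends into it, rather than replacing the router's own default route.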
by platonium » Wed Dec 04, 2019 8:29 am
Has anyone tried the netgate pfsense appliance? In particular, the SG-1100. It would be great to hear from your thoughts. Thanks!
by js9erfan » Wed Dec 04, 2019 7:07 pm
platonium wrote:Has anyone tried the netgate pfsense appliance? In particular, the SG-1100. It would be great to hear from your thoughts. Thanks!
I can't speak to the SG-1100 since I built my own pfSense box but I can say that pfSense itself is highly configurable and more than enough for any home network. Hardware is important though and it really depends on your requirements and whether you plan to install resource-intensive packages, etc.

However, Netgate notes that the SG-1100's firewall is limited to 500 Mbps throughput so depending on the usage that may be an issue for some. That and I always prefer Intel NICs... Protectli might actually provide more bang for your buck if you don't want to build your own.
by platonium » Thu Dec 05, 2019 3:16 pm
Thanks, that looks very interesting. As I’m far out from sonic fiber to the home in my area, the throughput shouldn’t be an issue for the foreseeable future.

While I can follow along these conversations, my own technical chops are limited. Do you think the netgate would be easier to setup? Access to their support team seemed reassuring as well.

Thank you again!
by js9erfan » Thu Dec 05, 2019 8:23 pm
If you don't feel up to installing pfSense yourself then yes, stick with the SG-1100. And of course Netgate provides great support.

Preinstalled box or not you'll still have some configuring to do but there are so many videos and tutorials out there that an install and basic config is really not that difficult (see 6 min into this video for example). It can get a bit more tricky when setting up vlans, VPN routing, NAT, etc. but feel free to ask if you have questions.
by platonium » Fri Jan 03, 2020 9:36 pm
Happy New Year! While checking again on the cost vs speed of the entry level pfsense, I really see what you mean about underperformance. I had mistakenly only been looking at firewall speeds.

Could I get your thoughts on using an Asus router with aes-ni instead like the AC86U to act as a vpn client instead? It seems like it might be cheaper and faster although not nearly as full featured as pfsense.