How to Allow RDP traffic across OpenVPN

Goal: Allow a user to connect to his desktop computer with RDP ONLY after connecting to the VPN.

Environment: OPNsense/pfSense firewall
Ports 53, 25, 80, 443 allowed through the firewall.
Currently can successfully RDP with or without VPN via port forwarding; suspect traffic is hitting the FW on the public interface/public static IP and not the desired private IP range allocated to VPN connections.

User successfully connects to the VPN and receives an IP, but can't access local resources.
The client-side VPN registers an IP address and the FW sees the connection; it just doesn't seem to allow traffic from the VPN to the local network.

The IP range assigned to VPN connections is 10.x; the local IP range is 192.x.

Olivier MARCHETTA, Citrix Support and Infrastructure Engineer, commented:
Just a basic question: did you add the firewall rules in pfSense to allow the VPN traffic to reach the internal LAN interface / address range?
seaweed27 (Author) commented:
Thank you for responding.
I have followed every step in this tutorial (2x), with the only exception being deviating from the IP ranges and setting a public/WAN block.

So to best answer your question: yes, I do believe I did,
but something isn't right and I'm second-guessing everything.
Lee W, MVP, Technology and Business Process Advisor, commented:
Can you ping the RDP server? Make sure that's working first. Ping by IP. Then by name. Did you push DNS?
seaweed27 (Author) commented:
@Lee - From the firewall/router I can ping the RDP server.
From the VPN connection I cannot ping the RDP server, the gateway, etc. It just shows connected on the laptop VPN client and in the FW GUI.

I'm not following your suggestion with regards to "pushing DNS", but in this case I would use IPs, not friendly names.
Olivier MARCHETTA, Citrix Support and Infrastructure Engineer, commented:
Your attached screenshot is only showing the rule to open access to external VPN users on your firewall.

The article specifies that you need another rule once your VPN clients are connected to allow them on the LAN:

Do you have this rule?
Blue Street Tech, Last Knight, commented:
Hi Seaweed27,

Something is definitely not right...
"Currently can successfully RDP with or without VPN via port forwarding; suspect traffic is hitting the FW on the public interface/public static IP and not the desired private IP range allocated to VPN connections."
With the desired setup you shouldn't be able to perform this, as it literally defeats the purpose of security, nor can I see how you are able to use RDP (Remote Desktop Protocol) since you don't have port 3389 open, unless you are running an actual RDS (Microsoft Remote Desktop Services) environment, which, when properly configured, should run on 443 (not sure if this is what you are trying to say by "RDP Server", which doesn't exist). Do all these ports need to be opened: 53, 25, 80, 443? 25, 53 and 80 should not be open; the design would appear to be flawed (security-wise).

"The IP range assigned to VPN connections is 10.x; the local IP range is 192.x."
I need some clarity here. Are you saying your VPN DHCP IP pool is handing out 10.x IPs within your local 192.168.x.0 network, or are you defining that the VPN DHCP pool and your LAN DHCP pool are in separate subnets, 10.x.x.x and 192.168.x.x respectively? If it is the latter, have you defined inter-zone access rules between the OpenVPN and the LAN as Olivier has suggested? Verify the routes have been set up between the OpenVPN and the LAN. Have you ruled out the possibility of IP conflicts between your LAN and VPN nodes?

If in fact you have an RDS environment, RDS over VPN is going to perform very sluggishly. RDS is already a secure environment (when configured correctly) and everything is encrypted; you can even set up 2FA. It is essentially like requiring users to log in to a VPN and then to OWA. Is double encryption really a requirement? If so, understand it will be very slow for even Word documents, let alone pushing multimedia, virtual apps or full desktops.

Let me know!
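As an added illustration, not from the thread or from pfSense/OPNsense documentation, here is what the rule set Olivier and Blue Street Tech describe amounts to in pf syntax: the WAN port forward that currently lets RDP in from the Internet is removed, and a pass rule on the OpenVPN interface lets the tunnel subnet reach the LAN. All names and addresses are assumptions: tunnel network 10.8.0.0/24, LAN 192.168.1.0/24, desktop 192.168.1.50, WAN interface em0, OpenVPN server interface ovpns1.

```pf
# Assumed addressing (not from the thread): adjust to your own pools.
vpn_net  = "10.8.0.0/24"
lan_net  = "192.168.1.0/24"
rdp_host = "192.168.1.50"

# 1. WAN: delete the existing port forward (Firewall > NAT > Port Forward in
#    the GUI). In pf terms it is an rdr rule like the commented one below; with
#    it present, RDP reaches the desktop from the Internet whether or not the
#    user is on the VPN, which is the behaviour the poster observes.
# rdr on em0 proto tcp from any to (em0) port 3389 -> $rdp_host port 3389

# Only the OpenVPN listener stays reachable on the public interface; anything
# arriving there for 3389 is logged and dropped.
pass in on em0 proto udp from any to (em0) port 1194
block in log on em0 proto tcp from any to any port 3389

# 2. OpenVPN interface (the "OpenVPN" rules tab in the GUI): the rule Olivier
#    asked about. Without it the tunnel comes up and the FW sees the client,
#    but nothing from the VPN pool reaches the LAN, matching the "connected
#    but can't ping the gateway or the RDP host" symptom.
pass in on ovpns1 inet proto icmp from $vpn_net to $lan_net
pass in on ovpns1 proto tcp from $vpn_net to $rdp_host port 3389
```

The client also needs a route to the LAN, which the OpenVPN server supplies with `push "route 192.168.1.0 255.255.255.0"` (the "Local Network(s)" field of the server definition in pfSense); without it, packets for 192.168.1.x never enter the tunnel and the firewall rule is never consulted.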

Blue Street Tech, Last Knight, commented:
Glad I could help...thanks for the points!