Config Pfsense/Hamachi to allow RDP

Hi folks,

I'm super new to pfSense and I'm having trouble understanding how to get this configured to allow my Hamachi VPN in and out of the firewall so I can RDP into various computers outside of my networks.

Does anyone have a similar setup and is able to post some screenshots of your settings, so that I can try to replicate? Screens of relevant settings on pfSense and Hamachi would be helpful.

Would be greatly appreciated, thanks.

I would be careful about opening RDP; there is currently a worm vulnerability for RDP, depending on what kind of setup/system you’re utilizing.

Source: https://nakedsecurity.sophos.com/2019/05/30/a-million-devices-are-vulnerable-to-bluekeep/

I’m not sure what Hamachi is even after looking at their site.

I just run an IPSec VPN on pfSense and connect to it. Then I RDP to whatever machine. Not sure what they are selling, but there is an easy, free solution already there.

Sorry I can’t help with Hamachi, but have you tried the similar and extremely good ZeroTier?
I run it on machines behind my pfSense, and machines in another country, and don’t have to change anything on pfSense for it to work.

Can you explain specifically what you’re trying to accomplish in the context of a traditional router / firewall - what do you have for rules and NAT already? Where does pfs fit in between you and the internet? I don’t know anything about your network and I have no idea what the fuck a hamachi is, some kind of fake VPN for video games?

Anyhow, some googling found “Hamachi connects to a central server on ports 12975 and 32976 using TCP. First port is used for a initial contact, second - for an actual session. It also uses dynamic local and remote UDP ports for communicating with other Hamachi peers.”

Assuming this is correct, assuming you are the only thing connected to LAN and your modem is the only thing connected to WAN, and assuming you have your Firewall Rules set for a completely open LAN and a completely closed WAN (e.g. under Firewall > Rules you’ve set IPv4 & IPv6 PASS any protocol on any port from any source to any destination on LAN, and no rules at all defined on WAN):

What I would do is:

Under Firewall > Aliases > IP, add an alias for whatever device is hosting your Hamachi locally - as an example I’ll name it VESTMENTALCRAZE-PC and define its IP (ideally we would also know the IP or hostnames that the central server lives at and define an Alias for it/them as well).

Under Firewall > Aliases > Ports, add an alias for those two static ports, 12975 and 32976 - as an example I’ll name this HAMACHITCP.

(Ideally we would also know at least a range for the dynamic UDP ports so we could Alias those as well.)

Under Firewall > NAT > Port Forward, add a rule on WAN TCP with destination WAN address, destination port range HAMACHITCP, Redirect target IP of VESTMENTALCRAZE-PC with target port of HAMACHITCP (ideally you would have an alias for the server and define that in the Source field).

Under Firewall > NAT > Port Forward, add a rule on WAN UDP with destination WAN address, destination port range Any, Redirect target IP of VESTMENTALCRAZE-PC with target port of Any (you’re effectively setting your computer as a DMZ for UDP traffic here, which is dumb as shit, but my googlin’ didn’t return much info on your application so oh well).

Default options will add associated filter rules when defining your NAT, so under Firewall > Rules > WAN you should have a rule to PASS IPv4+IPv6 TCP on ports HAMACHITCP with a destination of VESTMENTALCRAZE-PC, and one to PASS IPv4+IPv6 UDP on any port to VESTMENTALCRAZE-PC.

Pretty sure that should work if I made a ton of correct assumptions…
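The GUI steps in the comment above, written out as the equivalent pf rule set so the two port forwards and their associated pass rules can be read side by side. This is an added illustration, not the commenter's own config and not what pfSense generates from its web UI; the interface name, the host address and the IPv4-only scope are constructed assumptions, while the ports and alias names are the ones the comment uses.

```pf
# Macros standing in for the pfSense aliases (constructed sample values)
wan_if      = "em0"                # WAN interface, assumed
hamachi_pc  = "192.168.1.50"       # alias VESTMENTALCRAZE-PC, assumed address
hamachi_tcp = "{ 12975, 32976 }"   # alias HAMACHITCP, the two static TCP ports

# Firewall > NAT > Port Forward, rule 1: the two static TCP ports go to the host.
# ($wan_if) is the WAN address; the list expands into one rdr per port.
# If the central server's addresses were known, "from any" would be replaced
# by an alias of those addresses, as the comment recommends.
rdr on $wan_if inet proto tcp from any to ($wan_if) port $hamachi_tcp -> $hamachi_pc

# Firewall > NAT > Port Forward, rule 2: every inbound UDP datagram to the WAN
# address is forwarded to the host. This is the "DMZ for UDP" step the comment
# warns about: no port or source restriction at all.
rdr on $wan_if inet proto udp from any to ($wan_if) -> $hamachi_pc

# Firewall > Rules > WAN: the filter rules pfSense adds automatically for the
# forwards. Translation happens before filtering, so the destination here is
# already the internal host, not the WAN address.
pass in quick on $wan_if inet proto tcp from any to $hamachi_pc port $hamachi_tcp
pass in quick on $wan_if inet proto udp from any to $hamachi_pc
```

Reading the second rdr/pass pair is the quickest way to see why the other replies push back: it admits any UDP from any source to that one machine, which is far wider than a VPN listener on the firewall would be.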

Unfortunately, there are exploits for everything and in anything. We can’t let these prevent us from doing work and using our tools as they are intended. It’s a risk we take and accept, just like every time we go out for a drive or cross the street.

I have no idea what IPSec VPN is…

I think I tried this once, but the interface was kind of clunky and maybe it didn’t work for me (at the time, I didn’t have pfSense). I can give it a try again… but I already paid for Hamachi :-/

Thanks for this. I’ll give it a try

Carelessly exposing yourself isn’t an answer. Why not use IPsec or OpenVPN right thru the router? It’s built in and easy enough to use.

Not sure if you have read up on this. This worm is a massive threat… like the kind of threat that comes around after several years. Once the original system is infected, lateral movement is allowed. There are patches for it, so at the very least, make sure you are patched.

While I personally hate when reddit simply refutes an idea rather than supporting it, it’s the right thing here. The right thing to do is to set up a VPN and send RDP over IPsec, etc.

That is some of the worst logic I’ve ever read.

Try OpenVPN. If you are outside your network and need to RDP into a machine inside your pfSense network, then setting up an OpenVPN server is the easiest end-all solution. For RDP’ing into machines outside of pfSense, I’d see about setting up a VPN on the other networks. RDP is something best kept closed to LAN, and using VPNs is the best (secure) way to get into those LANs.

Yeah I went through the same thing and gave up a year or so ago. But gave it another try recently and now love it. Rock-solid and runs as a background system service so never even need to “connect”. It’s actually pretty simple to set up once you understand their terminology.

Well, you could have saved the money because pfSense can do VPN. Easy to set up.