This is really starting to PISS me off! Anyway I've configured my pfsense box to be an OpenVPN server. The issue I'm facing is that I cannot reach the LAN side of my network. I can ping my pfsense box but anything else I cannot do. LAN network of my pfsense box is 172.16.105.0 and the tunnel network is 192.168.100.0. I want to access my LAN network.

 

Please help. :(:( 

 

 

CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 32 GB (4x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB  | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitor: 24" Acer S240HLBID | OS: Win 11 Pro.

 

Home Lab:  Lenovo ThinkCenter M82 Hyper-V Server 2022 | Dell OptiPlex 9020 Hyper-V Server 2022 | TP-LINK TL-SG108E | Cisco Catalyst C2960CG 8 Port Switch | HP MicroServer G8 SCCM Server | 2x Dell PowerEdge R630 Hyper-V Server 2022

 

 

https://linustechtips.com/topic/822240-pfsense-openvpn-issues/

6 minutes ago, Ginz said:

Add a route in your OpenVPN config

I did... 


Just now, Ginz said:

Have you added firewall rules allowing traffic between your LAN and your OpenVPN interfaces?

It was done automatically when I configured OpenVPN.. 

 

 


12 minutes ago, Ginz said:

Not sure then sorry :S, I run my OpenVPN server on Linux

How did you configure yours? I get no default gateway IP address. 

 


5 minutes ago, Falconevo said:

Can you screenshot the rules on the OpenVPN firewall tab and your LAN tab, obviously omit any private information you may have on it.

34a439d7a322ddea7683d7cc2c425659.png

 

 


I'm assuming you are routing this VPN to the Private subnet?  Can you output the rule set you have on this.

Also if you can provide information about the internal IP ranges on both sides of the tunnel and what you can and can't access when performing a ping between locations.

Please quote or tag me if you need a reply


3 minutes ago, Falconevo said:

I'm assuming you are routing this VPN to the Private subnet?  Can you output the rule set you have on this.

Also if you can provide information about the internal IP ranges on both sides of the tunnel and what you can and can't access when performing a ping between locations.

I can ping the PfSense box but not the LAN IP. 

 

 

These are the IP rules I added:

 

c56b37b5b85eee176a3fe52123ecf93d.png

 

f8e4d0312f5863607ca824c129b60279.png

 

 


Ok, can you clarify something for me,


The PfSense Internal subnet is 172.16.105.0/24, what is the IP subnet on the other side of the tunnel?  If the network on the other side of the tunnel is 192.168.100.0/24 then you need to change the IPv4 Tunnel Network to something different like 10.0.8.0/24 which is an alternate subnet for the communication between the virtual tap/tun interfaces on either side of the tunnel.

 

You shouldn't need that additional custom option, it's not needed if it is set up correctly, what is the connecting device? Another pfSense box for Site-to-Site or some other router/firewall?


6 minutes ago, Falconevo said:

Ok, can you clarify something for me,


The PfSense Internal subnet is 172.16.105.0/24, what is the IP subnet on the other side of the tunnel?  If the network on the other side of the tunnel is 192.168.100.0/24 then you need to change the IPv4 Tunnel Network to something different like 10.0.8.0/24 which is an alternate subnet for the communication between the virtual tap/tun interfaces on either side of the tunnel.

 

You shouldn't need that additional custom option, it's not needed if it is set up correctly, what is the connecting device? Another pfSense box for Site-to-Site or some other router/firewall?

This isn't site-to-site. This is OpenVPN.. I tried the default 10.0.8.0/24 and same thing is happening.. nothing works. :(

 

My PfSense is the OpenVPN server. 


Ok, so you are providing client access rather than site-to-site, you will need to check your firewall rule set on the Private Subnet to allow the traffic from the IP subnet you are handing out to clients.

When you have a client device connected on VPN, what is the internal VPN IP address you receive from the pfSense OpenVPN?

 

I can't understand why you have a NAT rule present on the OpenVPN adapter as this is taken care of by the listener on the WAN port on UDP 1194, so you don't need the NAT forward it will only cause you problems. If you have the OpenVPN set on Interface WAN then you don't need that NAT but you do need a firewall rule to allow 1194 UDP on the WAN side to allow the listen port to be active (you can white list if you don't want it open to the public).


It should look something like this, you can replace the UDP rule for a 'Source' Whitelist if you want to secure it down and not have the VPN end point public.  Remove the NAT as it isn't required for the OpenVPN tunnel.

wan.PNG.69f570caebee1ef19a3371f67ce6381e.PNG


VPN Server listener

vpn.PNG.f66fdcd049b03c9d06055dcc33bf8c53.PNG


5 minutes ago, Falconevo said:

Ok, so you are providing client access rather than site-to-site, you will need to check your firewall rule set on the Private Subnet to allow the traffic from the IP subnet you are handing out to clients.

When you have a client device connected on VPN, what is the internal VPN IP address you receive from the pfSense OpenVPN?

 

I can't understand why you have a NAT rule present on the OpenVPN adapter as this is taken care of by the listener on the WAN port on UDP 1194, so you don't need the NAT forward it will only cause you problems. If you have the OpenVPN set on Interface WAN then you don't need that NAT but you do need a firewall rule to allow 1194 UDP on the WAN side to allow the listen port to be active (you can white list if you don't want it open to the public).


It should look something like this, you can replace the UDP rule for a 'Source' Whitelist if you want to secure it down and not have the VPN end point public.  Remove the NAT as it isn't required for the OpenVPN tunnel.


VPN Server listener

 

The IP address that the clients get is from 10.8.0.0 network.


Just now, Abdul201588 said:

The IP address that the clients get is from 10.8.0.0 network.

Remove the NAT from the OpenVPN and set up a rule on the Private Firewall Tab to allow traffic from the VPN network.  Depending on how secure you want it you may not want to use * * * on the firewall rule.

 

Source - OpenVPN Subnet - 10.0.8.0/24

Destination - Private Subnet - 172.16.105.0/24

Rule - whatever you want, maybe use */Any for testing purposes.

Reconnect VPN client and ping the internal IP of the private subnet on pfSense assuming 172.16.105.1?


3 minutes ago, Falconevo said:

Remove the NAT from the OpenVPN and set up a rule on the Private Firewall Tab to allow traffic from the VPN network.  Depending on how secure you want it you may not want to use * * * on the firewall rule.

 

Source - OpenVPN Subnet - 10.0.8.0/24

Destination - Private Subnet - 172.16.105.0/24

Rule - whatever you want, maybe use */Any for testing purposes.

Reconnect VPN client and ping the internal IP of the private subnet on pfSense assuming 172.16.105.1?

Now I can't connect to the VPN... 


23 minutes ago, Abdul201588 said:

Now I can't connect to the VPN... 

What interface do you have specified in the OpenVPN configuration?  Did you add the firewall rule on the WAN side like I mentioned earlier on?

 

Things you need;

Correct interface for OpenVPN config (WAN usually)

Rule on WAN interface to allow UDP 1194 (this replaces the rule you had auto generated from the NAT)
Rule on Private Subnet to allow traffic from OpenVPN subnet

Rule on OpenVPN subnet to allow traffic from Private Subnet

Please quote or tag me if you need a reply
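An added example, not part of the thread or any poster's configuration: a simplified first-match, default-deny model of a firewall rule tab (the evaluation order is an assumption of this sketch), used to check that the WAN rule admits UDP 1194 and that the source subnet of the VPN-to-LAN rule actually contains the address a client is handed. `Rule`, `evaluate`, `overlaps` and `report` are hypothetical names; the WAN address and client addresses are constructed, the second one taken from the 10.8.0.0 network mentioned in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "any", "udp", "tcp", "icmp"
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    port: Optional[int] = None  # destination port, None = any port

def _in(spec, addr):
    """True if addr falls inside the CIDR spec (or spec is 'any')."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(rules, proto, src, dst, port=None):
    """Return (action, rule index); the first matching rule wins, no match is a block."""
    for idx, r in enumerate(rules):
        if r.proto not in ("any", proto):
            continue
        if r.port is not None and r.port != port:
            continue
        if _in(r.src, src) and _in(r.dst, dst):
            return r.action, idx
    return "block", None

def overlaps(a, b):
    """Tunnel network must not overlap a network on either side of the tunnel."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

LAN = "172.16.105.0/24"            # Private subnet from the thread
WAN_ADDR = "203.0.113.10"          # constructed placeholder (documentation range)
WAN_RULES = [Rule("pass", "udp", "any", WAN_ADDR + "/32", 1194)]
VPN_RULES = [Rule("pass", "any", "10.0.8.0/24", LAN)]  # source/destination as posted

def report(client_ip):
    """Check the listener rule and the VPN-to-LAN rule for one client address."""
    listener = evaluate(WAN_RULES, "udp", "198.51.100.7", WAN_ADDR, 1194)
    lan_ping = evaluate(VPN_RULES, "icmp", client_ip, "172.16.105.1")
    return {
        "listener_reachable": listener[0] == "pass",
        "lan_ping_allowed": lan_ping[0] == "pass",
    }

if __name__ == "__main__":
    for ip in ("10.0.8.6", "10.8.0.6"):   # constructed client addresses
        print(ip, report(ip))
```

A client whose address is outside the rule's source subnet falls through to the default block, so the subnet in the rule has to be the one the server really hands out.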


4 minutes ago, Falconevo said:

What interface do you have specified in the OpenVPN configuration?  Did you add the firewall rule on the WAN side like I mentioned earlier on?

 

Things you need;

Correct interface for OpenVPN config (WAN usually)

Rule on WAN interface to allow UDP 1194 (this replaces the rule you had auto generated from the NAT)
Rule on Private Subnet to allow traffic from OpenVPN subnet

Rule on OpenVPN subnet to allow traffic from Private Subnet

I gave up. I've got a raspberry Pi3 and I'm going to see if it would work. 

 


2 minutes ago, Falconevo said:

lol, it's not a difficult task.  It's a VPN service listener config, then 3 firewall rules.

Meh. I'm actually having issues with it as well.


30 minutes ago, Falconevo said:

If you want to give me temp access via private message, I can take a look for you?

The problem is the PC itself. It hangs randomly and I have to restart it every time. I've tried the Pi3 and it works fine. :)

 
