RESET Forums (homeservershow.com)

PFSense and OpenVPN problem


KiwiGlen

Hi,

 

I was wondering if anybody can help.  

 

I've been trying to set up a VPN using OpenVPN on my pfSense box and it's not working. I can connect to the VPN, but after I connect I can't connect to any of the machines inside my network. I can access the pfSense box using the internal IP address, so the VPN seems to be working, but I can't access any other machine on my network.

 

I've been over the instructions for setting up OpenVPN several times and tried changing a few things but nothing seems to work.  I tried swapping the option from sending all traffic over the VPN to only sending the local network traffic and neither seems to make a difference.

 

Anybody got any ideas on what I could try?

 

Glen


I use OpenVPN and pfSense, using it to connect to the privateinternetaccess.com VPN from Iraq.

 

Usually the problem is incorrect NAT settings in the firewall. I suggest starting with this:

 

(http://www.komodosteve.com/archives/232)

 

Firewall Config

At this point the OpenVPN service is running but you aren’t using it. You may not even be able to access the Internet in this state. While there’s a lot you can do to tailor your firewall access, here’s a quick way to route all your outgoing traffic through your new VPN connection.

Go to Firewall and select NAT, then click the Outbound tab. Select any existing rules and delete them. Select the “Automatic” option at the top and click Save, then select “Manual” and click Save. You should see a new set of rules which you can activate by clicking Apply Changes.

There’s lots more that could be done to pfSense to tighten up your security but this is a starting point.


Basically, you are creating a duplicate rule of your WAN firewall rule under the NAT settings, only instead of pointing the routes to your WAN interface, you end up pointing them to your OpenVPN interface.

 

Couple of points:

1) Make sure the OpenVPN rule in NAT is BEFORE the WAN rule. The firewall rules are applied in order, and the first rule that applies is used.

2) You have to enable (create) the VPN interface to allow a NAT rule to be created. (Probably should have mentioned that before the above post.)

 

Enable Interface

Go to Interfaces and select (assign). Click the add button. A new entry called OPTn should appear with “ovpnc1” as the port. Click Save. Now you can enable your new interface. Go to Interfaces and select OPTn. Simply click Enable and Save. Note that you can rename the interface if you want to something like “VPN” but it’s not necessary.

Restart the OpenVPN service so everything is in sync. Go to Status and select Services, then click the restart button beside the OpenVPN service. Ensure that the OPTn gateway has an IP. Go to System: Routing and make sure the Gateway has an IP address.
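As an added illustration (my own code, not from this thread or from pfSense), here is a small Python model of how an outbound NAT table like the one described above is evaluated: rules are matched on egress interface plus source network, first match wins, and a packet leaving on the VPN interface gets no translation at all while only WAN rules exist. The LAN range 192.168.1.0/24, the WAN address and the rule descriptions are constructed sample values; the VPN interface is called "PIA" as in the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class NatRule:
    """One outbound NAT rule, matched on the egress interface and the source network."""
    interface: str       # interface the packet leaves on, e.g. "WAN" or the VPN interface "PIA"
    source: str          # source network in CIDR notation
    translate_to: str    # address the source is rewritten to ("WAN address", "PIA address", ...)
    description: str = ""


def select_rule(rules: List[NatRule], egress_if: str, src_ip: str) -> Optional[NatRule]:
    """First-match evaluation: walk the table top to bottom and return the first rule whose
    interface and source network both match; None means the packet leaves untranslated."""
    src = ip_address(src_ip)
    for rule in rules:
        if rule.interface == egress_if and src in ip_network(rule.source):
            return rule
    return None


def outcome(rules: List[NatRule], egress_if: str, src_ip: str) -> str:
    """Human-readable result of running one packet through the table."""
    rule = select_rule(rules, egress_if, src_ip)
    if rule is None:
        return f"{src_ip} via {egress_if}: no rule matches, source left untranslated"
    return f"{src_ip} via {egress_if}: source rewritten to {rule.translate_to} ({rule.description})"


# Constructed sample tables (hypothetical LAN 192.168.1.0/24; VPN interface named "PIA").
LAN = "192.168.1.0/24"
WAN_ONLY = [NatRule("WAN", LAN, "WAN address", "auto-generated LAN rule")]
# The LAN rule duplicated for the VPN interface and placed above the WAN rule.
WITH_VPN = [NatRule("PIA", LAN, "PIA address", "LAN out via VPN")] + WAN_ONLY
# Ordering only matters when two rules overlap: a host rule below a subnet rule never fires.
SHADOWED = [NatRule("WAN", LAN, "WAN address", "subnet rule"),
            NatRule("WAN", "192.168.1.50/32", "203.0.113.6", "never reached")]
CORRECT_ORDER = list(reversed(SHADOWED))

if __name__ == "__main__":
    for table, name in ((WAN_ONLY, "WAN only"), (WITH_VPN, "with VPN rule")):
        print(name + ":", outcome(table, "PIA", "192.168.1.10"))
    print("shadowed:", outcome(SHADOWED, "WAN", "192.168.1.50"))
    print("reordered:", outcome(CORRECT_ORDER, "WAN", "192.168.1.50"))
```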


It's actually not that bad once you understand the concept. Basically you're creating a new network interface for the VPN so you can manage it, just as you would manage a network connection going across a physical NIC. Think of it like ESXi or Hyper-V where you have physical NICs, but you also have virtual NICs. You can have multiple virtual NICs assigned to one physical NIC, and through the hypervisor you're managing the throughput by virtual NIC. Now you're creating a virtual NIC for the virtual private network which is tunneled across the actual network on the actual NIC.

 

Since you've created a new virtual interface (NIC) and a new virtual network, you have to adjust the firewall rule for it as well.

 

The nice thing is you can even create routing tables for it. I.E. I can't get to the military's email (web access) from the VPN exit point, so I created a route for the /16 of DISA's webmail to bypass the VPN and use the standard WAN port. When I want to hit Netflix from Iraq, I add a route to have it take a different virtual interface to a different VPN exiting in the US. The hard part there is because Netflix is so large they have a huge amount of IPs under their control so the routing table there is fairly long - and it changes as they continually add new servers and new IP space.


Sorry, didn't mean to confuse. I have actually set up VPNs before. I would explain to colleagues that it's a "network connection within a network connection"; at least, that's how I think of it.

 

But the instructions you gave are very similar to the ones I gave... wait for it... 20 years ago. It seems a shame that it hasn't become a LOT simpler in that amount of time.


Thanks timekills, I'll give that a go tonight when I get home. Sort of makes sense. I was expecting that, as the pfSense box was the end point of the VPN tunnel, I didn't need to set anything else up, but I had a feeling that the problem was some sort of routing issue, that pfSense didn't know where to route my traffic.


Sorry, didn't mean to confuse. I have actually set up VPNs before. I would explain to colleagues that it's a "network connection within a network connection"; at least, that's how I think of it.

 

But the instructions you gave are very similar to the ones I gave... wait for it... 20 years ago. It seems a shame that it hasn't become a LOT simpler in that amount of time.

 

No - I agree with you. The implementation of pfSense is actually less intuitive than using hardware (i.e. card in router or encryption device) because you don't interact with an actual *device*. So it's not clear where you have to set the routing rules and even less clear that the firewall settings would be separate for the VPN and the WAN port.


OK, I gave it a go and it's still not working.

 

Below is a copy of the NAT screen in pfSense (I'm assuming that everything else is set up correctly). I moved the entries that had any comment about VPN to be before the others, but still no joy. One question I have (it's starting to make sense to me, I think) is: shouldn't I have some NAT entries for the new VPN interface?

 

Any ideas?

 

 

NAT.png


Yes - you have only the WAN interface listed, which means pfSense isn't routing anything through the VPN interface. I set up a quick default pfSense machine with just my WAN, LAN, TEST and OpenVPN connections (OpenVPN is labeled "PIA" below) to show you. Note I didn't move the PIA interfaces up, and it still works... so my earlier comment about needing the OpenVPN interface listed first may not be correct if it is the default route. In my case I had multiple VPN access routes, so I had to list them in preferential order.

 

Disregard the multiple IP routes (192.168.0.X and 10.10.10.X); that is because I have my TEST network routed through pfSense as well (the 10.10.10.X route). Yours will likely show just the host (127.X) and your WAN (probably the 10.1.X, although I'm not sure what your 10.0.X range is for).

 

NAT_routes.jpg

 

 

 

Below are the interfaces listed from my normal setup. 

 

pfSense_interfaces.jpg

 

 

Did you do this part from my earlier post:

Enable Interface

"Go to Interfaces and select (assign). Click the add button. A new entry called OPTn should appear with “ovpnc1” as the port. Click Save. Now you can enable your new interface. Go to Interfaces and select OPTn. Simply click Enable and Save. Note that you can rename the interface if you want to something like “VPN” but it’s not necessary.

Restart the OpenVPN service so everything is in sync. Go to Status and select Services, then click the restart button beside the OpenVPN service. Ensure that the OPTn gateway has an IP. Go to System: Routing and make sure the Gateway has an IP address."

 

I labeled my interface PIA.

