Netgate Discussion Forum

    OpenVPN on another public ip address

    • jptferreiraJ
      jptferreira
      last edited by

      I've been investing lots of time trying to find a way to have openvpn to listen to another public static ip besides the default.
      I've a pack of 5 statics. OpenVPN is working great but only when set for the default ip address. If I create an alias and create a clean openvpn instance by selecting the alias for the second static it accepts the setup and runs but won't connect. It looks like the wizard is not adding all the rules... something is missing. Looking around the web, I can't find much about this issue. Nothing very clear.
      Any help would be very much appreciated. Must have it on another public ip because the default ip is scanned by a PCI compliance company for our bank... and it doesn't pass when it is on that ip address.
      With other firewalls I've done that but I'm enjoying pfsense way more.
      Thanks
      JP

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @jptferreira
        last edited by

        @jptferreira said in OpenVPN on another public ip address:

        It looks like the wizard is not adding all the rules

        So add the firewall rule manually.

        I don't know if the alias creates a rule for a virtual IP or if it takes the default WAN. If it has created a rule with the wrong IP, edit it and set the correct destination IP.

        jptferreiraJ 1 Reply Last reply Reply Quote 0
        • jptferreiraJ
          jptferreira @viragomann
          last edited by

          @viragomann I tried without any luck. I've done this with fortigate (has built-in vpn support too) and sonicwall (same) firewalls but I'm not as familiar with pfsense. The manually created aliases work fine for other services that are enabled by the port forwarding rules... no problem there.
          The problem is on how to be able to forward a rule to the internal openvpn. Tried many rules and no luck.... tried forwarding to the firewall internal ip, no luck... many other options... no luck. Reading many posts looks like there is no need for this type of solution from pfsense users... so I'm bummed!
          Thanks

          V 1 Reply Last reply Reply Quote 0
          • V
            viragomann @jptferreira
            last edited by

            @jptferreira
            So I will need some more info.

            manually created aliases

            Which type of alias?

            The problem is on how to be able to forward a rule to the internal openvpn.

            An internal OpenVPN? Is it running on pfSense or behind?

            jptferreiraJ 1 Reply Last reply Reply Quote 0
            • jptferreiraJ
              jptferreira @viragomann
              last edited by

              @viragomann I'm using virtual IP addresses. I have a block of 5 statics, each of which is added as a Virtual IP address under Firewall / Virtual IPs. Then I have Port forwards for each of the services attached to each public IP. All working fine there. Have to use the 1:1 because of VoIP requirements and some other services.
              Besides this it is a very simple setup.
              The VPN works great when the wizard is used and is set for the default public ip (not VIP because it is the default and not used for any other services).
              If during the wizard I select another one of the public IP addresses I have it reaches the vpn server logs but won't connect. The same configuration but switching to the default ip works fine.
              I hope this helps
              Thanks

              V 1 Reply Last reply Reply Quote 0
              • V
                viragomann @jptferreira
                last edited by

                @jptferreira
                No. I was asking for the VIP type. pfSense offers four, I think. So which?

                So the OpenVPN is running on pfSense itself, no forwarding.

                What is the OpenVPN configuration? What are your WAN rules?

                jptferreiraJ 1 Reply Last reply Reply Quote 0
                • jptferreiraJ
                  jptferreira @viragomann
                  last edited by

                  @viragomann I apologize, I'm using IP aliases for the Virtual IP addresses assigned to the WAN interface.

                  Virtual IP Address
                  66.xx.xx.xx1/29 WAN IP Alias 66.xx.xx.xx1
                  66.xx.xx.xx2/29 WAN IP Alias 66.xx.xx.xx2
                  66.xx.xx.xx3/29 WAN IP Alias 66.xx.xx.xx3
                  66.xx.xx.xx4/29 WAN IP Alias 66.xx.xx.xx4
                  10.10.10.1/32 LAN IP Alias pfB DNSBL - DO NOT EDIT

                  The rule for the vpn is only one added by the wizard.
                  IPv4 UDP * * WAN address 1194(OpenVPN) * none OpenVPN pfSense OpenVPN Server Wizard

                  This one works fine because it isn't using any of the above VIPs.
                  The OpenVPN is running on pfsense. Having it running on another machine would be just a matter of performing a port forward and wouldn't be a problem but I'm trying to not have one machine running just for the vpn.
                  Thanks

                  V ? 2 Replies Last reply Reply Quote 0
                  • V
                    viragomann @jptferreira
                    last edited by

                    @jptferreira said in OpenVPN on another public ip address:

                    The rule for the vpn is only one added by the wizard.
                    IPv4 UDP * * WAN address 1194(OpenVPN) * none OpenVPN pfSense OpenVPN Server Wizard
                    This one works fine because it isn't using any of the above VIPs.

                    IP Aliases work as well for OpenVPN.

                    Since you might not need this rule from the wizard as you said, edit this rule and change the source IP to the desired virtual IP. Otherwise you can simply copy it by ticking this button (screenshot) and change the destination.

                    Since you don't provide your OpenVPN settings I cannot give further hints.

                    1 Reply Last reply Reply Quote 0
                    • ?
                      A Former User @jptferreira
                      last edited by

                      @jptferreira said in OpenVPN on another public ip address:

                      This one works fine because it isn't using any of the above VIPs.

                      publish your Wan side firewall rule

                      jptferreiraJ 1 Reply Last reply Reply Quote 0
                      • jptferreiraJ
                        jptferreira @A Former User
                        last edited by

                        @silence on pfsense I still can't find an easy way to export settings besides taking screenshots... any hints on how to do it?
                        Thanks

                        ? 1 Reply Last reply Reply Quote 0
                        • ?
                          A Former User @jptferreira
                          last edited by

                          @jptferreira said in OpenVPN on another public ip address:

                          any hints on how to do it?

                          (screenshot)

                          V 1 Reply Last reply Reply Quote 0
                          • V
                            viragomann @A Former User
                            last edited by

                            @silence
                            Requesting the whole config seems quite dubious to me.

                            @jptferreira
                            There are many secrets inside this, you might not want to publish at all.

                            jptferreiraJ ? 2 Replies Last reply Reply Quote 1
                            • jptferreiraJ
                              jptferreira @viragomann
                              last edited by

                              @viragomann thanks guys... I always remove anything that "shouldn't be there"
                              Really appreciate the quick replies!
                              JP

                              1 Reply Last reply Reply Quote 0
                              • ?
                                A Former User @viragomann
                                last edited by

                                @viragomann said in OpenVPN on another public ip address:

                                Requesting the whole config seems quite dubious to me.

                                It didn't ask him for his configuration, he asked for his wan-side firewall rules and I showed him how to make a backup since he asked.

                                @jptferreira said in OpenVPN on another public ip address:

                                @silence on pfsense I still can't find an easy way to export settings besides taking screenshots... any hints on how to do it?
                                Thanks

                                waiting firewall rules wan

                                1 Reply Last reply Reply Quote 0
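
For the request above to post the WAN-side rules, and the caution about secrets in a full backup, here is an added example that is not part of any post in this thread: it reads a pfSense `config.xml` backup and prints only the WAN filter rules with IP literals masked. The element names follow the usual `config.xml` layout and are an assumption here; the sample config and the function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, trimmed. Element names (filter/rule, wanip, ...) follow
# the usual pfSense config.xml layout; that layout is assumed, not from the thread.
SAMPLE_CONFIG = """<pfsense>
  <system><user><name>admin</name><bcrypt-hash>CONSTRUCTED-HASH</bcrypt-hash></user></system>
  <openvpn><openvpn-server><tls>CONSTRUCTED-TLS-KEY</tls></openvpn-server></openvpn>
  <filter>
    <rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <protocol>udp</protocol><source><any/></source>
      <destination><network>wanip</network><port>1194</port></destination>
      <descr>CONSTRUCTED description</descr></rule>
    <rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol><source><any/></source>
      <destination><address>203.0.113.10</address><port>443</port></destination></rule>
    <rule><type>pass</type><interface>lan</interface><source><any/></source></rule>
  </filter>
</pfsense>"""

def mask(value):
    """Mask an IP literal down to its first octet; keep macros and alias names."""
    try:
        iface = ipaddress.ip_interface(value)
    except ValueError:
        return value  # e.g. "wanip", "lan", or an alias name
    if iface.version == 6:
        return "ipv6-masked"
    suffix = "/%d" % iface.network.prefixlen if "/" in value else ""
    return str(iface.ip).split(".")[0] + ".x.x.x" + suffix

def endpoint(node):
    """Return (address, port) for a <source> or <destination> element."""
    if node is None or node.find("any") is not None:
        return "*", "*"
    target = node.findtext("address") or node.findtext("network") or "*"
    return mask(target), node.findtext("port") or "*"

def wan_rules(config_xml, interface="wan"):
    """One line per rule on `interface`. Only rule fields are read; the
    free-text description is skipped because it may hold internal details."""
    rows = []
    for rule in ET.fromstring(config_xml).findall("./filter/rule"):
        if rule.findtext("interface") != interface:
            continue
        src, sport = endpoint(rule.find("source"))
        dst, dport = endpoint(rule.find("destination"))
        rows.append(" ".join([rule.findtext("type", "pass"), rule.findtext("ipprotocol", "inet"),
                              rule.findtext("protocol", "any"), src, sport, dst, dport]))
    return rows
```

Run it against a copy of the backup on a workstation; the destination column shows whether a rule targets the interface macro or a specific address, which is the detail the replies ask about.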
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.