openvpn client can ping LAN but cannot TCP connect
-
I followed this guide: https://www.wundertech.net/how-to-set-up-openvpn-on-pfsense/
I have two clients that can connect via a mobile hotspot. Prior to connection they can't ping 192.168.6.anything (LAN subnet) or 10.0.8.1 (the openVPN subnet). I then connect and they can ping both, so the VPN part is working nicely.
I cannot make any TCP connections from an openVPN client to a LAN client. I've enabled the firewall rules to allow this in the wizard and they are shown in the firewall rule listing.
When I test a TCP connection and then look at the firewall logs I see errors like this one:
Default deny rule IPv4 (1000000103) 192.168.6.5:8123 10.0.8.2:48124 TCP:FA
I've tried the "automatic fix" recommended here: https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html#automatic-fix it did not work
I've tried the manual fix on the allow all IPv4 rule on my LAN firewall interface where I allow all TCP states and "Sloppy", that didn't fix it.
I've tried having the openVPN be assigned the OPT2 interface, that didn't seem to resolve it. I did that like this https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/assign.html#interface-assignment-and-configuration
Strangely I don't see the client listed in the openVPN connections list even though they ping other LAN IP addresses well....
What am I missing here?
-
@bmbouter said in openvpn client can ping LAN but cannot TCP connect:
What am I missing here?
There are thousands of web sites out there talking about 'how to'.
I advise you to start with the one made by the authors of pfSense.
You can find them here : https://www.youtube.com/@NetgateOfficialYou'll find also the Configuring OpenVPN Remote Access in pfSense Software
which explains how to set up, from a default pfSEnse, a working VPN access in less then 5 minutes.Again : can't tell if the video you used is good, or no good (I won't test them all ^^)
When you activate a VPN server, you wind up having a system created "OpenVPN" interface :
Leave that one empty.
Create your own OPENVPN (pick any name), and assign the openvpn server to it :
and then add the rules that will work fine :
Note that I defined Gateways, that's normally not need - just create pass rules and you'll be fine.
Note that I used IPv4 and IPv6 as my OpenVPN server setup supports both, because ... why not.When I test my OpenVPN access, I can see that the states are changing == the rule is used.
Btw : what is you pfSense version ?
Do you know what openvpn server version you use ? Hint : as always, check the openvpn server the logs ^^
Now, check you openvpn client software : it is based on what version ?For example, it's ok to use the 2.5.x version on the pfSense side, and a 2.4 (ancient) client openvpn on the other, but then you have to go through all the details of the release differences - seen here : https://openvpn.net/community-downloads/
-
I finally got a chance to test this. I totally remove the setup I had before, and I followed the video you linked to (thanks) exactly. However, I get the same result only now my openVPN subnet is 192.168.80.0/24.
The vpn itself is working fine. Any device I want can connect and get a 192.168.80.0/24 address. Any 192.168.80.0/24 IP can ping a 192.168.6.0/24 and vice versa, so the connectivity is there.
I'm using pfsense 22.05-RELEASE, openvpn server is OpenVPN 2.6_git armv7-portbld-freebsd12.3 (what came with my pfsense). I've used several clients for example latest openvpn android, and OpenVPN 2.5.8 on linux.
-
When I try to http connect for example between 192.168.80.2 (the vpn client) and a 192.168.6.0/24 address, I see these messages show up in the firewall around that time with the port numbers of the 192.168.6.0/24 I'm trying to tcp connect to:
That is extremely strange because I have this in my LAN firewall:
Why is the traffic being dropped?
-
@bmbouter said in openvpn client can ping LAN but cannot TCP connect:
Why is the traffic being dropped?
The traffic dropped on the LAN interface is traffic initiated by a LAN device, on the LAN network.
edit : but wait, see below.Your LAN interface is 192.168.6.1/24, right ?
The firewall rule show a connection from a LAN (source) 192.168.6.5 device port 443 ( ? ) to 192.168.80.2 device, the device you use to connect to the OpenVPN server.
Normally, it's the other way around.
I use my phone or portable PC to connect to the pfSense OpenVPN server, so I can connect to the pfSEnse GUI or my NAS, or printers to do some maintenance task.
You have your device connect, and the you initiate a connection he other way around ?And yes, I confirm, your LAN firewall rules permit any outgoing traffic.
The blocked TCP:A means to me : the TCP ACK packet send back doesn't make it back and is blocked, like it its not part of the a current state, initiated from an openvpn connect client (which would explained the reverse source destination).The state-full firewall isn't state-full anymore ?
What rules do you have to the OpenVPN network ?
Remember : the OpenVPN is like a LAN interface : it should have (TCP and UDP) pass rules, or no devices connected to it can use the OpenVPN interface == OpenVPN access.No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ?? -
@gertjan There are several very strange aspects to this. Here is what I've observed.
The testing in this case is always initiated by the openVPN client. For example I would use an android device via LTE (openVPN connecting to the WAN IP) to receive the openvpn assigned IP of 192.168.80.2. Using an android network utility app, I can successfully ping various hosts on 192.168.6.0/24. I can also port scan 192.168.6.0/24 hosts and receive the expected results in every case. I can also run use telnet to TCP connect to an http webserver on 192.168.6.5 port 8123 and I receive response headers ... but I receive no body in the payload.....
When I use a web browser from 192.168.80.2 to connect to https://192.168.6.5 the page doesn't load and the firewall shows those dropped TCP:A packets. So the connection is initiated from the openVPN client, hence the destination port of 443.
Yes 192.168.6.1/24 is my LAN address.
My OpenVPN firewall rules were auto-created, but then I made it both IPv4 and IPv6 while troubleshooting it. Here's a screenshot.
It's like the statefulness of this firewall is totally screwed up. What's especially strange is I run pfsense on official netgate hardware, it's a SG-3100 MAX. I also only ever run the software provided by netgate.
I can see my client listed in the openVPN connections, see this screenshot.
Also I can see some stateful connections being created in the openVPN firewall...
-
One more thing, I can confirm all the same behavior on my laptop acting as the 192.168.80.2 openvpn client. It's connecting via the WAN through a hotspot LTE connection.
Here's a screen shot of some pings, ifconfig, ip route, and then the telnet demo
-
@gertjan said in openvpn client can ping LAN but cannot TCP connect:
The traffic dropped on the LAN interface is traffic initiated by a LAN device
no that is ack trafffic - looks like asymmetrical or the states were cleared on pfsense.
-
I think it's got to be some sort of asymmetric issue. What would I look at to investigate that?
I think it's not a pfsense firewall being cleared during testing because a) I'm not clearing it and I'm theonly admin and b) if I try the test a few hours later I get the same results. Just before retrying the test later I confirm the openVPN has no sessions on it. That being said maybe I should try clearing the sessions of both the LAN and WAN? I do have my clients when testing on my LAN just before disconnecting and joining the openVPN over the WAN.
