OpenVPN server *behind* pfSense firewall - cannot reach Internet
-
I infer pfSense is blocking it because this exact same setup (remote client and backend server on my home network) was working perfectly before the firewall change. Literally the only variable is the firewall. Same network, same subnets, etc. If the configuration problem exists on the client or server, it would have been a problem before, but it wasn't.
I am making a further inference that there is an additional default firewall or NAT rule that is in place that I'm just not recognizing. I can't access the VPN box or his client, so there aren't any OpenVPN settings I can change that would be of relevance.
Just to reiterate, this is not the OpenVPN component of pfSense, but a separate OpenVPN server hosted behind pfSense on my network.
I hope that clears up any possible confusion. I appreciate the input.
-
@soonerdave Well, if the OpenVPN box was not NATing the tunnel network, then pfSense would not allow that traffic, but you would see that in the default deny log.
-
@soonerdave said in OpenVPN server *behind* pfSense firewall - cannot reach Internet:
I host an OpenVPN server box (in my private network, NOT the OpenVPN within pfSense) that a friend of mine connects to remotely.
Such a setup needs either
- a segregated transit network between the VPN box and pfSense,
- a masquerading rule on the VPN box, or
- a static route on any of your local devices he should be able to access.
Did you configure any of these?
In your case, I think, masquerading on the box would be the best / easiest solution, as there is obviously only one client connecting to the VPN.
For internet access over the VPN, you also need an outbound NAT rule on pfSense for the VPN tunnel network if you don't masquerade the traffic on the box.
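As an added example (not code from this thread, from pfSense, or from the VPN box in question), this is what the "masquerading rule on the VPN box" option looks like on a Linux OpenVPN server using iptables. The tunnel subnet 10.8.0.0/24, the LAN interface name eth0 and the tun+ wildcard are placeholder assumptions, since the thread does not give them. The rules are rendered separately from being applied so they can be reviewed first, and MASQUERADE is used instead of a fixed SNAT address so the rule keeps working if the box's LAN address changes.

```shell
#!/bin/sh
# Added example: source NAT on an OpenVPN server that sits behind pfSense,
# i.e. the "masquerading rule on the VPN box" option from the thread.
# Assumed placeholders (not values from the thread):
#   TUN_NET - the OpenVPN tunnel subnet handed to clients
#   LAN_IF  - the box's interface toward pfSense
# MASQUERADE reads the interface's current address at packet time, unlike
# "SNAT --to-source <ip>", so re-addressing the box does not silently break it.

TUN_NET="${TUN_NET:-10.8.0.0/24}"
LAN_IF="${LAN_IF:-eth0}"

# Print the rules, one per line, without applying them. Each line is a
# complete iptables argument list (everything after the "iptables" word).
render_vpn_nat_rules() {
    tun_net="$1"; lan_if="$2"
    cat <<EOF
-t nat -A POSTROUTING -s $tun_net -o $lan_if -j MASQUERADE
-A FORWARD -i tun+ -o $lan_if -s $tun_net -j ACCEPT
-A FORWARD -i $lan_if -o tun+ -d $tun_net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Append one rendered rule only if it is not already present: "-C" checks
# for an identical rule, so running the script twice does not duplicate it.
apply_rule() {
    check_args=$(printf '%s\n' "$1" | sed 's/ -A / -C /')
    # shellcheck disable=SC2086
    if iptables $check_args 2>/dev/null; then
        echo "present: $1"
    else
        # shellcheck disable=SC2086
        iptables $1 && echo "added:   $1"
    fi
}

apply_vpn_nat_rules() {
    # The kernel must forward between tun and the LAN, or POSTROUTING never
    # sees the clients' packets at all.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    render_vpn_nat_rules "$TUN_NET" "$LAN_IF" | while IFS= read -r rule; do
        apply_rule "$rule"
    done
}

# The live firewall is only touched when explicitly requested, as root.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    apply_vpn_nat_rules
elif [ "${1:-}" = "--render" ]; then
    render_vpn_nat_rules "$TUN_NET" "$LAN_IF"
fi
```

`sh vpn-nat.sh --render` prints the three rules for review; `--apply` installs them (as root) only where they are missing. With the box masquerading like this, pfSense only ever sees the box's own LAN address as the source, so its default outbound NAT covers the traffic; without it, pfSense needs the extra outbound NAT rule for the tunnel subnet that the post above mentions, plus a route back to the box.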
-
@viragomann said in OpenVPN server *behind* pfSense firewall - cannot reach Internet:
@soonerdave said in OpenVPN server *behind* pfSense firewall - cannot reach Internet:
I host an OpenVPN server box (in my private network, NOT the OpenVPN within pfSense) that a friend of mine connects to remotely.
Such a setup needs either
- a segregated transit network between the VPN box and pfSense,
- a masquerading rule on the VPN box, or
- a static route on any of your local devices he should be able to access.
Did you configure any of these?
In your case, I think, masquerading on the box would be the best / easiest solution, as there is obviously only one client connecting to the VPN.
For internet access over the VPN, you also need an outbound NAT rule on pfSense for the VPN tunnel network if you don't masquerade the traffic on the box.
The masquerading rule rings a bell as something I had to do the last time I made some changes to this setup eons ago. Obviously this isn't something I do every day.
Let me try to retrieve some notes on this and see if that helps me track down what I've done wrong. Thanks.
-
I found the firewall script I had running on the old system where this setup was working (and had been for some time). It definitely has some custom masquerade rules, so I've just got to figure out the right way to convert them into pfSense.
Will advise.
-
@soonerdave
The masquerading should be done on the VPN box.
This means it translates the source IP of packets going into your network into its own local IP.
-
@viragomann Right or wrong, that's not how it was done before. It was done in my firewall.
-
@soonerdave
I've no idea how you can solve this only on the router. I mentioned the options I know above.
But if you have it, come back and let us know, please.
-
@viragomann Oh, believe me, I feel totally stupid for not having done a more comprehensive job of documenting the previous, working firewall setup. I documented only the ports I forwarded, but not the masquerade rules. Totally dummy on me.
-
@viragomann SOLVED!! And props to you for nailing the problem.
My cohort who actually uses the box messaged me this morning and told me he had to fix the NAT on his box with the new IP it had been assigned. I have never set up an OpenVPN device for my own purposes, so I wasn't aware there was local NATting going on. I just made sure the firewall was opened up as needed, which is why I assumed I'd done something wrong on my side when I moved the setup to pfSense. Had I preserved his IP none of this would have happened. I've learned something new, and that's a good thing.
Problem completely solved and THANKS to everyone here who took the time to reply and help!!
-
@soonerdave said in OpenVPN server *behind* pfSense firewall - cannot reach Internet:
told me he had to fix the NAT on his box with the new IP it had been assigned.
You wrote above that nothing was changed in your network except the new firewall. If the box has a NAT masquerading rule, it will have an IP stated for this, since it might not have a variable for the interface IP like pfSense does.
You should have mentioned that you have created a new subnet.
-
@viragomann I didn't create a new subnet. His box was assigned a new IP from the same subnet that was recreated in my new server setup. If I had maintained the same IP on the new server, I have a sneaking suspicion we'd have had no problem at all.
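The failure described in this exchange, a NAT rule on the VPN box that named a specific IP and stopped matching once the box was given a new address, is easy to catch with a small audit of the box's NAT table. This is an added example, not code from the thread or from either box: it assumes a Linux server whose rules are read with `iptables-save`, and the dump and addresses below are constructed sample values, not the thread's real network.

```shell
#!/bin/sh
# Added example: flag SNAT rules on the VPN box that pin a source address,
# the dependency that broke in the thread when the box was re-addressed.
# Input is iptables-save text; "current" is whatever the interface holds now.
# Everything below is constructed sample data, not taken from the thread.

# Constructed sample of `iptables-save -t nat` on a box that was set up with a
# hard-coded SNAT target (192.168.1.50) plus one MASQUERADE rule for contrast.
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.50
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Print every SNAT rule whose --to-source differs from the address the
# interface actually has now. Usage: stale_snat_rules "$dump" <current-ip>
# Exit status: 0 if no rule is stale, 1 if at least one is.
stale_snat_rules() {
    dump="$1"; current_ip="$2"
    printf '%s\n' "$dump" | awk -v cur="$current_ip" '
        /-j SNAT/ {
            target = ""
            for (i = 1; i <= NF; i++)
                if ($i == "--to-source") target = $(i + 1)
            sub(/:.*/, "", target)   # drop any :port range, keep the address
            if (target != cur) { print; stale++ }
        }
        END { exit stale ? 1 : 0 }'
}

# Address currently configured on an interface (first IPv4 address only).
# Usage: current_ip_of <iface>; used on a live box, bypassed in offline checks.
current_ip_of() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n1
}

# Rules that survive a re-addressing unchanged: MASQUERADE resolves the
# interface address per packet, SNAT does not.
count_portable_nat_rules() {
    printf '%s\n' "$1" | grep -c -- '-j MASQUERADE'
}

# Live audit: sh nat-audit.sh --audit [iface]   (needs root for iptables-save)
if [ "${1:-}" = "--audit" ]; then
    iface="${2:-eth0}"
    dump=$(iptables-save -t nat)
    cur=$(current_ip_of "$iface")
    if stale_snat_rules "$dump" "$cur"; then
        echo "no SNAT rule pins an address other than $cur on $iface"
    else
        echo "the SNAT rules above pin an address that $iface no longer has (now $cur)" >&2
        exit 1
    fi
fi
```

Against the constructed dump, `stale_snat_rules "$SAMPLE_NAT_DUMP" 192.168.1.60` prints the SNAT line pinned to 192.168.1.50 and returns 1, while the same call with 192.168.1.50 prints nothing and returns 0. Running this after any re-addressing, or converting such rules to MASQUERADE, is the check that would have pointed at the box rather than at pfSense.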
-
@soonerdave said in OpenVPN server *behind* pfSense firewall - cannot reach Internet:
His box was assigned a new IP from the same subnet that was recreated in my new server setup
From DHCP?
If so, you should set a static mapping for his MAC.
-
@viragomann That was one of the first things I did when I rebuilt the network (static assignment). It wasn't DHCP, I just assigned it from a new block of addresses I'd reserved for a few devices. It just didn't remotely occur to me there would be dependencies on that IP within that client box. That just goes back to my lack of familiarity with the internals of the OpenVPN server box he is using. Hey, at least I learned something...