Troubleshooting OpenVPN?
-
@jims
If the network settings are correct, maybe the device doesn't accept the access from outside of its subnet due to its own firewall. You can investigate this with the ping tool in the Diagnostic menu in pfSense.
Ping the concerned device with default source, then change the source to the OpenVPN client for instance. This has a source IP outside of the LAN. -
@viragomann When I try ping in the diagnostic tools it fails to both PCs. When I do it through the VPN from the phone it works for 1 PC. The IP is one different in the last number - i.e.
x.x.1.17 through the VPN
x.x.1.18 from pfSense
though I don't think that should make a difference.
I tried restarting the non-working PC thinking maybe the network settings got corrupted somehow from a pfSense restart, but it hasn't changed things. -
@viragomann This seems to have started when I changed some settings in pfsense although I am not sure they are related. VPN would stop working when I had a WAN network outage (which is also the link for VPN). Restarting pfsense would restore operation.
Under System>Advanced>Miscellaneous I set State Killing on Gateway Failure to "Kill states for all gateways that are down" and checked "Do not create rules when gateway is down". After this the VPN link didn't die but I had the problem of not being able to access all the devices on the local network.
-
@jims
Do you have any custom outbound NAT rules? -
@viragomann Pretty sure I don't and haven't done anything like that. But I don't have access at the moment to check. Where would I check that?
-
@jims
Firewall > NAT > Outbound
By default it's set in automatic mode and does no natting on the LAN interface. But if, as suspected, your LAN device is blocking the access, you could also circumvent this with a NAT rule. That would be a hack, in fact.
-
@viragomann I was under the impression the VPN connection appeared like the device was on the local network but it seems that isn't true. The from IP in the packet is outside the network. What's strange is that this was working until recently and I haven't changed the setup on those devices that aren't connecting.
Can I make the VPN connection appear as a local IP? Is this a good and reasonable solution?
If not, how should I address this on the individual devices? It would be nice if I didn't have to adjust every one.
-
@jims said in Troubleshooting OpenVPN?:
Can I make the VPN connection appear as a local IP? Is this a good and reasonable solution?
This is not a good idea at all. It would need to run the OpenVPN client in tap mode, which is not recommended, and strictly not recommended as a solution to circumvent the device's firewall rules.
The suggested solution is to configure the device accordingly to allow access from the VPN tunnel pool, as already mentioned.
But if the VPN is for your own purposes you may circumvent this behavior also by natting the traffic to the pfSense LAN IP.
To do so go to the outbound NAT settings and activate the hybrid mode.
Then add a rule with these settings:
interface: LAN
source: <OpenVPN tunnel network>
destination: any
translation: interface address -
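For readers who want to see what those four GUI settings amount to, here is the pf syntax equivalent as an added example (not pfSense's own generated rules, which use its own interface names and anchors); it also shows the kind of per-client access restriction mentioned later in the thread. The interface names, tunnel network and host address are assumed placeholders.

```pf
# Added illustration, not pfSense's generated ruleset: the pf(4) equivalent of
# the hybrid outbound NAT rule above, plus a filter rule limiting what VPN
# clients may reach. All values below are assumed placeholders.
lan_if   = "em1"             # LAN interface, assumed
ovpn_if  = "ovpns1"          # OpenVPN server interface, assumed
ovpn_net = "10.0.8.0/24"     # OpenVPN tunnel network, assumed
lan_host = "192.168.1.17"    # LAN device the client should reach, assumed

# Outbound NAT on LAN: traffic from the tunnel network is rewritten to the
# pfSense LAN address (interface address), so the LAN device sees only the
# pfSense LAN IP and its own firewall treats the traffic as on-subnet.
# Drawback, as noted in the thread: per-client source identity is lost on LAN.
nat on $lan_if from $ovpn_net to any -> ($lan_if)

# Restrict what authenticated VPN clients may reach: allow only SSH to one
# host and drop everything else arriving on the OpenVPN interface.
block in on $ovpn_if
pass in on $ovpn_if proto tcp from $ovpn_net to $lan_host port 22
```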
@viragomann Just guessing but the reason the one device allows traffic may be it is a very old version of Ubuntu and so has less restrictive firewall rules. Just a guess.
To make this work in a more recommended way how would I go about configuring the individual devices? The main one I have been wanting to use runs Ubuntu 18.04 IIRC. Also have a raspberry pi that I want to access. -
@jims
I'm not familiar with your devices' firewalls and this is not the proper place to get support for it. But as mentioned above, if you're the only user in the VPN you can circumvent the blocking with a NAT rule on pfSense.
The only drawback of this is that the LAN devices would only see the pfSense LAN IP as source when they are accessed from a VPN client. -
@viragomann I am the only user. Just don't want to make a security hole, but from what you say that may not be the issue. I will do some more investigation on how I might address it on the devices and figure out which way I want to go. Thank you so much for your help!
-
@viragomann It looks like it will be easy to add the VPN tunnel IP to be allowed by the device firewall. Is this a security issue? Will pfsense block that address on the WAN from accessing the LAN?
-
@jims
The traffic doesn't go through the WAN interface in a logical way. It is tunneled and comes in on the OpenVPN interface in pfSense.
Also the traffic cannot pass through a LAN device by default. This would require special settings on the device. Since I assume you control this device, you can be sure that they are not done. The whole security depends on the VPN authentication, regardless of how you realize the access to the LAN devices. The server is under your control, you say, so use a strong password and client certificates and you're safe.
On pfSense you can additionally configure what the clients are allowed to access.