OpenVPN client will not connect outside local network

LPD7 · Apr 24, 2023, 3:40 PM

@viragomann
Will need to attempt connection again and capture logs. Will post when I am able to gather them. Thanks.

jaspery · Apr 24, 2023, 4:33 PM

I had similar problem like month ago, I was out from home and could not connect to Open VPN on pfsense from cellular , however before that everything worked fine.

When I returned home, I spent 2-3 evenings "debugging" everything, reading logs etc.

Eventually I came across an article about custom MTU setting for OpenVPN. Obviously I didn't want to mess with low-level settings. But eventually I decided to try. I experimentally picked lower mtu value and entered it in pfsdrver custom configuration parameters. And everything was back to normal after that. Just for the record, everything in the logs was good, firewall allowed the connection, but client could not establish connection to the server at all.

Unfortunately last week I had to reconfigure everything from scratch at home and lost my previous configuration so I cannot recall now how exactly I configured that.

I just saved that article for future reference: https://www.thegeekpub.com/271035/openvpn-mtu-finding-the-correct-settings/

it just seems to me that I had to go even lower than 1450, around 1300-1350 or so for MTU size.

LPD7 · Apr 30, 2023, 3:36 PM

Sorry for the delay in getting back but have news. I setup the client to continue trying to connect without timing out so I could watch the logs and see what was happening. I would see my mobile device with an IP assigned by the cell provider trying to access the server but kept getting blocked. I added the instance to the firewall rules to allow the traffic to pass and viola it still didnt work. After having stared at the logs and such until I was dizzy I decided to give it a rest and go bang my head against a brick wall. During this moment of contemplation we experienced a brief power outage at which time the server rebooted. A day or so later I was sitting in a parking lot drinking my tea and figured why not give the connection another try to see if a bolt of inspiration would come down and strike some sense into me and wouldnt you know it the connection worked. Now I didnt do anything other than add the aforementioned rule to the firewall which didnt work at the time but has since now shown itself to have been effective at resolving the issue and can only conclude that the system reboot made the difference. Was it a coincidence, was it fate or was it something else? Happy to hear your thoughts.

LPD7 · Apr 30, 2023, 3:38 PM

@jaspery Thank you for the feedback. I will retain this info as I am sure that I will run into another obstacle in my quest for the ideal vpn setup. Do you have any other lessons learned or advice from your journey you can share?

LPD7 · Apr 30, 2023, 3:51 PM

PS...Other than in the firewall and OpenVPN status logs I see no other indication that someone is connected. When I open status>system logs>openvpn I see no client connections is this status for clients accessing my server or my pfs instance of openvpn connecting to a vpn server? Also under vpn>openvpn>clients I see no openvpn clients either. Thanks.

jaspery · Apr 30, 2023, 4:32 PM

@lpd7 I've been using OpenVPN on pfsense for connecting to my home network for quite some time already (like 8-10 years), I've reinstalled it handful of times and it always worked normally after I followed standard pfsense's guide. An incident few weeks ago was a first time I had to go into advanced settings to play with MTU, that is why it took me couple of days to debug an issue. And in official guide, MTU thing is mentioned in a vague manner, so it is really hard to understand if I run into this exact issue or not, and how exactly to fix it. Other that that I don't really have any specific tips, since it's always worked for me from the box.

LPD7 · Apr 30, 2023, 5:35 PM

@jaspery What resource do you rely on for setting this up? I never went through the process of setting up a client as the video I used didnt go that route, it only had me setup a CA and a user cert with the credentials I use to log in which may be why nothing shows up under the vpn/openvpn/clients window when I am logged in. There is so much to configure (must have and nice to have) that its hard to visualize the "process flow" which is what I usually leverage when troubleshooting. Seems there are many ways to set it up and few resources that address the nuances for each. I am happy its currently working but I know its only a matter of time before something sends me back to square 1. Also I cant access everything on my network and am now trying to figure that one out.

jaspery · May 3, 2023, 2:54 PM

@lpd7 Well, just last week I set up it from scratch at home. I have fairly standard network with 1 WAN and multi LAN. I just followed instructions here: https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-ra.html

Made adjustment to reflect my network IP addresses and that was basically it, didn't do any crazy adjustments. Authentication: local user access ( since I only need 1-2 users).

And as described at the very end of the article Added User with the certificate and used OpenVPN Client Export Package to export profile for an iPhone.

and forget to mention, I ran again into MTU issue so I applied a fix for it.

LPD7 · May 3, 2023, 2:54 PM

@jaspery Do you see the client connection in any of the status windows within pfs? I am wondering why I dont see my client device anywhere in vpn/openvpn/clients or status/openvpn. The only place I see any indication I am connected is in status/system logs/openvpn and am trying to find out if this is normal. Have been digging through Netgate docs but havent seem to get the answer I think I am looking for. If I open this up to others here to use the vpn it would be nice to have a quick way to see who is connected.

viragomann · May 3, 2023, 4:19 PM

@lpd7 said in OpenVPN client will not connect outside local network:

vpn/openvpn/clients

This page is for setting up OpenVPN clients. It doesn't show connected clients.

But you should see each connected device in Status > OpenVPN.
What does this page show?

LPD7 · May 4, 2023, 12:07 PM

@viragomann Thanks for that info. I guess one part of my question is since I have a user account why isnt it listed in vpn/openvpn/clients? I am assuming "client" is a configured user who can access my server.

As for status I am currently connected via my phone (cell data) and there is nothing listed in status/openvpn.

Appreciate your feedback.

viragomann · May 4, 2023, 12:53 PM

@lpd7 said in OpenVPN client will not connect outside local network:

I guess one part of my question is since I have a user account why isnt it listed in vpn/openvpn/clients? I am assuming "client" is a configured user who can access my server.

I should be more clear. pfSense can act as an OpenVPN client as well. And this page is for setting up a client to connect to another OpenVPN server.

As for status I am currently connected via my phone (cell data) and there is nothing listed in status/openvpn.

What do you see on the status page?
There should be a section for your server. Check if it's the correct name you've stated as description in the server settings, and it status should show a green check:

LPD7 · May 10, 2023, 12:07 PM

@viragomann I have a client currently connected and nothing shows up in the status window. This seems pretty simple cant understand why there is no records of clients.

LPD7 · May 22, 2023, 3:55 PM

So can anyone provide suggestions as to why when I am connected to my PFS box via open vpn client that I do not see the connection listed in the status>openVPN screen?