Netgate Discussion Forum

    OpenVPN Client for VLAN specific routes to Internet

viragomann @scottlindner

      @scottlindner said in OpenVPN Client for VLAN specific routes to Internet:

      VPNClient1

      So you have an interface assigned to the OpenVPN client and named it "VPNClient1".
      As you can see on the interface status page, there is also a gateway assigned to this interface. You can look at Status > gateways for its name, probably VPNClient1_VPN4.
      This is the gateway that you have to state in the policy routing firewall rule.

      So let us configure the policy routing.
      In Firewall > Rules > VLAN241VPNClient01 you might have already a pass rule allowing anything at this time.
      You can edit this rule or add a new one if you don't have any yet, open the advanced options, go down to "gateway" and select the VPN gateway (e.g. VPNClient1_VPN4) and save it.

      Outbound NAT:
      Add a new rule:
      Interface: VPNClient1
      protocol: any
      source: VLAN241VPNClient01 net
      destination: any
      translation: interface address

      That's basically all you need. However, this setup doesn't allow any internal access, because all matching traffic of the policy routing rule is directed to the VPN gateway.
But normally your internal devices (as well as those in the VLAN241VPNClient01 subnet) are configured to use the pfSense interface address for DNS resolution. However, this would end up in DNS leaks anyway. So best practice is to forward DNS requests on the respective interface to a public DNS server (this goes across the VPN due to the policy routing rule).
Maybe your DNS provider provides a DNS server, but you can also use Google's DNS, e.g. 8.8.8.8.

      So let us forward DNS requests to Google:
      Firewall > NAT > Port forward
      Add a new rule:
      Interface: VLAN241VPNClient01
      protocol: TCP/UDP
      Destination: This Firewall
      Dest. port: 53
      Redirect target: Single host > 8.8.8.8
      redirect port: 53

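Added example (not from the post and not pfSense code): a small Python model of the order in which the three pieces of configuration above act on a packet from a host on the VLAN. The VLAN subnet and interface address are constructed; the tunnel and WAN addresses are the ones that appear in the dpinger log later in the thread. It shows why the DNS port forward matters and what happens to the traffic while the VPN gateway is marked down.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed addresses for the VLAN; tunnel and WAN addresses as in the thread's log.
VLAN_NET = ip_network("192.168.241.0/24")      # "VLAN241VPNClient01 net"
VLAN_IF_ADDR = ip_address("192.168.241.1")     # pfSense address on that VLAN
VPN_ADDR = ip_address("10.4.123.37")           # VPNClient1 interface address
WAN_ADDR = ip_address("174.51.213.108")        # WAN address
PUBLIC_DNS = ip_address("8.8.8.8")             # redirect target of the port forward


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


def process(pkt: Packet, dns_redirect: bool, vpn_gateway_up: bool = True):
    """Return (path the packet takes, source address the destination sees)."""
    # 1. Port forwards (rdr) are applied before the filter rules, so DNS sent
    #    to the firewall's VLAN address is rewritten to 8.8.8.8 first.
    if dns_redirect and pkt.dst == VLAN_IF_ADDR and pkt.dport == 53:
        pkt = replace(pkt, dst=PUBLIC_DNS)
    # 2. Anything still addressed to the firewall is delivered locally. The
    #    resolver on pfSense then asks upstream via the default route (WAN),
    #    not via the policy route: that is the DNS leak the reply warns about.
    if pkt.dst == VLAN_IF_ADDR:
        return ("local", WAN_ADDR)
    # 3. The pass rule on VLAN241VPNClient01 with gateway VPNClient1_VPN4.
    #    With pfSense's default settings the gateway is left out of the rule
    #    while the gateway is marked down, so the traffic takes the default route.
    if pkt.src in VLAN_NET and vpn_gateway_up:
        # 4. Outbound NAT on VPNClient1 rewrites the source to the tunnel address.
        return ("VPNClient1", VPN_ADDR)
    # Default route plus the automatic outbound NAT on WAN.
    return ("WAN", WAN_ADDR)


def leaks_real_address(pkt: Packet, dns_redirect: bool, vpn_gateway_up: bool = True) -> bool:
    """True when the remote side would see the real WAN address."""
    return process(pkt, dns_redirect, vpn_gateway_up)[1] == WAN_ADDR


# Sample traffic from a constructed host on the VLAN.
HOST = ip_address("192.168.241.50")
WEB = Packet(HOST, ip_address("93.184.216.34"), "tcp", 443)
DNS = Packet(HOST, VLAN_IF_ADDR, "udp", 53)

if __name__ == "__main__":
    print("web via VPN:          ", process(WEB, dns_redirect=True))
    print("DNS without redirect: ", process(DNS, dns_redirect=False))
    print("DNS with redirect:    ", process(DNS, dns_redirect=True))
    print("web, gateway down:    ", process(WEB, True, vpn_gateway_up=False))
```

Checking the gateway-down case is worth doing before trusting the setup: with the default behaviour, a VPN outage silently moves the VLAN onto the WAN.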
scottlindner @viragomann

        @viragomann said in OpenVPN Client for VLAN specific routes to Internet:

        So you have an interface assigned to the OpenVPN client and named it "VPNClient1".
        As you can see on the interface status page, there is also a gateway assigned to this interface. You can look at Status > gateways for its name, probably VPNClient1_VPN4.

I hadn't looked at the gateway status before. Thank you for that tip. Is this an issue or just indicative that I don't have the firewall rules set up correctly yet?
[screenshot]

        and the client status says things are good
[screenshot]

        I'm going to continue on assuming this just means I need to set up your next steps.

        This is the gateway that you have to state in the policy routing firewall rule.

        So let us configure the policy routing.
        In Firewall > Rules > VLAN241VPNClient01 you might have already a pass rule allowing anything at this time.
        You can edit this rule or add a new one if you don't have any yet, open the advanced options, go down to "gateway" and select the VPN gateway (e.g. VPNClient1_VPN4) and save it.

[screenshot]

        Outbound NAT:
        Add a new rule:
        Interface: VPNClient1
        protocol: any
        source: VLAN241VPNClient01 net
        destination: any
        translation: interface address

[screenshot]

With both of those rules added, my phone connected to this WiFi SSID going through the VLAN241 will get internet access, but the whatsmyip.com site says it is my local Colorado Springs IP address rather than Frankfurt, Germany, which this VPN Client is configured to use.

        That's basically all you need. However, this setup doesn't allow any internal access, because all matching traffic of the policy routing rule is directed to the VPN gateway.
But normally your internal devices (as well as those in the VLAN241VPNClient01 subnet) are configured to use the pfSense interface address for DNS resolution. However, this would end up in DNS leaks anyway. So best practice is to forward DNS requests on the respective interface to a public DNS server (this goes across the VPN due to the policy routing rule).
Maybe your DNS provider provides a DNS server, but you can also use Google's DNS, e.g. 8.8.8.8.

        So let us forward DNS requests to Google:
        Firewall > NAT > Port forward
        Add a new rule:
        Interface: VLAN241VPNClient01
        protocol: TCP/UDP
        Destination: This Firewall
        Dest. port: 53
        Redirect target: Single host > 8.8.8.8
        redirect port: 53

viragomann @scottlindner

          @scottlindner said in OpenVPN Client for VLAN specific routes to Internet:

I hadn't looked at the gateway status before. Thank you for that tip. Is this an issue or just indicative that I don't have the firewall rules set up correctly yet?

          Presumably the server (monitoring IP) doesn't respond to ping.
          Yes, it should be online, otherwise the rule is omitted with default settings.

Best to monitor any public IP which responds to ping requests. 8.8.8.8 is often used for this.
          You can change it in the gateway settings. System > Routing > Gateways

scottlindner @viragomann

            @viragomann said in OpenVPN Client for VLAN specific routes to Internet:

            @scottlindner said in OpenVPN Client for VLAN specific routes to Internet:

I hadn't looked at the gateway status before. Thank you for that tip. Is this an issue or just indicative that I don't have the firewall rules set up correctly yet?

            Presumably the server (monitoring IP) doesn't respond to ping.
            Yes, it should be online, otherwise the rule is omitted with default settings.

Best to monitor any public IP which responds to ping requests. 8.8.8.8 is often used for this.
            You can change it in the gateway settings. System > Routing > Gateways

            I wasn't aware of that setting but it makes a lot of sense to switch it like that. It didn't have any effect.

            May 3 06:39:41	dpinger	79457	send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 174.51.212.1 bind_addr 174.51.213.108 identifier "WAN_DHCP "
            May 3 06:39:41	dpinger	79840	send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 8.8.8.8 bind_addr 10.4.123.37 identifier "VPNClient1_VPNV4 "
            May 3 06:39:43	dpinger	79840	VPNClient1_VPNV4 8.8.8.8: Alarm latency 0us stddev 0us loss 100%
            May 3 06:41:01	dpinger	79840	exiting on signal 15
            May 3 06:41:01	dpinger	79457	exiting on signal 15
            May 3 06:41:01	dpinger	68264	send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 174.51.212.1 bind_addr 174.51.213.108 identifier "WAN_DHCP "
            May 3 06:41:01	dpinger	68767	send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 8.8.8.8 bind_addr 10.4.123.34 identifier "VPNClient1_VPNV4 "
            May 3 06:41:03	dpinger	68767	VPNClient1_VPNV4 8.8.8.8: Alarm latency 0us stddev 0us loss 100%
            

            I'm going to poke around at potential ping issues connecting to this VPN service using my laptop and see if I can understand why this isn't working. My gut is I might have something off in the pfSense OVPN Client settings that is causing this, but I'll find out soon.

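Added example (not part of the post and not pfSense code): a Python parser for dpinger log lines like the ones quoted above, which pulls out each gateway's monitor address, the tunnel address dpinger binds to, and the loss alarms, and then reports the conditions a defender would want flagged: a gateway whose probes get no reply at all, and a tunnel address that changed across reconnects. The sample lines are the ones from the post, embedded with tab separators.

```python
import re

# The dpinger lines quoted in the thread (tab-separated: time, process, pid, message).
START = ("send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms "
         "data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% ")
LOG = "\n".join("\t".join(f) for f in [
    ("May 3 06:39:41", "dpinger", "79457", START + 'dest_addr 174.51.212.1 bind_addr 174.51.213.108 identifier "WAN_DHCP "'),
    ("May 3 06:39:41", "dpinger", "79840", START + 'dest_addr 8.8.8.8 bind_addr 10.4.123.37 identifier "VPNClient1_VPNV4 "'),
    ("May 3 06:39:43", "dpinger", "79840", "VPNClient1_VPNV4 8.8.8.8: Alarm latency 0us stddev 0us loss 100%"),
    ("May 3 06:41:01", "dpinger", "79840", "exiting on signal 15"),
    ("May 3 06:41:01", "dpinger", "79457", "exiting on signal 15"),
    ("May 3 06:41:01", "dpinger", "68264", START + 'dest_addr 174.51.212.1 bind_addr 174.51.213.108 identifier "WAN_DHCP "'),
    ("May 3 06:41:01", "dpinger", "68767", START + 'dest_addr 8.8.8.8 bind_addr 10.4.123.34 identifier "VPNClient1_VPNV4 "'),
    ("May 3 06:41:03", "dpinger", "68767", "VPNClient1_VPNV4 8.8.8.8: Alarm latency 0us stddev 0us loss 100%"),
])

# Startup line: monitor target, bound source address and the gateway identifier.
START_RE = re.compile(r'dest_addr (?P<dest>\S+) bind_addr (?P<bind>\S+) identifier "(?P<id>[^"]+)"')
# Alarm line: "<gateway> <monitor IP>: Alarm latency <n>us stddev <n>us loss <n>%"
ALARM_RE = re.compile(r'^(?P<id>\S+) (?P<dest>\S+): Alarm latency (?P<lat>\d+)us stddev (?P<sd>\d+)us loss (?P<loss>\d+)%')


def parse(log: str) -> dict:
    """Return {gateway: {"dest": ip, "binds": [ip, ...], "alarms": [(time, loss%), ...]}}."""
    gateways = {}
    for line in log.splitlines():
        parts = line.split("\t")
        if len(parts) < 4 or parts[1] != "dpinger":
            continue
        when, _, _pid, msg = parts[:4]
        m = START_RE.search(msg)
        if m:
            gw = gateways.setdefault(m["id"].strip(), {"dest": m["dest"], "binds": [], "alarms": []})
            gw["binds"].append(m["bind"])   # one entry per (re)start of dpinger
            continue
        m = ALARM_RE.match(msg)
        if m:
            gw = gateways.setdefault(m["id"], {"dest": m["dest"], "binds": [], "alarms": []})
            gw["alarms"].append((when, int(m["loss"])))
    return gateways


def findings(gateways: dict) -> list:
    """(gateway, message) pairs for the conditions worth looking into."""
    out = []
    for name, gw in gateways.items():
        if any(loss >= 100 for _, loss in gw["alarms"]):
            out.append((name, f"no replies from {gw['dest']} for probes sent from {gw['binds'][-1]}; "
                              "check outbound NAT on the VPN interface, floating rules, and the VPN log"))
        if len(set(gw["binds"])) > 1:
            out.append((name, "tunnel address changed across reconnects: " + " -> ".join(gw["binds"])))
    return out


if __name__ == "__main__":
    for name, msg in findings(parse(LOG)):
        print(f"{name}: {msg}")
```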
viragomann @scottlindner

              @scottlindner
              Possibly you're missing an outbound NAT rule for this.
Copy the one you've added recently (copy symbol on the right) and change the source to 127.0.0.0/8.

scottlindner @viragomann

                @viragomann said in OpenVPN Client for VLAN specific routes to Internet:

                127.0.0.0/8

                No change in VPN Gateway status.
[screenshot]

viragomann @scottlindner

                  @scottlindner
                  Hmmm. Maybe there is something wrong with your VPN connection or traffic is blocked elsewhere.

                  Do you have any floating rules?

                  Reconnect the VPN client and post the OpenVPN log section from there, please.

scottlindner @viragomann

                    @viragomann said in OpenVPN Client for VLAN specific routes to Internet:

                    @scottlindner
                    Hmmm. Maybe there is something wrong with your VPN connection or traffic is blocked elsewhere.

                    Do you have any floating rules?

                    I do but I don't see how they could cause this.
[screenshot]

                    Reconnect the VPN client and post the OpenVPN log section from there, please.

                    Check this out. With those rules I setup this morning I tried connecting remotely from work over lunch to get you the screenshots you wanted and although I connected, I couldn't access anything like I usually can. And just now I tried restarting the client and it wouldn't connect. So I tried connecting from my laptop and it wouldn't connect. I disabled the rules we wrote just a bit ago and now everything connects fine.

scottlindner @viragomann

                      @viragomann

                      What are my diagnostic options to figure out why traffic on the VPN VLAN isn't making it to the VPN Client gateway?

viragomann @scottlindner

                        @scottlindner
                        As I mentioned above, I'd suspect that there is something wrong with the VPN. So check the log for hints. Possibly set the log level to 3 or 4 before connecting.

Did you also try a reboot of pfSense? Outbound NAT changes sometimes need that.

Try different monitoring IPs. Use public IPs that you know respond when pinging from WAN.

                        When you sniff the traffic (packet capture) on the VPN interface, you should see the ICMP packets to the monitoring IP going out there:
                        <VPN IP> > <monitoring IP> ICMP request.
Ideally you also see response packets, but obviously there are none.

                        If that's the case, I would assume that there is an issue on the VPN providers side. Which one do you connect to?
Maybe they do not pass any traffic or do not NAT it on their internet outbound interface.
                        You can also try to tear down the client and configure a new one.

scottlindner @scottlindner

                          @scottlindner

I found this in the logs: "AEAD Decrypt error: cipher final failed". In searching online it is a handful of things. I turned up debug even further and I'm not seeing anything yet. It does seem to point to a client misconfiguration but the common themes I'm finding online are for NCP needing to be enabled and there is no option for that in the client. It is possible I'm missing a cipher suite but usually TLS errors show exactly what is missing when that happens. Gonna keep turning up the debug log pain.

scottlindner @viragomann
</gr_replreplace>
<gr_replace lines="299" cat="remove_boilerplate" orig="V 1 Reply">

                            @viragomann

                            I need to do more testing but I think I got it. It was a cipher suite issue but what confuses me is that the option I added to make it work conflicts with the ovpn client config I use from my laptop. In the Data Encryption Algorithms I have the following:

                            AES-256-CBC
                            AES-256-GCM
                            

                            What got it working was adding this to the custom options in the pfSense OVPN Client:

                            cipher AES-256-GCM
                            

                            The ovpn file provided by Ivacy that works on my laptop is:

                            client
                            
                            dev tun
                            remote de2-ovpn-udp.dns2use.com 53
                            proto udp
                            nobind
                            persist-key
                            persist-tun
                            tls-auth Wdc.key 1
                            ca ca.crt
                            cipher AES-256-CBC
                            comp-lzo
                            verb 1
                            mute 20
                            float
                            route-method exe
                            route-delay 2
                            auth-user-pass
                            auth-retry interact
                            explicit-exit-notify 2
                            ifconfig-nowarn
                            auth-nocache 
                            

                            So I'm a little confused why this is what it took to get it working. This is now a VPN question and not a firewall/routing question.

                            I still have testing to do to make sure it all works as I want it to, but the first initial test is working.

                            Appreciate your help and patience. Might have follow up questions if other things end up not working right.

                            V 1 Reply Last reply Reply Quote 0
viragomann @scottlindner

                              @scottlindner said in OpenVPN Client for VLAN specific routes to Internet:

                              In the Data Encryption Algorithms I have the following:

                              AES-256-CBC
                              AES-256-GCM

                              What got it working was adding this to the custom options in the pfSense OVPN Client:

                              cipher AES-256-GCM

                              You got the proper settings from the VPN provider. I know, there is not an option to import the config, but for verification you can show the OpenVPN config in pfSense. It is stored in /var/etc/openvpn.

                              Obviously the server doesn't support NCP. So you have to disable "Data Encryption Negotiation" and select the proper cipher at "Fallback Data Encryption Algorithm".
Then it doesn't matter what you have in "Data Encryption Algorithms".

                              Anyway, fine that you got it sorted now.

Edit:
"Data Encryption Negotiation" doesn't really need to be disabled, but the selection at "Fallback Data Encryption Algorithm" must match the cipher which is used by the other side.

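Added example (not from the thread and not OpenVPN or pfSense code): a simplified Python model of the rule stated in the reply above, that a client talking to a server which does not negotiate the data cipher (no NCP) must have its fallback cipher equal to the server's, while with NCP the server picks from the two data-ciphers lists. It assumes the mapping pfSense uses when writing the client config ("Data Encryption Algorithms" becomes data-ciphers, "Fallback Data Encryption Algorithm" becomes cipher, "Custom options" is appended last, so a repeated single-valued option wins); the server-side values are constructed to reproduce the thread's outcome, and OpenVPN's OCC-based cipher adoption is left out.

```python
# Excerpt of the provider's .ovpn file quoted earlier in the thread.
IVACY_OVPN = """client
dev tun
remote de2-ovpn-udp.dns2use.com 53
proto udp
tls-auth Wdc.key 1
cipher AES-256-CBC
comp-lzo
auth-user-pass
"""


def ovpn_option(config: str, name: str):
    """Value of a single-valued option; as in OpenVPN, the last occurrence wins."""
    value = None
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == name:
            value = parts[1]
    return value


def pfsense_client_config(data_ciphers, fallback, custom_options=""):
    """Config lines for the two GUI fields plus the custom options box (assumed layout)."""
    lines = [f"data-ciphers {':'.join(data_ciphers)}", f"cipher {fallback}"]
    if custom_options:
        lines.append(custom_options)
    return "\n".join(lines) + "\n"


def select_cipher(client_config: str, server_ncp: bool, server_ciphers):
    """Data-channel cipher the client ends up using, or None if the sides disagree.

    server_ciphers: the server's data-ciphers list with NCP, or a one-entry list
    holding its fixed --cipher without NCP (simplified model, see lead-in).
    """
    client_list = (ovpn_option(client_config, "data-ciphers") or "").split(":")
    client_fallback = ovpn_option(client_config, "cipher")
    if server_ncp:
        # Negotiated: the server takes the first of its own ciphers the client also offers.
        for cipher in server_ciphers:
            if cipher in client_list:
                return cipher
        return None
    # Not negotiated: the server uses its fixed cipher, the client its fallback.
    return server_ciphers[0] if server_ciphers[0] == client_fallback else None


# Constructed server behaviour consistent with the thread: no NCP, AES-256-GCM in use.
SERVER_NCP = False
SERVER_CIPHERS = ["AES-256-GCM"]
DATA_CIPHERS = ["AES-256-CBC", "AES-256-GCM"]        # "Data Encryption Algorithms"
FALLBACK = ovpn_option(IVACY_OVPN, "cipher")         # taken from the provider file
AS_CONFIGURED = pfsense_client_config(DATA_CIPHERS, FALLBACK)
WITH_CUSTOM = pfsense_client_config(DATA_CIPHERS, FALLBACK, "cipher AES-256-GCM")

if __name__ == "__main__":
    print("provider file says cipher:", FALLBACK)
    print("as configured:", select_cipher(AS_CONFIGURED, SERVER_NCP, SERVER_CIPHERS))
    print("with custom 'cipher AES-256-GCM':", select_cipher(WITH_CUSTOM, SERVER_NCP, SERVER_CIPHERS))
    print("if the server did NCP:", select_cipher(AS_CONFIGURED, True, ["AES-256-GCM", "AES-256-CBC"]))
```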
scottlindner @viragomann

                                @viragomann

                                I will check into that tonight. Thank you!

                                Although I didn't get the proper config from the provider. The proper config didn't work. I had to use a different cipher suite than the provider config specified. It doesn't make sense, but I was able to manually set what works. I might check with Ivacy why that is.

I want multiple connections for switching convenience. I quickly tried setting that up and both clients are stuck in pending. I haven't done any searching yet but I'm guessing this isn't an uncommon issue and am hoping it is trivial to resolve. Ivacy supports 5 concurrent connections. I only want two so this should work.

                                When I get the stuff sorted out that you just mentioned, I'll post back. Mostly so others struggling with this have at least a snapshot of what worked for someone at one point in time.

viragomann @scottlindner

                                  @scottlindner
                                  I see.

                                  Ivacy supports 5 concurrent connections. I only want two so this should work.

                                  Two on pfSense? Or one and another one on the laptop?

scottlindner @viragomann

                                    @viragomann said in OpenVPN Client for VLAN specific routes to Internet:

                                    @scottlindner
                                    I see.

                                    Ivacy supports 5 concurrent connections. I only want two so this should work.

                                    Two on pfSense? Or one and another one on the laptop?

                                    Two on pfSense so I have WiFi SSIDs for each. Easy switching for client computers.

viragomann @scottlindner

                                      @scottlindner
Multiple connections to a single VPN provider often fail, because the server gives you identical gateway IPs. Hence pfSense is not able to route to both.

                                      So it depends on the provider if this will succeed.

scottlindner @viragomann

                                        @viragomann said in OpenVPN Client for VLAN specific routes to Internet:

                                        @scottlindner
Multiple connections to a single VPN provider often fail, because the server gives you identical gateway IPs. Hence pfSense is not able to route to both.

                                        So it depends on the provider if this will succeed.

I'm using different hosts so the IPs will be in different locations. The first one I'm using is in Frankfurt, Germany for NHL and the second is in Salt Lake City so my boys can do gaming together when the game doesn't support multiple consoles from the same IP.

viragomann @scottlindner

                                          @scottlindner said in OpenVPN Client for VLAN specific routes to Internet:

                                          I'm using different hosts so the IPs will be in different locations

                                          You could run into conflicts anyway, since VPN providers often use the same configuration on their server, even in different locations.

But maybe yours doesn't and multiple connections are working well. I just wanted to leave a warning.

scottlindner @viragomann

                                            @viragomann said in OpenVPN Client for VLAN specific routes to Internet:

                                            @scottlindner said in OpenVPN Client for VLAN specific routes to Internet:

                                            I'm using different hosts so the IPs will be in different locations

                                            You could run into conflicts anyway, since VPN providers often use the same configuration on their server, even in different locations.

But maybe yours doesn't and multiple connections are working well. I just wanted to leave a warning.

I confirmed with Ivacy that it usually will not work to have multiple connections from the same host and if it does work it likely will be unstable. It isn't a limitation from the home network, but the host itself. So maybe I run a few more instances on an RPi with docker (a container per connection for host isolation) and roll that way.

                                            Appreciate the help. This is all working well now. Thank you! And if I do end up using an RPi with docker for multiple connections I'll share how that works out.
