Netgate Discussion Forum

    Problem configuration OpenVPN

      Gertjan @kilian77

      @kilian77
      Your WAN firewall rule (placed at the top - if you have more than one WAN rule) is logging ?
      Do the counters go up ?

      If : no logs and/or the counters stay the same : that means traffic isn't reaching pfSense.

      You can also test with this :
      The pfSense packet capture :

      ad9b1628-4e1d-4b38-be96-64568f4a5f28-image.png

      I've selected my WAN (ix3), protocol UDP, and port 1194.
      I wanted '10' packets.
      The result was shown in a couple of seconds, as I was using the OpenVPN server at that moment => I had to use OpenVPN to connect to my 'work' Livebox, as pfSense to do this test ;)

      So : can you capture traffic ?
      If not : check Livebox.

      This is probably not needed, but I've set it :

      20fd5ab9-443b-4eee-97c9-318439657e53-image.png

      as pfSense is my only Livebox LAN device, I asked Livebox to redirect all incoming traffic to the DMZ : pfSense3

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

        kilian77 @Gertjan

        @Gertjan Hello

        851f94dd-ebdc-4d1a-9210-2fb87481c9e6-image.png

        I see that when I capture.
        The problem can come from the firewall of the ISP router

          Gertjan

          @kilian77

          Well, all depends on what the conditions of the capture are.

          But if you set up the conditions as I did : nothing reaches pfSense - so nothing to capture.
          The OpenVPN server never receives any traffic.

          Something to test your livebox NAT firewall skills :

          First :
          Can you access your pfSense from LAN using : http://192.168.10.22

          ( and for my own curiosity : why 192.168.10.22 ? 192.168.10.1 == ok - If you have to, 192.168.10.254 - but why 10.22 ?? Strange IP like that, that smells like trouble from x miles away )

          if so : go to the Livebox, and NAT port 80 TCP to 192.168.10.22.

          From now on, with your phone - phone NOT connected to Wifi ( !! ) you can access the pfSense GUI from 'the Internet'.

          Do this for testing, don't leave this Livebox NAT rule in place.

          I just did this test on my side :

          First : Livebox : port 80 and 443 TCP :

          678eab59-5700-4f49-9172-770087f5e590-image.png

          Next : pfSense : idem :

          1be3c1bb-3c5a-4527-a611-54ade25a98ad-image.png

          I called my neighbor, and asked if they could try http://82.127.26.10x
          He said there was a certificate error (that's normal, as my pfSense is redirecting port 80 to port 443) but when he clicked on "Go ahead anyway" he saw the pfSense GUI.

          Btw : if any of the other devices connected to the Livebox uses uPNP, then I can imagine that NATting doesn't work, as destination ports are already used by other devices : solution : de-activate uPNP.

          Double check that your WAN IP is not some kind of NATted IP (CGNAT) .... I think Orange doesn't do that .... but anyway : check.

          And finally, for 'reasons' Orange can 'firewall' you from their side. Never saw them doing that myself ... but, hey, why not .... we see every day something new ;)

            kilian77 @Gertjan

            @Gertjan So, yes I can access the interface with the address 192.168.10.22.
            The address is 10.22 because I already have other devices that have IPs generated before 22, that's all.

            98c2b517-68f2-4244-b3e8-33cf77325b83-image.png

            the NAT test is inconclusive

              johnpoz LAYER 8 Global Moderator @kilian77

              @kilian77 if the wan router in front of pfsense is using 192.168.1 as its network, then pfsense wan would need an IP on the 192.168.1 network.

              How exactly do you have things connected.. You're showing traffic hitting your wan coming from 192.168.10 addresses..

              internet -- isp router -- 192.168.1 -- (wan) pfsense (lan) - 192.168.x

              Yes your pfsense lan has to be a different network than the wan.. But the wan has to be in the 192.168.1 network if that is the network your isp device is using..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                kilian77 @johnpoz

                @johnpoz
                Hello, no my ISP router is also in 192.168.10.X

                  Gertjan @kilian77

                  @kilian77 said in Problem configuration OpenVPN:

                  Hello, no my ISP router is also in 192.168.10.X

                  What do you mean by 'also' ?

                  Can you make a drawing with all the IP addresses / networks / Network names on every router side ?

                    johnpoz LAYER 8 Global Moderator @kilian77

                    @kilian77

                    So you changed it from the 192.168.1 it was using?

                    Yeah a drawing would be helpful, you're not plugging everything into a dumb switch - ie both wan and lan?

                      kilian77 @johnpoz

                      @johnpoz my ISP router: 192.168.10.1
                      my pfsense WAN port: 192.168.10.22
                      my pfsense LAN port: 192.168.1.1

                        Gertjan @kilian77

                        @kilian77 said in Problem configuration OpenVPN:

                        @johnpoz my ISP router: 192.168.10.1
                        my pfsense WAN port: 192.168.10.22
                        my pfsense LAN port: 192.168.1.1

                        Ok, that's fine.
                        As that is what I have.

                        f3730204-1f71-4696-ae1b-779d79caf14a-image.png

                        My pfSense WAN IP (DHCP) is :

                        49ee6be1-b9ea-4f36-b569-e78fb7f32638-image.png

                        What about the other Livebox settings ?
                        You've set a DMZ ?
                        What is the firewall setting ?

                        I use :

                        6fd31916-4d51-4759-a9a1-38421c83c6c9-image.png

                        This (uPNP) has been shut down :

                        68154c35-a684-4479-b02d-e2834c143c22-image.png

                        as, as it says (translation) : this option can make your life hard ...

                        Nothing here :

                        7a8a35e6-e01d-413c-8c2a-29ceab16f7d9-image.png

                        As said earlier :

                        debb9342-f2dd-4f4f-9110-f424172fcc0f-image.png

                        Because 'why not'. (pfSense is the only LAN device of my Livebox [except the Orange TV decoder ])

                        If with these settings you still won't find a solution.

                        RESET the Livebox (and do not restore faulty settings back in !!).
                        You have to give manually the fti/xxxxxxxx and the connection ISP password
                        Make the connection work.
                        Then change the LAN network from 192.168.1.1/24 to 192.168.10.1/24
                        And make that work - test with pfSense.

                        Then : make the NAT OpenVPN rule UDP to pfSense, port 1194.
                        And test.

                        It is and should be as easy as that.
                        Remember : These Liveboxes are world's most stupid ISP routers on the planet.

                        It still doesn't work : throw it out of the window.
                        Call 3901 (Orange Support).

                        And also : visit the neighbor : test at his place.
                        Or come pay me a visit, I'll show you.

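The checks raised in this thread (pfSense WAN and LAN in different networks, the ISP router's own WAN address not sitting behind CGNAT, and whether captured UDP 1194 packets come from beyond the WAN segment), as an added example that is not code from any poster or from pfSense. The function names, the documentation addresses 203.0.113.10 and 198.51.100.7, and the tcpdump-style capture lines are constructed; it assumes the ISP router forwards packets without rewriting their source address.

```python
import ipaddress
import re

# Address ranges that are never reachable from the Internet without NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
# tcpdump-style text: "IP src.sport > dst.dport: UDP, length N"
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP")

def check_plan(isp_wan_ip, pf_wan, pf_lan):
    """Findings for the chain Internet -> ISP router -> pfSense WAN -> pfSense LAN."""
    isp_ip = ipaddress.ip_address(isp_wan_ip)
    wan, lan = ipaddress.ip_interface(pf_wan), ipaddress.ip_interface(pf_lan)
    findings = []
    if wan.network.overlaps(lan.network):
        findings.append("pfSense WAN and LAN are in the same network")
    if any(wan.ip in n for n in RFC1918):
        findings.append(f"pfSense WAN is private: ISP router must forward UDP 1194 to {wan.ip}")
    if isp_ip in CGNAT or any(isp_ip in n for n in RFC1918):
        findings.append("ISP router WAN is itself NATted (CGNAT): inbound forwards are unreachable")
    return findings

def capture_sources(lines, pf_wan, port=1194):
    """Sources of UDP packets sent to pfSense WAN:port, split into on-segment / off-segment."""
    wan = ipaddress.ip_interface(pf_wan)
    local, remote = set(), set()
    for line in lines:
        m = LINE.search(line)
        if not m or m.group(3) != str(wan.ip) or int(m.group(4)) != port:
            continue  # not UDP traffic addressed to the OpenVPN listener
        src = ipaddress.ip_address(m.group(1))
        (local if src in wan.network else remote).add(str(src))
    return sorted(local), sorted(remote)

# Constructed capture lines (not taken from the thread's screenshots).
SAMPLE = [
    "12:00:01.000000 IP 192.168.10.35.51000 > 192.168.10.22.1194: UDP, length 42",
    "12:00:02.000000 IP 192.168.10.22.1194 > 192.168.10.35.51000: UDP, length 54",
    "12:00:03.000000 IP 192.168.10.35.137 > 192.168.10.255.137: UDP, length 50",
]

if __name__ == "__main__":
    for finding in check_plan("203.0.113.10", "192.168.10.22/24", "192.168.1.1/24"):
        print("plan:", finding)
    local, remote = capture_sources(SAMPLE, "192.168.10.22/24")
    if not remote:
        print("capture: only on-segment sources", local, "- nothing forwarded from the Internet")
```

An empty off-segment list with a non-empty on-segment list means the test client was on the ISP router's LAN, so the capture says nothing about the port forward.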