Netgate Discussion Forum

    Pfsesne 2.7.0 OpenVPN Client connected, RDP Work OK BUT no internet access

      Unoptanio @Gertjan

      @Gertjan said in Pfsesne 2.7.0 OpenVPN Client connected, RDP Work OK BUT no internet access:

      s unbound also listens on 10.10.94.1, the OpenVPN server IP on the pfSense side.

      Why ? Now

      @Gertjan said in Pfsesne 2.7.0 OpenVPN Client connected, RDP Work OK BUT no internet access:

      Why ? Now you can use local URL/host names like server.XXXXpfSense.homa.arpa to join a RDP session on "server" on your LAN.
      8.8.8.8 and others don't know anything about your local devices ;)

      I finally found it. It's about the DNS resolver, at the bottom.

      You need to add the hostnames in the override section of the DNS resolver.
      This way you can access RDP using hostname.domain

      Tried it, it works.

      693bd1c3-830a-48b5-b0e4-ee94df4b58c7-image.png

      pfSensePlus24.03 2U BareMetal Asrock Industrial IMB-X1314MicroATX
      CPU: i7-13700@5.2GHz, RAM:32GB ECC, n°2 Samsung 870EVO SATA 2.5” SSD 1TB (ZFS) Raid1
      n°3 Intel i225-LM 2500/1000/100Mbps, n°1 NIC Intel i350-T4V2 10/100/1000 Mbps 4*GLAN, n°1 Intel X520-DA2

        Unoptanio @Unoptanio

        @Gertjan
        Good morning, excuse me, in the OpenVPN log section I find these IP addresses unknown to me that are trying something.

        Do I have to worry?
        What can I do?

        8f7ee4e1-fba5-4f99-9f3d-c63a2260ecc0-image.png

          Gertjan @Unoptanio

          @Unoptanio said in Pfsesne 2.7.0 OpenVPN Client connected, RDP Work OK BUT no internet access:

          Do I have to worry?

          Noop.
          Example : you have a phone, and a SIM card. So you have a phone number.
          Is it a surprise that everybody on earth can call you right now ? Of course not. That's the way it should work.
          ( although there are people that actually want to use the world's public phone network but do not want to be called by anyone .... or drive on the public road, and not want to encounter other people with their cars - you understand what I mean )

          Before, they had this perfect WAN firewall rule set :

          b3daea7a-6178-4574-a35a-839b223942f9-image.png

          Yep, that is right : no rules !!
          The default firewall behaviour is : drop everything that comes in.
          And if you had this one not checked :

          bc5a1583-8999-4dbf-ac69-d9c1b1089a90-image.png

          then you aren't even aware that there are actually incoming connections all the time.
          Like something pressing on your doorbell, and even trying if the front door is open .... They try without stopping.

          Now that your pfSense has a process that is actually listening on the WAN interface, (port 1194, protocol UDP), you suddenly can see them .....
          Nothing changed. You just became aware of this aspect. It was always there already.

          So nothing to worry about. It's part of becoming more "aware". Just keep on doing this ^;)

          @Unoptanio said in Pfsesne 2.7.0 OpenVPN Client connected, RDP Work OK BUT no internet access:

          What can I do?

          Although I should not be advising anybody to stop securing his infrastructure, I can tell you this :
          I do nothing.
          I have this rule :

          2c599434-7fed-4d59-9b19-c67b8d4f0fcf-image.png

          like you.
          And if someone manages to 'pass along' the OpenVPN (the process listening) then I kneel down and will say : "I'm honoured to meet you". OpenVPN-server as of today, hasn't been broken yet.
          When the entire planet went into a lockdown and home working became the new thing, every company was implementing an OpenVPN access.
          And noop ..... OpenVPN wasn't broken ....

          So : again : let them have it.

          You can, of course, do something about it.

          Stupid, but valid example :

          You saw the Source (IP) is a star which means : all the IPv4, so from 0.0.0.0 to 255.255.255.255.
          You can change that.
          Put an alias in place !
          And set this alias to the IPv4 of your phone or device you use to connect to your OpenVPN server.

          Now only you - your device - can connect to your OpenVPN.
          And nobody else.

          You'll find out quickly that you can't control what IPv4 your device is using while running around in your country.
          So : note down the IPv4 - and call home, and have the alias used in the OpenVPN set to this IPv4.
          Now you can connect again, using any IP.
          And no one else.

          You'll say : hey, that's tedious ! Of course it is. So, automate it !
          Example : use some dyndns client on your phone or PC. When it connects to the Internet, it will update your "your-device.dydns.org" so it points to your device.

          On the pfSense side of things, declare a URL/IP as "your-device.dydns.org". pfSense will now refresh the IP of this your-device.dydns.org every 5 minutes or so (check this !).

          So, your device gets an IPv4 - it will update it, and max 5 minutes later, the pfSense alias is 'resolved' and you can 'OpenVPN' into your pfSense as only that IP is now valid.

          Btw : I just invented this procedure, I never actually tested and used it.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??
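
For the "unknown IP addresses in the OpenVPN log" question discussed above, this is an added example (not part of the original posts, and not pfSense or OpenVPN code) that separates sources that only produced TLS errors from sources that actually completed a connection. The sample log lines, the certificate name `phone` and the function names are constructed for illustration; the message wording is assumed to follow OpenVPN's usual syslog output.

```python
import re
from collections import defaultdict

# Constructed sample in OpenVPN's syslog style; addresses are documentation ranges.
SAMPLE_LOG = """\
Jun  3 08:14:22 pfSense openvpn[4411]: 198.51.100.23:51820 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jun  3 08:14:22 pfSense openvpn[4411]: 198.51.100.23:51820 TLS Error: TLS handshake failed
Jun  3 08:31:09 pfSense openvpn[4411]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.0.2.77:33211
Jun  3 09:02:40 pfSense openvpn[4411]: 203.0.113.7:40112 [phone] Peer Connection Initiated with [AF_INET]203.0.113.7:40112
Jun  3 09:40:03 pfSense openvpn[4411]: 198.51.100.23:60001 TLS Error: TLS handshake failed
"""

PEER = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+")           # first ip:port on the line
LOGIN = re.compile(r"\[([^\]]+)\] Peer Connection Initiated")  # certificate common name

def triage(log_text):
    """Map each source IP to its TLS error count and the names that logged in from it."""
    stats = defaultdict(lambda: {"tls_errors": 0, "logins": set()})
    for line in log_text.splitlines():
        peer = PEER.search(line)
        if not peer:
            continue
        entry = stats[peer.group(1)]
        login = LOGIN.search(line)
        if login:
            entry["logins"].add(login.group(1))
        elif "TLS Error" in line:
            entry["tls_errors"] += 1
    return dict(stats)

def noise_only(stats):
    """Sources that only produced handshake errors: the strangers ringing the bell."""
    return sorted(ip for ip, s in stats.items() if s["tls_errors"] and not s["logins"])

def unexpected_logins(stats, expected_names):
    """(ip, name) pairs that completed a handshake under a name you did not expect."""
    return sorted((ip, n) for ip, s in stats.items()
                  for n in s["logins"] if n not in expected_names)

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("noise only:", noise_only(result))
    print("review:", unexpected_logins(result, {"phone"}))
```

Only entries returned by `unexpected_logins` deserve a closer look; the `noise_only` list is the background traffic that was already being dropped before the port was opened.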

            Unoptanio @Gertjan

            @Gertjan

            OK thank you.
            I follow your reasoning.
            I agree with you.
            Your advice is very valuable.

            I already had the option enabled
            b72aa94b-1fbf-4a57-8c4a-d913640ae75a-image.png

              Gertjan @Unoptanio

              @Unoptanio

              Hummm.
              From where in the GUI did you take this screenshot ?

                Unoptanio @Gertjan

                @Gertjan

                95473915-8cc1-4d47-9cb4-e72a0db7c0bd-image.png

                c69b52df-ff28-4967-9c71-bcc5d795b6c0-image.png

                  Unoptanio @Gertjan

                  @Gertjan

                  Where did you get this?
                  061255a4-a839-45d0-9b24-1dc6c7360994-image.png

                    Gertjan @Unoptanio

                    @Unoptanio

                    There, where you set the log option : Status > System Logs > Settings

                      Unoptanio @Unoptanio

                      @Gertjan

                      Found.
                      You saw it here

                      c6925c99-5aed-4f63-93bf-d4a9f05f1a3a-image.png

                        Unoptanio @Unoptanio

                        @Gertjan
                        But also in your firewall there are all these strangers ringing the bell?

                        3b6b29dd-9b05-40d4-9dc6-4f2a1aadc099-image.png

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.