OpenVPN client and incoming traffic
-
Hello,
I have an OpenVPN client session established from the firewall and I have created and assigned a pfSense interface to the ovpncX interface. Outbound traffic is working fine but I appear to be struggling to receive any incoming sessions. I spoke with the provider and they said that they don't block any incoming ports so all data will be passed through.
I am doing a simple telnet x.x.x.x 1234 from a remote machine to the public IP being given to me by the VPN provider but I'm not seeing a drop in filter.log. If I replace x.x.x.x with the public IP address from my ISP then I see the drop in filter.log (just to prove the remote machine is ok).
Do I need to do something else in pfSense to have it process incoming traffic on an OpenVPN interface?
Under the interface screen I have IPv4/IPv6 configuration type set to none and nothing else is set on that interface. Under Interface Status I see the IP correctly being provided to me by the VPN provider.
Thoughts?
-
So to understand your setup properly, you are trying to connect pfSense as client to an OpenVPN server at a VPN provider?
What have you done with pfSense rules and outbound NAT? What are you trying to connect? Are you trying to make the VPN essentially your WAN and have ALL traffic go over VPN, or only some traffic, or only a single subnet, or only a single machine...?
-
"So to understand your setup properly, you are trying to connect pfSense as client to an OpenVPN server at a VPN provider?"
Yes - that is correct
"What have you done with pfSense rules and outbound NAT? What are you trying to connect? Are you trying to make the VPN essentially your WAN and have ALL traffic go over VPN, or only some traffic, or only a single subnet, or only a single machine...?"
I have NAT set to Hybrid and I have added a rule that NATs everything from my internal segment and hides it behind the interface address of the OpenVPN VPN interface. In my outbound pfSense rules (from the Internal interface) I just apply the VPN's gateway on the rules that I want to forward traffic out the VPN. All of this works great.
My problem is with unsolicited inbound traffic. When I connect to the VPN provider I am given a public IP (a public IP which they tell me is not shared or firewalled). I would expect (and they have told me) that I should be able to connect to this public IP remotely. I've tried doing a NAT port forward, and I've tried just allowing traffic to drop and looking in the filter log. In both cases the traffic never seems to be processed at pfSense. I haven't tried a packet capture on the ovpnX interface yet to see there, so I guess that is next.
-
You will want to be sure that the inbound traffic is not matched by the rules on the OpenVPN tab (internally this is just an interface group) and is matched by rules on the OpenVPN assigned interface tab.
If the traffic is matched by the rules on the OpenVPN tab it will not get tagged with reply-to and replies will follow the routing table (likely sent out the default gateway) instead of being directed back out the appropriate OpenVPN client instance. I generally just disable/delete all the rules on the OpenVPN tab when I use assigned interfaces.
When connecting to a public OpenVPN provider, the OpenVPN interface rules should be treated like a WAN. Pass only what you want to come into your firewall. Block everything else (default deny applies).
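To make the reply-to point above concrete, here is an added example of the kind of pf rules pfSense generates for the two placements described in the reply. It is not from the thread or from the pfSense project; the interface name ovpnc1, the tunnel peer 10.8.0.1, the assigned public address 198.51.100.20 and port 1234 are constructed placeholders. It also shows the evaluation order that makes the group-tab rule win: pfSense emits floating rules first, then interface-group rules, then per-interface rules, and user rules carry quick.

```pf
# Constructed example of pfSense-style generated rules (not copied from a live box).

# pfSense's default deny sits near the top without "quick", so any inbound
# packet that no later "quick" pass rule claims is logged and dropped.
block in log inet all

# A rule created on the OpenVPN tab is written against the "openvpn" interface
# group. No reply-to is attached, so the state it creates answers via the
# routing table (normally the default WAN gateway). Because group rules are
# emitted before interface-tab rules and this one is "quick", it matches first
# and the assigned-interface rule below never gets a chance.
pass in quick on openvpn inet proto tcp from any to 198.51.100.20 port 1234 keep state

# The same policy created on the assigned interface tab (OPT1 -> ovpnc1).
# pfSense adds reply-to with the interface and its gateway (the tunnel peer),
# so replies for this state are forced back out ovpnc1 regardless of the
# routing table. This is the rule you want to be matching inbound VPN traffic;
# removing or disabling the OpenVPN-tab rule above lets it do so.
pass in quick on ovpnc1 reply-to (ovpnc1 10.8.0.1) inet proto tcp from any to 198.51.100.20 port 1234 keep state
```

With only the second pass rule in place the tunnel interface behaves like a WAN: the single port you chose is reachable and answered through the tunnel, and everything else arriving on ovpnc1 falls through to the logged default deny, which is where the drops the original poster was looking for in filter.log would appear.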
-
Derelict - that was it! Previously my OpenVPN sessions were just internal so there was a PASS all rule. Removed this and now I can see what I was missing.
Thank you!