Port Forwarding w/ OpenVPN Tunnel - What am I doing wrong?

techbooties · Dec 31, 2023, 4:36 PM

Hi - Did some research here, and everything I am seeing makes me this this should work, but alas.. It does not.

Scenario:

OpenVPN Tunnel to a new VPN Provider (AirVPN)
Oubound Traffic works, connection successful & stable.
Client's are part of an alias group & clients in the alias group connect to problem to the outside.
Inbound traffic on a specified port, to a machine in the alias group, via VPN interface appears to be blocked. Nothing in the firewall logs. I do see traffic in the Packet Capture attempting to send traffic to me.

Thank you in advance for any insight! I suspect that I may have a conflict with my general drop rule, but also not sure on what specifics I could be missing.

Interfaces:
🔒 Log in to view

Aliases:
🔒 Log in to view

Firewall -> NAT -> Port Forward:
🔒 Log in to view

Firewall -> NAT -> Outbound:
🔒 Log in to view

Firewall -> Rules -> Floating (To block VPN Addresses from using WAN IP directly)
🔒 Log in to view

Firewall -> Rules -> LAN (Ignore the gateway names, I updated the interfaces etc. switching to this new VPN provider.)
🔒 Log in to view

Firewall -> Rules -> VPN_WAN
🔒 Log in to view

Packet Capture:
🔒 Log in to view

viragomann · Jan 1, 2024, 2:01 PM

@techbooties said in Port Forwarding w/ OpenVPN Tunnel - What am I doing wrong?:

Client's are part of an alias group & clients in the alias group connect to problem to the outside.

Inbound traffic on a specified port, to a machine in the alias group, via VPN interface appears to be blocked. Nothing in the firewall logs. I do see traffic in the Packet Capture attempting to send traffic to me.
Packet Capture:

Sniff the traffic on the LAN interface to verify if it is blocked on pfSense.
If you can see the forwarded packets there, the traffic is probably blocked by the destination host.
Does it even listen on port 47161?

Firewall -> Rules -> Floating (To block VPN Addresses from using WAN IP directly)

This rule only blocks the host in the stated alias. But this makes no sense, since any traffic from this alias is directed to the VPN gateway by LAN policy routing rule and if the rule is omitted due to the gateway is down, any traffic is blocked by the next rule.

techbooties · Jan 1, 2024, 2:01 PM

@viragomann - Thx for the response. To clarify your points:

I was only saying that there is one IP (10.13.31.22) in the group "VPNAccess" which is an alias, per the guides followed. In my case, this is the only IP that should use the VPN (in the past, I had a few more in there but since consolidated.)
Telnet locally to the client from another local machine works on the port:
🔒 Log in to view
I sniffed on LAN, from the router to the client, and the ports show up. (When using another local to local host, it won't show up in the sniff, due to never hitting the router.) (Note: Ignore the hostname, it's a local domain, resolved locally at the moment.)
🔒 Log in to view

techbooties · Jan 9, 2024, 2:24 PM

Is there anyone else with a similar problem?

viragomann · Jan 9, 2024, 8:44 PM

@techbooties
Again, sniff the traffic on LAN using packet capture, while you try to access the service via VPN.
Post the result, please.

techboot · Jan 10, 2024, 1:01 PM

@viragomann - Thanks for the post. Was what I pasted previously in response to your question initially, not sufficient? I thought that I had done what you suggested?

viragomann · Jan 10, 2024, 1:15 PM

@techboot
You posted a pcap of LAN, while you obviously did a telnet from pfSense itself. And this seems to work.
However, I requested to sniff the traffic on LAN, while you access the server from outside via VPN.

techboot · Jan 13, 2024, 7:09 PM

@viragomann

Thanks -- Just got back to this today.

🔒 Log in to view

When I try the same telnet as above, I don't get any kind of connection. When using Lan to Lan I get a connection via telnet, so I can't say that the host machine is blocking this?

techbooties · Jan 14, 2024, 1:27 PM

@viragomann -- I wanted to add a detail that the VPN provider is issuing private IP addresses (ie: 10.X.X) but I imagine that is commonplace with every kind of VPN provider at this stage. Is there a rule I am missing?

I tried a block all rule on the VPN interface to see if I could get any kind of logging, and there was nothing even in the firewall block logs.

viragomann · Jan 14, 2024, 4:06 PM

@techboot
You're using a different destination port now, as allowed in the NAT rule?

Don't know, what kind of connection this is. It basically looks fine, but not any packet has a payload. So maybe it's just "keep alive" communication.

@techbooties said in Port Forwarding w/ OpenVPN Tunnel - What am I doing wrong?:

I wanted to add a detail that the VPN provider is issuing private IP addresses (ie: 10.X.X) but I imagine that is commonplace with every kind of VPN provider at this stage.

Changed the forum username?
No, it's not normal to masquerade the source IP.
And I was expecting to see a public IP.

techboot · Jan 14, 2024, 4:31 PM

@viragomann

I must have created a second account and didn't realize Google had an account linked and stored the other. Sorry for this confusion. I will clean up the duplicate account, but don't want to delete it mid-thread.

Yes, I changed the port number from the VPN provider... it's a static port, with the option to release and request a new one if needed.

So basically VPN provider (AirVPN) has public IP -> private IP with assigned port to route towards it (mine, when connected with the client) -> pfsense -> local machine

🔒 Log in to view

So my running theory now is that since I am being assigned a 10.x IP by the VPN provider upon connection to them, there is something I am missing fundamentally in my config?

techboot · Jan 14, 2024, 4:35 PM

@viragomann

Adding my outbound NAT for your reference:

🔒 Log in to view

viragomann · Jan 14, 2024, 4:35 PM

@techboot
This whole thread is already pretty confusing. In the screenshot above on the VPN interface, I can see public source IP. But then you say, the provider replaces it with a private one (masquerading)...

To get a step beyond, do a simple test, please:
Add an outbound NAT rule for the incoming traffic:
Interface: LAN
source: any
destination: <server IP>/32
translation: interface address

Check if you get access from outside.

techboot · Jan 14, 2024, 4:41 PM

@viragomann

To clarify when you say "server ip" do you want the public ip as seen in the screenshot or the assigned internal IP via Masquerading?

viragomann · Jan 14, 2024, 4:46 PM

@techboot
It's local IP.

Edit:
also flush the states after adding the rule.

techboot · Jan 14, 2024, 4:58 PM

@viragomann

No change. To confirm:

NAT:
🔒 Log in to view

Outbound NAT:
🔒 Log in to view

Rules (VPN Interface)
🔒 Log in to view

VPN Provider Port Check Tool: (Note, telnet to the public IP from an outside IP (ie: an Azure VPS, yields the same result)
🔒 Log in to view

--

In an effort to maybe make this easier, should I delete this thread and re-make it? I will remove all of the rules, NAT, etc.. reboot for good measure and start over with all of the details / information in one post based on your feedback and comments thus far?

viragomann · Jan 14, 2024, 5:03 PM

@techboot said in Port Forwarding w/ OpenVPN Tunnel - What am I doing wrong?:

NAT:

And the mess goes on...
10.13.31.22 is your VPN interface address. The NAT IP has to be your internal server IP!

Also you should limit the destination IP. Your may set it to the interface address.

techboot · Jan 14, 2024, 5:04 PM

@viragomann

10.13.31.22 is my internal IP.

The 10.65.130.4 is the IP assigned by the VPN provider.

viragomann · Jan 14, 2024, 5:07 PM

@techboot
Ah ya. So you need to edit the outbound NAT rule and correct the destination IP.

techboot · Jan 14, 2024, 5:13 PM

@viragomann

Cleared States.

🔒 Log in to view

--
🔒 Log in to view

--

I am confused what you mean by limit the destination IP and limit to the interface address. I assume you mean on the port forward tab?