No traffic over CloudConnexa Connector

Bambos

@viragomann yes, there are many devices on this LAN , able to respond to foreign networks sources, similar configuration i have between between 2 pfsense devices.

Everything seems ok in terms of the connector , IP services, Route on Cloudconnexa , everything online. Also i have a correct route push to the remote access Client by the Open VPN Connect app.
On the pfsense, the tunnel is established succesfully using the CA and Certificate / KEY , and the gateway is initiated successfully and IP's are assigned.
Finally i have an allow rule on the pfsense cloudconnexa VPN interface that i assigned by the vpn client instance. All routes are in place. but still no traffic.

viragomann

@Bambos
So you say, everything is set correctly, but it doesn't work. And you don't provide real configuration details. So how should anybody here help you?

Then go to your pfSense and sniff the traffic on the incoming VPN interface and on that towards the destination device, while you try to access it.
Then come back with results.

Bambos

@viragomann I'm very happy to share all the details, but this cloudconnexa platform is self managed with default tunnels etc... you just set a "connector" for the site to site VPN tunnel, and routing to destination network through that "connector".

The connector is site to site on Cloudconnexa for pfSense (between many more providers). For this there is option to create a Route to destination network for remote access clients, and "IP Service" for the site to site connection. i have followed this: https://openvpn.net/cloud-docs/owner/routers/router-user-guides/using-cloudconnexa-profile-to-configure-pfsense.html
which is a single configuration for the site to site tunnel. (nothing to set really).

Like below:

On the pfsense site:

and an allow all rule on the VPN interface.

On the Windows Client:

viragomann

@Bambos
So obviously Windows is not respecting the shown route.
Maybe there is another route for this destination with higher priority?

Bambos

@viragomann Thanks for the hint. the routing is clean on the windows client.

Since my pfSense to pfsense (site to site) and then remote access to pfsense tunnels are working, after your comment i suspected that something is wrong with CloudConnexa and open a support ticket there. I'm coming back with news, after they ask all the basic things. :)

viragomann

@Bambos
As I understood this setup, there is
LAN <-> pfSense <-> VPN to CloudConnexa <-> VPN to Windows client

And the above screenshots are from the Winodws client. The first one obviously shows a static route, but the tracert in the second does not follow it.

Bambos

@viragomann yes, exactly this is the setup.
I had a foreign partner asking for access on a specific device inside the LAN. 192.168.47.22. I suggest to have a small pfsense, hardware or VM on their side to serve as open vpn server, so i can establish a tunnel to it and gain access to the device by remote access VPN Server.
They search for a cloud alternative instead, and suggested CloudConnexa, which is openvpn.com service. to my understanding, pre-defined instances of Open VPN Servers to accept multiple connections and also provide remote Access VPN to users.

Let's hope the folks handling the CloudConnexa ticket will support. I'm coming back for any updates.

Bambos

@viragomann i got some strange updates with this VPN Setup.

It NEEDS the dedicated VPN interface to be assigned, but also needs the bogon networks unblocked. (private networks blocked or unblocked has nothing to do) i don't know why. Is working like below:

But also another strange thing, is that the actuall traffic of the VPN Tunnel is working through the OpenVPN interface, (which is for remote access) if i'm not mistaken.

For Site to Site tunnel, i was expecting to have all the traffic to the dedicated VPN Tunnel interface.
Can i have your comments on that ?? Is it incompatibility between pfsense versions ? or cloudconnexa issue ??

viragomann

@Bambos said in No traffic over CloudConnexa Connector:

It NEEDS the dedicated VPN interface to be assigned, but also needs the bogon networks unblocked. (private networks blocked or unblocked has nothing to do) i don't know why.

OMG, they indeed use bogon for the OpenVPN tunnel and obviously they do masquerading (S-NAT) on traffic to your site.
Without masquerading, you would have to allow private networks.
This means, traffic from the remote to your site is coming in from the source of the VPN servers virtual IP.

But also another strange thing, is that the actuall traffic of the VPN Tunnel is working through the OpenVPN interface, (which is for remote access) if i'm not mistaken.
For Site to Site tunnel, i was expecting to have all the traffic to the dedicated VPN Tunnel interface.

The "OpenVPN" is an interface group in fact. It is automatically created by pfSense, when firing up the first OpenVPN instance, either server or client. So it also includes both types.

You have to know, that rules on interface groups are probed first, so they have priority over ones on member interfaces. So if a rule on the group applies, block, reject or pass, rules on the member interface are ignored.

Bambos

@viragomann Thanks for the info.

I have other site to site tunnels between pfsense boxes, and there is no rule on OpenVPN interface, and all the rules apply to the dedicated assigned interface.

What is the difference with this setup ??

viragomann

@Bambos said in No traffic over CloudConnexa Connector:

I have other site to site tunnels between pfsense boxes, and there is no rule on OpenVPN interface, and all the rules apply to the dedicated assigned interface.

What is the difference with this setup ??

As I mentioned, OpenVPN is an interface group. Rules on this tab are applied to all OpenVPN instances on the machine.

Refer to the docs:
Interface Groups
Rule Processing Order