Open ports through OpenVPN
-
@Cliffb said in Open ports through OpenVPN:
This is the OpenVPN rules tab
So why didn't you remove the pass rule as I suggested?
Are you saying this should be set to Hybrid?
Hybrid mode is suitable, for sure. With this, pfSense enables the automatic rules and the manual rules as well.
-
Hi,
I had removed the static rule, but it made no difference.
But I will remove it again, set it to Hybrid and try again. Thanks for your patience.
Cliff
-
Hi, right, I have enabled Hybrid Outbound NAT, which has added some entries at the bottom,
and the OpenVPN tab has no rules.
My OpenVPN client has only this NAT rule.
The WAN rules are empty and LAN only has the defaults.
Is there anything I may have missed, and is there something else stopping this? If I go to Diagnostics and pfTop, I am not seeing any port 80 traffic.
Appreciate your assistance.
Cliff
-
@Cliffb
It would not work if a pass rule on the OpenVPN tab matches the incoming traffic. Could be that the destination server blocks access from outside.
To investigate on pfSense, use Diagnostics > Packet Capture to sniff the traffic.
On the OPT1 interface you should see the incoming packets on port 80.
If you only see request packets there but no responses, sniff on the LAN interface. If it's the same there, your server doesn't respond. If there are response packets as well, we have to dig further.
-
It appears no traffic on port 80 is hitting the OpenVPN client interface to come in,
so in case I have missed something further upstream:
I have a Ubiquiti USG3 and the pfSense is running on LAN port 2.
LAN port 2 is giving a DHCP address of 192.168.2.6 to the WAN side of pfSense.
There are no rules in the USG3 firewall for that LAN port 2. I assume no rules are required, as the tunnel is established from the pfSense outbound and traffic comes in via the tunnel? And before the pfSense firewall was put in, I used the PureVPN client on the webserver and I could get in to the webserver from the internet, just to test that I can get to the webserver from outside via the PureVPN tunnel.
With the packet capture I am not seeing anything inbound looking like it's headed to the webserver. So could my issue be elsewhere in the setup?
I am still thinking it's something in the pfSense setup, but I don't understand where, or where to look.
Thanks
Cliff
-
@Cliffb
Since pfSense establishes the VPN to the provider, the USG is not in play here.
The incoming packets to port 80 should be destined to the OPT1 address, which should be your virtual VPN IP. So I'd expect that you can see the packets there if the VPN is working. As you say it works if you connect the webserver directly, this should mean that everything is set up correctly at the provider.
So on your side you just have to ensure that the VPN is connected properly.
Check Status > OpenVPN and the OpenVPN log to see if there is something wrong. On the webserver, did you configure the network properly and set the default gateway to the pfSense LAN IP?
Can you try to connect the VPN on the server through pfSense?
-
Hey, thanks for getting back to me.
Not seeing any packets coming in at all, plenty going out, and I can get out through the VPN.
The OpenVPN log is showing good. I can't put up a screenshot, as I have currently been playing remotely from the server, changed some settings and locked myself out, but that will be fixed when I get back to the machine.
I did read somewhere that an OpenVPN client connecting to PureVPN will allow outbound but not inbound, so the issue could be that the OpenVPN connection to PureVPN is a one-way connection,
which, if so, sucks! I needed to get to some equipment on my LAN from the internet and CGNAT is stopping it. I was hoping this was the cure; I may have to have a total re-think.
Cliff
-
OK, worked out why now. So after all that effort, PureVPN only supports inbound ports on certain devices; OpenVPN is allegedly not supported for inbound, which is why I can't see any packets coming in.
Not that I understand what they are saying, as allegedly OpenVPN is supported for inbound on DD-WRT. I would have thought it would have been pretty much the same.
Have to have a rethink now. Thanks for your efforts.
Cliff
-
@Cliffb
Don't know how much you pay for this service, but consider running your own VPS with a public IP and a VPN server. This way you can forward any port to your home network. However, it might cost a bit more.
-
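As an added illustration of the VPS approach suggested above (not configuration from the original thread, pfSense, or any VPN provider): a WireGuard tunnel where the home router dials out to a VPS that owns the public IP, and the VPS forwards TCP/80 from its public interface down the tunnel. The path /etc/wireguard/wg0.conf, the public interface name eth0, the 10.8.0.0/24 tunnel subnet, port 51820 and the key placeholders are all assumptions for the example; substitute your own.

```ini
# VPS side: /etc/wireguard/wg0.conf (assumed path; keys and addresses are placeholders)
[Interface]
Address    = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
# Forward TCP/80 arriving on the public interface (assumed eth0) to the home peer
# 10.8.0.2 across the tunnel. The POSTROUTING MASQUERADE rewrites the source to the
# VPS tunnel address so replies always return via wg0, even though the home side only
# routes 10.8.0.0/24 through the tunnel. Cost: the webserver sees 10.8.0.1 as client IP.
PostUp   = sysctl -w net.ipv4.ip_forward=1
PostUp   = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2:80
PostUp   = iptables -A FORWARD -i eth0 -o %i -p tcp -d 10.8.0.2 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
PostUp   = iptables -A FORWARD -i %i -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp   = iptables -t nat -A POSTROUTING -o %i -p tcp -d 10.8.0.2 --dport 80 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2:80
PostDown = iptables -D FORWARD -i eth0 -o %i -p tcp -d 10.8.0.2 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o %i -p tcp -d 10.8.0.2 --dport 80 -j MASQUERADE

[Peer]
# Home router behind CGNAT; only its tunnel address is allowed in from this peer
PublicKey  = <HOME_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

# ----------------------------------------------------------------------------
# Home side (the pfSense WireGuard peer, written in wg-quick form for clarity)
[Interface]
Address    = 10.8.0.2/24
PrivateKey = <HOME_PRIVATE_KEY>

[Peer]
PublicKey  = <VPS_PUBLIC_KEY>
Endpoint   = <VPS_PUBLIC_IP>:51820
AllowedIPs = 10.8.0.0/24
# Behind CGNAT the home side must initiate the handshake and keep the NAT mapping
# alive; the VPS can never reach it unsolicited.
PersistentKeepalive = 25
```

Two things to check on the home end: pfSense still needs its own port forward on the WireGuard interface (destination 10.8.0.2 port 80 to the LAN webserver) plus a matching pass rule, and the FORWARD chain on the VPS only admits the single port you forwarded, so the VPS is not a general open door into the LAN. If the webserver must log real client addresses, drop the MASQUERADE line and instead policy-route the webserver's return traffic back through the tunnel on pfSense.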
@viragomann That actually sounds like a proper idea. Not happy with this VPN service at all.
Thanks for your help. I think I'll go that route; this has not got me very far. Just have to find a good VPS and go with that.
Thanks