No client Gateway/Internet routing
-
Hello,
I've been using pfSense for over a year and so far it is perfect, I've learned a lot of things and I love it.
However, OpenVPN setup seems to be driving me insane: sometimes it works, sometimes I need to change something and everything breaks.
My setup is pretty basic:
pfSense box with:
WAN interface (external IP)
LAN interface (192.168.1.X), pfSense box 192.168.1.1 (router/DNS/pfBlocker)
OpenVPN tunnel: 10.1.0.0
I've set up an OpenVPN server on the pfSense box using a tutorial and everything used to work fine (internet was working).
However, I've made some changes to NAT Outbound and now it seems that I have no way of accessing the internet from the clients, but I can see the local LAN just fine, so my problem seems to be that the client isn't routing through the pfSense router 192.168.1.1 to the WAN interface.
The clients never displayed a default gateway (ipconfig on the client) but the internet worked. I've tried pushing a route and a default gateway to the clients through the server config but it didn't change anything on the client, and I admit I don't know much about command line routing, I just followed suggestions I've found for similar problems.
I've tried enabling/disabling the NAT Outbound rules to no success.
I'm attaching the configs I have right now. There could be some glaring mistake in there.
-
The push route-gateway option in the VPN server settings won't be needed.
What was your intention in setting these outbound NAT rules?
Edit the first outbound NAT rule and set the destination to "any".
Delete the second rule.
The third rule is only reasonable if pfSense is not the default gateway in the connected subnets. If it is, you can delete it.
-
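A small model of how the outbound NAT rules discussed above are matched, added here as an illustration; it is not part of the thread and not pfSense code. The tunnel /24, the WAN address and the "before" rule set (destination narrowed to the LAN subnet) are assumptions.

```python
import ipaddress

# Constructed model of pfSense outbound NAT (not pfSense code): rules are
# evaluated top-down on the egress interface, first match wins, and a match
# rewrites the packet's source to the rule's translation address.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
VPN_NET = ipaddress.ip_network("10.1.0.0/24")      # tunnel net; /24 is an assumption
WAN_ADDR = ipaddress.ip_address("203.0.113.10")     # placeholder WAN address
LAN_ADDR = ipaddress.ip_address("192.168.1.1")      # pfSense LAN address from the thread
ANY = None                                          # pfSense "any" destination

def rule(iface, src, dst, nat_to):
    return {"iface": iface, "src": src, "dst": dst, "nat": nat_to}

def egress_iface(dst_ip):
    # Directly connected LAN goes out LAN; everything else follows the default route to WAN.
    return "LAN" if dst_ip in LAN_NET else "WAN"

def matches(r, iface, src_ip, dst_ip):
    return (r["iface"] == iface and src_ip in r["src"]
            and (r["dst"] is ANY or dst_ip in r["dst"]))

def translate(rules, src, dst):
    """Return the translated source address, or None when no rule applies
    (the packet leaves WAN with a private 10.1.0.x source and replies never return)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = egress_iface(dst_ip)
    for r in rules:
        if matches(r, iface, src_ip, dst_ip):
            return str(r["nat"])
    return None

# Assumed "before" state: the WAN rule's destination was narrowed to the LAN
# subnet, so VPN-client traffic to the Internet never matched it.
BROKEN = [
    rule("WAN", VPN_NET, LAN_NET, WAN_ADDR),
    rule("LAN", VPN_NET, LAN_NET, LAN_ADDR),
]
# After the advice in the thread: destination "any" on the WAN rule; the LAN
# rule is kept only because pfSense may not be every LAN host's default gateway.
FIXED = [
    rule("WAN", VPN_NET, ANY, WAN_ADDR),
    rule("LAN", VPN_NET, LAN_NET, LAN_ADDR),
]

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "Internet:", translate(rules, "10.1.0.6", "198.51.100.7"),
              "LAN:", translate(rules, "10.1.0.6", "192.168.1.20"))
```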
Thank you, it worked, I now have Internet access from the client.
I guess I'm just confused about what I need to do in order to have things working like I'm imagining they should work.
Basically I want to make the client look like it's on the internal LAN (192.168.1.X) to the other LAN computers.
When I'm on the LAN with another local computer, I can see the Windows Network and the computers in the LAN in Windows Explorer. I can't see them from the OpenVPN client (Windows as well), however I can access them by IP, I can access the services (DLNA, Plex, TVHeadEnd, HDHomeRun, HomeAssistant) so that's alright.
I initially thought that I could "mirror" the OpenVPN client IP to the LAN network through NAT, and somehow the DHCP server would create an internal LAN IP to mirror the OpenVPN tunnel IP. That could be wrong because of my poor understanding of what NAT is and what it does, of course. I wanted to learn by trying it, and I made a change that broke what worked.
My second guess is that the solution would be something more trivial like opening ports for WINS/NetBIOS services or something like that. I didn't want to go into that because I was more curious about NAT and what I can do with pfSense, to be honest.
-
Basically I want to make the client look like it's on the internal LAN (192.168.1.X) to the other LAN computers.
That is what your third outbound NAT rule is good for, but only for accessing LAN devices from OpenVPN clients.
What you are trying to achieve can be done by using a tap device and bridging the VPN tunnel to the LAN. Look here for details: https://forum.pfsense.org/index.php?topic=46984.0
-
Thanks, you are right, I need tap for Steam Streaming as well so I'll give that a try later.
However, my mobile phones and devices (Android and iOS) would need tun, because as far as I've read Android doesn't support tap, so I'll need two OpenVPN servers on the pfSense firewall.
However, until I go on with the tap OpenVPN server, I've got some weird behavior with the tun server:
When I connect just 1 device, everything is working. If I connect the 2nd device, the 1st one can't resolve DNS requests (Chrome displays "resolving hosts" and displays an error after a few tries) for up to 15-20 seconds. After it resumes working, if I go to the second device, the same behavior occurs. It's like the OpenVPN server can't accept 2 concurrent sessions at the same time and is reconnecting whichever device has made the latest request. The OpenVPN clients list in the status section always displays 1 client logged in as well. "Concurrent connections" in the server options is set to 3, so 2 would be fine.
I've attached the current OpenVPN server settings, maybe you could give me a hint about what's wrong here (if anything). Could it be the crypto selection (the pfSense hardware supports it, don't know about the phone client though) or does it not matter?
-
Are you trying to establish multiple VPN connections with a single user certificate?
If you intend to allow this you have to check "Duplicate connections".
-
Yes, that's what I'm trying to do. It's always me, using different devices.