Can connect to OVPN Server and that's about it
-
Hi all,
I am after some troubleshooting tips from the experts out there. I have an OVPN Server and a Group of OVPN Clients. Following this guide to the letter, I try and connect to the server and have all my traffic routed through it. As a bonus all traffic flowing back out to the internet should go through the VPN Clients.
I am able to connect to the server but unable to reach my LAN or go out to the internet. I can't ping, query DNS or reach a website, internal or on the internet, using an IP address. I see no firewall logs for the VPN Server client that connects.
I can't ask you to review all my settings but if you have any tips on what might have been wrongly configured or how to troubleshoot this it would be very much appreciated.
Thanks for any advice.
-
@pfsblah
Can you even ping the server's internal VPN IP? Did you add firewall rules to the VPN interface to allow access?
-
Hi @viragomann,
Thanks for your help. It's clear now that having all the info might be more helpful, so I went and gathered as much as possible. What puzzles me the most is why the Gateway is down. I am clearly missing some understanding in that area. In any case, here are the results of my findings and settings:
- Whatever I do, the VPN Server Gateway stays Offline with 100% packet loss. I guess I should have started with that.
The settings for the gateway are:
IPv4: dynamic; Monitoring IP: 8.8.4.4
- On my Mac I get an IP on interface utun8:
utun8: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    options=6460<TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
    inet 192.168.200.2 --> 192.168.200.2 netmask 0xffffff00
- netstat:
Internet:
Destination        Gateway            Flags           Netif Expire
default            link#27            UCSg            utun8
default            172.20.10.1        UGScIg          en0
1.1.1.1            link#27            UHW3Ig          utun8      2
4.2.2.1            link#27            UHW3Ig          utun8      4
4.2.2.2            link#27            UHW3Ig          utun8      4
17.253.107.19      link#27            UHWIig          utun8
17.253.107.25      link#27            UHWIig          utun8
127                127.0.0.1          UCS             lo0
127.0.0.1          127.0.0.1          UH              lo0
161.35.245.167     link#27            UHW3Ig          utun8      2
169.254            link#14            UCS             en0      !
172.20.10/28       link#14            UCS             en0      !
172.20.10.1/32     link#14            UCS             en0      !
172.20.10.1        12:da:63:52:1:64   UHLWIir         en0   1125
172.20.10.3/32     link#14            UCS             en0      !
172.20.10.3        92:63:82:59:92:e3  UHLWIi          lo0
172.20.10.15       ff:ff:ff:ff:ff:ff  UHLWbI          en0      !
192.168.20.10      link#27            UHWIig          utun8
192.168.200.1      link#27            UHWIig          utun8
192.168.200.2      192.168.200.2      UH              utun8
224.0.0/4          link#27            UmCS            utun8
224.0.0/4          link#14            UmCSI           en0      !
224.0.0.251        1:0:5e:0:0:fb      UHmLWI          en0
255.255.255.255/32 link#27            UCS             utun8
255.255.255.255/32 link#14            UCSI            en0      !
- Pinging myself and the server both result in 100% packet loss, but that could be due to a firewall rule:
$ ping 192.168.200.2 -c 3
PING 192.168.200.2 (192.168.200.2): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
--- 192.168.200.2 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

$ ping 192.168.200.1 -c 3
PING 192.168.200.1 (192.168.200.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
--- 192.168.200.1 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
- Access to the internet:
$ dig google.com
; <<>> DiG 9.10.6 <<>> google.com
;; global options: +cmd
;; connection timed out; no servers could be reached

$ curl -v https://34.36.67.198/
*   Trying 34.36.67.198:443...
* connect to 34.36.67.198 port 443 from 192.168.200.2 port 64110 failed: Operation timed out
* Failed to connect to 34.36.67.198 port 443 after 75002 ms: Couldn't connect to server
* Closing connection
curl: (28) Failed to connect to 34.36.67.198 port 443 after 75002 ms: Couldn't connect to server
- Firewall rules for the VPN Interface
For a test I enabled a rule at the top with "any any any", so any protocol, any_source:any_port to any_dest:any_port, through the default GW (WAN, not the VPN client group).
- DNS
My DNS Resolver has the VPN interface selected in the list of Network Interfaces it listens on.
- Manual Outbound NAT
3 to the VPN Clients and one for testing to the WAN. They look like this:
interface: VPN (VPN Server interface)
protocol: any
source: VPN_subnet
destination: any
Translation address: VPN1_WAN address (first VPN Client in the pool)
The rule is repeated another 3 times for VPN2_WAN, VPN3_WAN and WAN address.
I hope this helps narrow things down. The gateway seems the obvious culprit but what can I do to debug that issue?
Thanks for any help.
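As an added example (not part of the original post or of pfSense), here is a small Python routing-table checker for the Mac-side question the netstat output above raises: is the "Redirect IPv4 Gateway" push actually in effect on the client? It parses a trimmed, constructed copy of the posted `netstat -rn` table (macOS abbreviates classful destinations such as `127`, `169.254` and `172.20.10/28`, which the helper expands), does a longest-prefix lookup for a few probe addresses, and reports which interface each would egress on. The LAN prefix `172.20.10.0/28` and the probe addresses are taken from the post; everything else is an assumption of the example. Rows carrying the `W` flag (for example `1.1.1.1`) are kernel-cloned host routes created when the Mac sent traffic to that address, so they resolve to a /32 rather than to the default route.

```python
import ipaddress

# Constructed sample: a trimmed copy of the "netstat -rn" Internet table the
# original poster shared, captured on the Mac while the OpenVPN client was up.
SAMPLE_NETSTAT = """\
Destination        Gateway            Flags           Netif Expire
default            link#27            UCSg            utun8
default            172.20.10.1        UGScIg          en0
1.1.1.1            link#27            UHW3Ig          utun8      2
4.2.2.2            link#27            UHW3Ig          utun8      4
127                127.0.0.1          UCS             lo0
127.0.0.1          127.0.0.1          UH              lo0
169.254            link#14            UCS             en0      !
172.20.10/28       link#14            UCS             en0      !
172.20.10.1        12:da:63:52:1:64   UHLWIir         en0   1125
192.168.20.10      link#27            UHWIig          utun8
192.168.200.1      link#27            UHWIig          utun8
192.168.200.2      192.168.200.2      UH              utun8
224.0.0/4          link#27            UmCS            utun8
255.255.255.255/32 link#27            UCS             utun8
"""


def expand_destination(dest):
    """Expand netstat's abbreviated Destination column to an ip_network.

    macOS prints classful short forms: '127' is 127.0.0.0/8, '169.254' is
    169.254.0.0/16, '172.20.10/28' is 172.20.10.0/28, 'default' is 0.0.0.0/0
    and a bare four-octet address is a /32 host route.
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, prefix = dest.partition("/")
    octets = addr.split(".")
    if not prefix:
        prefix = "32" if len(octets) == 4 else str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=False)


def parse_routes(text):
    """Return a list of (network, gateway, flags, netif) in table order."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        dest, gateway, flags, netif = parts[:4]
        routes.append((expand_destination(dest), gateway, flags, netif))
    return routes


def lookup(routes, ip):
    """Longest-prefix match; the first entry wins on a tie, so the first
    'default' row (the one OpenVPN inserted for utun8) beats the en0 one."""
    addr = ipaddress.ip_address(ip)
    best = None
    for route in routes:
        net = route[0]
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best


def egress_interfaces(routes, targets):
    """Map each target IP to the interface its traffic would leave on."""
    return {ip: lookup(routes, ip)[3] for ip in targets}


def redirect_gateway_ok(routes, tunnel_if, lan_net, targets):
    """True when every target outside the local LAN egresses via tunnel_if.

    That is what 'Redirect IPv4 Gateway' should produce on the client. If it
    holds, client-side routing is fine and the failure is past the tunnel
    (pfSense rules, outbound NAT or the resolver), not on the Mac.
    """
    lan = ipaddress.ip_network(lan_net)
    for ip in targets:
        if ipaddress.ip_address(ip) in lan:
            continue
        if lookup(routes, ip)[3] != tunnel_if:
            return False
    return True


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_NETSTAT)
    # Probe addresses from the thread: the curl target, a public resolver,
    # the tunnel gateway and the Mac's own LAN router.
    probes = ["34.36.67.198", "1.1.1.1", "192.168.200.1", "172.20.10.1"]
    for ip, netif in egress_interfaces(routes, probes).items():
        print(f"{ip:>15} -> {netif}")
    print("redirect-gateway in effect:",
          redirect_gateway_ok(routes, "utun8", "172.20.10.0/28", probes))
```

Running it against the posted table shows `34.36.67.198`, `1.1.1.1` and `192.168.200.1` leaving via `utun8` and only the LAN router via `en0`, which is the expected picture when redirect-gateway has been applied; the timeouts in the post therefore have to be explained on the pfSense side.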
-
@pfsblah said in Can connect to OVPN Server and that's about it:
utun8: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    options=6460<TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
    inet 192.168.200.2 --> 192.168.200.2 netmask 0xffffff00
This indicates wrong tunnel settings to me.
How did you configure the OpenVPN server?
Did you add a client specific override as well? -
@pfsblah said in Can connect to OVPN Server and that's about it:
Whatever I do, the VPN Server Gateway stays Offline with 100% packet loss. I guess I should have started with that
Why would you be setting a gateway on a RW setup?
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-ra.html
I have remote access into all of my networks and even the internet if I set the client to use the VPN for all traffic. I don't have a gateway set up on this. You only need a gateway for VPNs you use outbound from pfSense.
To be honest, the wizard runs through everything you need to set up a remote access, i.e. road warrior, setup. Trying to follow some old guide for a version of pfSense 2.5 that has been EOL for years doesn't make much sense to me, when you can just click through a wizard.
-
@viragomann
The VPN Settings are as follows:
IPv4 Tunnel Network: 192.168.200.0/24
Redirect IPv4 Gateway: enabled
DNS Server enable: enabled
DNS Server 1: 192.168.200.1
Block Outside DNS: enabled
Force DNS cache update: enabled
NTP Server enable: enabled
NTP Server 1: 192.168.200.1
I use the Client Export Utility package. The final result looks something like the following (redacted):
dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote my.home.com 1198 udp4
setenv opt block-outside-dns
lport 0
verify-x509-name "internal-ca" name
auth-user-pass
remote-cert-tls server
explicit-exit-notify
<ca>
-----BEGIN CERTIFICATE-----
<redacted>
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
<redacted>
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
<redacted>
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
<redacted>
-----END OpenVPN Static key V1-----
</tls-auth>
-
Hi @johnpoz,
Thanks for the link to the doc. I had followed the nguvu doc for my multi VPN client setup and just followed on with the next one to set up the VPN Server, as the first setup worked well and made sense. I will read the doc and try the wizard. Maybe I should have just done that! ;)
Thanks for your time.
-
Hi @johnpoz ,
I took your advice, scratched my setup (all of it I hope) and ran the wizard. I am certainly better off but not there yet. I see a few oddities which I hope are not due to legacy settings. If you have a sec, could you give me your opinion?
- Unable to reach the internal DNS. I specify the firewall as being the DNS on that interface but it doesn't respond to queries.
- I am however able to reach 1.1.1.1 and query the DNS.
- The internet remains unreachable, even when changing my nameserver to 1.1.1.1. I am able to reach devices in my LAN as long as I connect to them using the IP.
- I also noticed the following when doing a netstat:
1.1.1.1            link#27            UHW3Ig          utun8      9
4.2.2.1            link#27            UHW3Ig          utun8      3
4.2.2.2            link#27            UHWIig          utun8
I have no clue why they are listed there. A couple of them are used to check the Gateway health of my VPN Clients and one might have been used in an earlier setup. They are not the default DNS entries of my router.
- Last but not least, I am a little ashamed to say that I can't see any traffic on any interface, so I need a manual reference to understand that part. Whilst running tests when connected to the RW VPN, I did some simple calls to specific ports and IPs to then try and find them in the firewall logs:
$ nc -vz 192.168.1.100 6789
$ nc -vz google.com 6789
but when I went to the firewall logs, I found no trace of the IP address of the connected user, no blocked traffic on the above ports, nothing. I would have expected traffic on the OpenVPN interface.
A bit baffled by all these behaviours. At worst, I could revert back to a backup prior to any RW VPN attempt and start the wizard again...
Thanks for your help.
-
@pfsblah as to seeing traffic in your firewall logs - what are you logging? The wizard sets up an any any for VPN - nothing would be logged.
If you can query the dns 1.1.1.1 from your remote vpn user, through the tunnel then internet through the tunnel should work.
What IP did you set your remote vpn users to use for dns, a lan side pfsense IP, the pfsense vpn IP - is unbound on pfsense listening on this IP, are the acls correct for your vpn tunnel IPs?
As to what those 1.1.1.1 and 4.2.2.2 are - that is not something pfSense would have ever set up on its own, that is for sure.
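As an added example (not part of the original post, and not pfSense's own code), here is a Python checker for the two resolver questions raised above: does unbound on pfSense listen on the address pushed to the road-warrior clients, and does its access-control list allow the tunnel network? It parses constructed `unbound.conf` fragments using the `interface:` and `access-control:` directives that pfSense's DNS Resolver writes, then reports each gate that would make a client query time out. The pushed DNS address `192.168.200.1` and tunnel `192.168.200.0/24` come from the thread; the LAN `192.168.1.0/24` and the two config fragments are assumptions of the example. The "broken" fragment mirrors the case where the OpenVPN interface was never added to the resolver's Network Interfaces and no ACL covers the tunnel; the "fixed" fragment adds both.

```python
import ipaddress

# unbound actions that let a client query through
ALLOW_ACTIONS = {"allow", "allow_snoop", "allow_setrd"}

# Constructed sample of the unbound.conf lines pfSense's DNS Resolver writes
# for its listen interfaces and ACLs. Addresses are assumptions: LAN on
# 192.168.1.0/24, and the OpenVPN tunnel 192.168.200.0/24 from the thread
# is absent from both lists, which is the failure mode being diagnosed.
BROKEN_CONF = """\
server:
  interface: 192.168.1.1
  interface: 127.0.0.1
  access-control: 127.0.0.0/8 allow
  access-control: 192.168.1.0/24 allow
  access-control: 0.0.0.0/0 refuse
"""

# Same config with the resolver also bound to the tunnel address and the
# tunnel network allowed, which is what selecting the OpenVPN interface under
# "Network Interfaces" and adding a tunnel ACL should produce.
FIXED_CONF = BROKEN_CONF + """\
  interface: 192.168.200.1
  access-control: 192.168.200.0/24 allow
"""


def parse_unbound(text):
    """Pull 'interface:' and 'access-control:' lines out of an unbound.conf."""
    listen, acl = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            # 'interface: 10.0.0.1@853' is valid syntax; keep only the address
            listen.append(line.split(":", 1)[1].strip().split("@")[0])
        elif line.startswith("access-control:"):
            net, action = line.split(":", 1)[1].split()
            acl.append((ipaddress.ip_network(net, strict=False), action))
    return listen, acl


def acl_action(acl, client_ip):
    """unbound applies the most specific matching access-control entry;
    a client that matches no entry is refused by default."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, action in acl:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else "refuse"


def diagnose(conf_text, pushed_dns, tunnel_net):
    """Return the reasons a road-warrior client's DNS query would fail."""
    listen, acl = parse_unbound(conf_text)
    problems = []
    if pushed_dns not in listen and "0.0.0.0" not in listen:
        problems.append(
            f"resolver does not listen on the pushed DNS server {pushed_dns}")
    # First client address OpenVPN hands out of the tunnel pool (.2)
    client = str(ipaddress.ip_network(tunnel_net)[2])
    action = acl_action(acl, client)
    if action not in ALLOW_ACTIONS:
        problems.append(
            f"access-control for tunnel client {client} is '{action}'")
    return problems


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        found = diagnose(conf, "192.168.200.1", "192.168.200.0/24")
        print(f"{label}: {found or 'no resolver problems found'}")
```

With the broken fragment both gates fail (the resolver is not bound to `192.168.200.1`, and `192.168.200.2` falls through to the `0.0.0.0/0 refuse` entry); with the fixed fragment the list is empty. On a real box, `unbound-checkconf` plus the generated `/var/unbound/unbound.conf` (path as documented by pfSense, not verified here) give the same two lines to check by hand.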
-
@johnpoz
Thanks for all your help. I am clearly moving quicker than I can learn. I will revert to a previous backup where no VPN Server was set up and start from there. There are too many strange behaviours. Thanks for your time!