Netgate Discussion Forum

    Can connect to OVPN Server and that's about it

    Category: OpenVPN. Tags: ovpnserver, firewall log
    15 Posts 5 Posters 1.4k Views
    • viragomann @pfsblah

        @pfsblah
        Can you even ping the server internal VPN IP?

        Did you add firewall rules to the VPN interface to allow access?

    • pfsblah @viragomann

          Hi @viragomann,
          Thanks for your help. It's clear now that having all the info might be more helpful, so I went and gathered as much as possible. What puzzles me the most is why the Gateway is down. I am clearly missing some understanding in that area. In any case, here are the results of my findings and settings:

          1. Whatever I do, the VPN Server Gateway stays Offline with 100% packet loss. I guess I should have started with that.

          The settings for the gateway are:

          IPv4- dynamic
          Monitoring IP: 8.8.4.4
          
          2. On my Mac I get an IP on interface utun8
          utun8: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
          	options=6460<TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
          	inet 192.168.200.2 --> 192.168.200.2 netmask 0xffffff00
          
          3. netstat:
          Internet:
          Destination        Gateway            Flags               Netif Expire
          default            link#27            UCSg                utun8
          default            172.20.10.1        UGScIg                en0
          1.1.1.1            link#27            UHW3Ig              utun8      2
          4.2.2.1            link#27            UHW3Ig              utun8      4
          4.2.2.2            link#27            UHW3Ig              utun8      4
          17.253.107.19      link#27            UHWIig              utun8
          17.253.107.25      link#27            UHWIig              utun8
          127                127.0.0.1          UCS                   lo0
          127.0.0.1          127.0.0.1          UH                    lo0
          161.35.245.167     link#27            UHW3Ig              utun8      2
          169.254            link#14            UCS                   en0      !
          172.20.10/28       link#14            UCS                   en0      !
          172.20.10.1/32     link#14            UCS                   en0      !
          172.20.10.1        12:da:63:52:1:64   UHLWIir               en0   1125
          172.20.10.3/32     link#14            UCS                   en0      !
          172.20.10.3        92:63:82:59:92:e3  UHLWIi                lo0
          172.20.10.15       ff:ff:ff:ff:ff:ff  UHLWbI                en0      !
          192.168.20.10      link#27            UHWIig              utun8
          192.168.200.1      link#27            UHWIig              utun8
          192.168.200.2      192.168.200.2      UH                  utun8
          224.0.0/4          link#27            UmCS                utun8
          224.0.0/4          link#14            UmCSI                 en0      !
          224.0.0.251        1:0:5e:0:0:fb      UHmLWI                en0
          255.255.255.255/32 link#27            UCS                 utun8
          255.255.255.255/32 link#14            UCSI                  en0      !
          
          4. Pinging myself and the server both result in 100% packet loss, but that could be due to a firewall rule:
          $ ping 192.168.200.2 -c 3
          PING 192.168.200.2 (192.168.200.2): 56 data bytes
          Request timeout for icmp_seq 0
          Request timeout for icmp_seq 1
          
          --- 192.168.200.2 ping statistics ---
          3 packets transmitted, 0 packets received, 100.0% packet loss
          
          $ ping 192.168.200.1 -c 3
          PING 192.168.200.1 (192.168.200.1): 56 data bytes
          Request timeout for icmp_seq 0
          Request timeout for icmp_seq 1
          
          --- 192.168.200.1 ping statistics ---
          3 packets transmitted, 0 packets received, 100.0% packet loss
          
          5. Access to the internet
          $ dig google.com
          
          ; <<>> DiG 9.10.6 <<>> google.com
          ;; global options: +cmd
          ;; connection timed out; no servers could be reached
          
          $ curl -v https://34.36.67.198/
          *   Trying 34.36.67.198:443...
          * connect to 34.36.67.198 port 443 from 192.168.200.2 port 64110 failed: Operation timed out
          * Failed to connect to 34.36.67.198 port 443 after 75002 ms: Couldn't connect to server
          * Closing connection
          curl: (28) Failed to connect to 34.36.67.198 port 443 after 75002 ms: Couldn't connect to server
          
          6. Firewall rules for the VPN interface

          For a test I enabled a rule at the top with any/any/any,
          so any protocol, any_source:any_port to any_dest:any_port, through the default GW (WAN, not the VPN client group)

          7. DNS
            My DNS Resolver has the VPN interface selected in the list Network Interfaces it listens on.

          8. Manual Outbound NAT

          Three to the VPN clients and one for testing to the WAN. They look like this:

          interface: VPN (VPN Server interface)
          protocol: any
          source: VPN_subnet
          destination: any
          Translation address: VPN1_WAN address (first VPN Client in the pool)
          

          The rule is repeated another 3 times for VPN2_WAN, VPN3_WAN and WAN address

          I hope this helps narrow things down. The gateway seems the obvious culprit but what can I do to debug that issue?

          Thanks for any help.

            • viragomann @pfsblah

            @pfsblah said in Can connect to OVPN Server and that's about it:

            utun8: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
            options=6460<TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
            inet 192.168.200.2 --> 192.168.200.2 netmask 0xffffff00

            This indicates wrong tunnel settings to me.

            How did you configure the OpenVPN server?
            Did you add a client specific override as well?

              • johnpoz LAYER 8 Global Moderator @pfsblah

              @pfsblah said in Can connect to OVPN Server and that's about it:

              Whatever I do, the VPN Server Gateway stays Offline with 100% packet loss. I guess I should have started with that

              Why would you be setting a gateway on a RW setup?

              https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-ra.html

              I have remote access into all of my networks and even the internet if I set the client to use the VPN for all traffic. I don't have a gateway set up on this. You only need a gateway for VPNs you use outbound from pfSense.

              To be honest, the wizard runs through everything you need to set up remote access, i.e. a road warrior setup. Trying to follow some old guide for a version of pfSense (2.5) that has been EOL for years doesn't make much sense to me, when you can just click through a wizard.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

                • pfsblah @viragomann

                @viragomann
                The VPN settings are as follows:

                 IPv4 Tunnel Network : 192.168.200.0/24
                 Redirect IPv4 Gateway : enabled
                 DNS Server enable : enabled
                 DNS Server 1 : 192.168.200.1
                 Block Outside DNS : enabled
                 Force DNS cache update : enabled
                 NTP Server enable : enabled
                 NTP Server 1 : 192.168.200.1
                

                I use the Client Export Utility module. The final result looks something like the following (redacted):

                dev tun
                persist-tun
                persist-key
                data-ciphers AES-256-GCM:AES-256-CBC
                data-ciphers-fallback AES-256-CBC
                auth SHA512
                tls-client
                client
                resolv-retry infinite
                remote my.home.com 1198 udp4
                setenv opt block-outside-dns
                lport 0
                verify-x509-name "internal-ca" name
                auth-user-pass
                remote-cert-tls server
                explicit-exit-notify
                
                <ca>
                -----BEGIN CERTIFICATE-----
                <redacted>
                -----END CERTIFICATE-----
                </ca>
                <cert>
                -----BEGIN CERTIFICATE-----
                <redacted>
                -----END CERTIFICATE-----
                </cert>
                <key>
                -----BEGIN PRIVATE KEY-----
                <redacted>
                -----END PRIVATE KEY-----
                </key>
                key-direction 1
                <tls-auth>
                #
                # 2048 bit OpenVPN static key
                #
                -----BEGIN OpenVPN Static key V1-----
                <redacted>
                -----END OpenVPN Static key V1-----
                </tls-auth>
                
                  • pfsblah @johnpoz

                  Hi @johnpoz,
                  Thanks for the link to the doc. I had followed the nguvu doc for my multi-VPN-client setup and just followed on with the next one to set up the VPN server, as the first setup worked well and made sense.

                  I will read the doc and try the wizard. Maybe I should have just done that! ;)

                  Thanks for your time.

                    • pfsblah @johnpoz

                    Hi @johnpoz ,
                    I took your advice, scratched my setup (all of it I hope) and ran the wizard. I am certainly better off but not there yet. I see a few oddities which I hope are not due to legacy settings. If you have a sec, could you give me your opinion?

                    1. unable to reach the Internal DNS. I specify the firewall as being the DNS on that interface but it doesn't respond to queries.

                    2. I am however able to reach 1.1.1.1 and query the DNS

                    3. The internet remains unreachable, even when changing my nameserver to 1.1.1.1. I am able to reach devices in my LAN as long as I connect to them using the IP.

                    4. I also noticed the following when doing a netstat

                    1.1.1.1            link#27            UHW3Ig              utun8      9
                    4.2.2.1            link#27            UHW3Ig              utun8      3
                    4.2.2.2            link#27            UHWIig              utun8
                    

                    I have no clue why they are listed there. A couple of them are used to check the Gateway health of my VPN Clients and one might have been used in an earlier setup. They are not the default DNS entries of my router.

                    5. Last but not least, I am a little ashamed to say that I can't see any traffic on any interface, so I need a manual reference to understand that part. Whilst running tests when connected to the RW VPN, I did some simple calls to specific ports and IPs to then try and find them in the firewall logs:
                    $ nc -vz 192.168.1.100 6789
                    $ nc -vz google.com 6789
                    

                    but when I went to the firewall logs, I found no trace of the IP address of the connected user, no blocked traffic on the above ports, nothing. I would have expected traffic on the OpenVPN interface.

                    A bit baffled by all these behaviours. At worst, I could revert back to a backup prior to any RW VPN attempt and start the wizard again...

                    Thanks for your help.

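To make sense of the route tables pasted in this thread, here is an added triage script that is not part of any of the posts: it parses macOS `netstat -rn` output, reports whether the default route goes through the tunnel (i.e. the redirect gateway took effect), lists entries that carry an Expire value, and flags host routes over the tunnel that are not in an expected set (only the pushed DNS server 192.168.200.1 is assumed expected here). The sample table is a constructed excerpt of the output shown above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Constructed sample: an excerpt of the macOS `netstat -rn` output pasted in
# this thread (tunnel interface utun8, physical uplink en0).
SAMPLE_NETSTAT = """\
Internet:
Destination        Gateway            Flags               Netif Expire
default            link#27            UCSg                utun8
default            172.20.10.1        UGScIg                en0
1.1.1.1            link#27            UHW3Ig              utun8      2
4.2.2.1            link#27            UHW3Ig              utun8      4
4.2.2.2            link#27            UHW3Ig              utun8      4
172.20.10/28       link#14            UCS                   en0      !
172.20.10.1        12:da:63:52:1:64   UHLWIir               en0   1125
192.168.20.10      link#27            UHWIig              utun8
192.168.200.1      link#27            UHWIig              utun8
192.168.200.2      192.168.200.2      UH                  utun8
"""

@dataclass
class Route:
    dest: str
    gateway: str
    flags: str
    netif: str
    expire: Optional[int]  # seconds left on an ageing entry; None if permanent

def parse_netstat(text: str) -> list[Route]:
    """Parse the IPv4 section of macOS `netstat -rn` into Route records."""
    routes, in_table = [], False
    for line in text.splitlines():
        cols = line.split()
        if cols[:2] == ["Destination", "Gateway"]:
            in_table = True
            continue
        if not in_table or len(cols) < 4:
            continue  # section banner, blank line or malformed row
        expire = int(cols[4]) if len(cols) > 4 and cols[4].isdigit() else None
        routes.append(Route(cols[0], cols[1], cols[2], cols[3], expire))
    return routes

def default_via(routes: list[Route], iface: str) -> bool:
    """True when a default route points at iface (redirect-gateway took effect)."""
    return any(r.dest == "default" and r.netif == iface for r in routes)

def transient_entries(routes: list[Route], iface: str) -> list[str]:
    """Entries on iface with an Expire value: they age out, unlike configured routes."""
    return [r.dest for r in routes if r.netif == iface and r.expire is not None]

def unexpected_tunnel_hosts(routes: list[Route], iface: str, expected: set[str]) -> list[str]:
    """Host (H flag) routes over iface, minus the tunnel's own address and expected hosts."""
    hosts = [r.dest for r in routes if r.netif == iface and "H" in r.flags
             and r.gateway != r.dest and r.dest not in expected]
    return sorted(hosts, key=ipaddress.ip_address)
```

Running `unexpected_tunnel_hosts(parse_netstat(SAMPLE_NETSTAT), "utun8", {"192.168.200.1"})` on the sample returns the 1.1.1.1, 4.2.2.x and 192.168.20.10 entries that the thread puzzles over, which gives a concrete list to compare against the routes the server is actually configured to push.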
                      • johnpoz LAYER 8 Global Moderator @pfsblah

                      @pfsblah as to seeing traffic in your firewall logs: what are you logging? The wizard sets up an any/any rule for the VPN; nothing would be logged.

                      If you can query the dns 1.1.1.1 from your remote vpn user, through the tunnel then internet through the tunnel should work.

                      What IP did you set your remote VPN users to use for DNS: a LAN-side pfSense IP, or the pfSense VPN IP? Is unbound on pfSense listening on this IP? Are the ACLs correct for your VPN tunnel IPs?

                      As to what those 1.1.1.1 and 4.2.2.2 are: that is not something pfSense would have ever set up on its own, that is for sure.


                        • pfsblah @johnpoz

                        @johnpoz
                        Thanks for all your help. I am clearly moving quicker than I can learn. I will revert to a previous backup where no VPN Server was setup and start from there. There are too many strange behaviours.

                        Thanks for your time!

                          • Gertjan @pfsblah

                          @pfsblah said in Can connect to OVPN Server and that's about it:

                          unable to reach the Internal DNS. I specify the firewall as being the DNS on that interface but it doesn't respond to queries.

                          Could be this: ask yourself, does unbound, the pfSense resolver, listen on the OpenVPN server interface? It should, so it can handle DNS traffic from VPN-connected clients.

                          The default resolver setting will do just fine:

                          [screenshot: default DNS Resolver settings]

                          Also check that you are not using ACLs, and if you do, you've included the OpenVPN server interface.

                          Normally™, when you have a default pfSense and you execute the wizard, or, way more fun, use the official video guide (there are several old ones, but still very valid; there are 2 (3?) OpenVPN server videos) and a more recent one here, you should have working access.
                          Remember: first, make it work. Do exactly as indicated. As soon as it works, you can add/make changes. From then on, as soon as it fails, you know what went wrong.

                          And the official doc : https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-ra.html

                          No "help me" PM's please. Use the forum, the community will thank you.
                          Edit : and where are the logs ??

                            • pfsblah @Gertjan

                            Many thanks @Gertjan, I will be doing just that. I will revert to changes I made prior to setting up the RW VPN and follow the wizard. It means I'll have to reset a lot of things, but I will check everything works at each step.

                            Thanks for taking the time.

                              • pfsblah @pfsblah

                              @johnpoz, @Gertjan, @viragomann
                              I can't give thumbs up but I wanted to thank you all for your help. I got it working.

                              I ended up not reverting to a previous version and worked the problems instead.

                              I had a big DNS problem which I was able to fix. After that it was a simple question of setting the correct rules.

                              Again, thank you all for taking the time to help and point me in the right direction.

                                • Gertjan @pfsblah

                                @pfsblah said in Can connect to OVPN Server and that's about it:

                                I can't give thumbs up

                                Gave you one 👍


                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.