Wireless clients can't connect to the outside
-
Hi,
I am reading the pfSense book and decided to enable OpenVPN for all my wireless clients. I got the server up and running and deployed the certificates to both the server and one client. The client can connect to the OpenVPN server but can't connect to the internet. I have enabled AON, but I'm not sure if it's done right.
Here are some screen dumps that I hope can help.
My NAT looks like this:
http://mejborn.dk/uploads/NAT.PNG
I have made one NAT record for each of my subnets (interfaces)
And my rules for the WIFI interface look like this:
http://mejborn.dk/uploads/rules.PNG
As you can see, I have deleted all other rules so I only allow OpenVPN traffic through.
My OpenVPN server configuration looks like this:
http://mejborn.dk/uploads/VPN.PNG
As local network I've put the LAN (192.168.1.x) because that was described in the book; I also tried the WIFI 192.168.3.0 but that didn't work out either.
My log looks like this:
http://mejborn.dk/uploads/log.PNG
As you can see marked in the red square, it seems like the VPN clients are requesting with their normal WIFI address 192.168.3.x and not the VPN subnet 192.168.4.x; also, they are trying to access DNS on my WIFI interface.
Anyone that can see what I have missed?
Best regards
Mathias.
-
Forgot to list my client conf, maybe it would be helpful:
client                    # implies tls-client and pull
dev tun
proto udp
remote 192.168.3.1 1194   # the WIFI interface address of the pfSense box
ping 10
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert XXX.crt
key XXX.key
pull                      # redundant here, already implied by "client"
verb 3
-
According to your firewall log, the DNS requests go to the interface of the pfSense directly (and get blocked).
This indicates that the traffic doesn't actually go into the tunnel. Did you specify any custom options?
Namely the push "redirect-gateway" option?
-
Yes, I also wondered why I didn't see any IP addresses coming from the tunnel. I asked in the IRC channel yesterday and there someone also asked me to try that client-specific option. I haven't tried it yet but will do it later. Just a question: which subnet in the OpenVPN server's configuration should I type in where it says "local network"? Should that be the LAN or WiFi interface?
Best regards
Mathias
-
The "local network" field is used to specify a route which will be pushed to the client.
The client will then use the VPN to reach this subnet.
Since you want everything to be redirected over the VPN you don't need this field.
-
Thank you very much, I'll try the client option later.
Best regards.
Mathias.
-
Hi, finally I got a little bit further in my connection. Earlier I could connect to the internet when I was not connected to the OpenVPN tunnel; now when I establish a connection to the tunnel I am able to connect to the outside/internet. I added the push "redirect-gateway def1" to the custom options. Afterwards I deleted all other rules on the WIFI interface, so now I only have:
Proto  Source  Port  Destination  Port            Gateway  Description
UDP    *       *     *            1194 (OpenVPN)  *        Allow OpenVPN
Now I am not able to connect to the internet at all. Which rule should I add to allow all traffic to the outside if it comes from the tunnel? In the log I am seeing that the firewall is blocking attempts from the WIFI net 192.168.3.X when I only have the above rule.
I was thinking that I could make a rule where the source was the OpenVPN subnet 192.168.4.x, but then again I was thinking that that wasn't a secure solution? Normally I would make a rule that had the OpenVPN interface as the source, but in pfSense there isn't such a thing?…
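Putting the two pieces of this thread together (the "local network" versus redirect-gateway explanation in the earlier reply, and the firewall-rule question in this post), the following is an added example of what the server side looks like in raw OpenVPN and pf syntax. It is not taken from the posts or from the pfSense book; pfSense writes both files for you from the GUI, and the certificate file names, the DH file and the interface/macro names (WIFI, em2, ovpns1) are assumptions chosen for illustration. The addresses are the ones used in the thread.

```conf
# --- OpenVPN server config (what the pfSense OpenVPN server page generates; file names assumed) ---
local 192.168.3.1                  # listen on the WIFI address the client conf uses as "remote"
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt                    # assumed file names
key server.key
dh dh2048.pem                      # assumed; pfSense ships its own DH parameters
server 192.168.4.0 255.255.255.0   # tunnel subnet from the thread; the server's tun end is 192.168.4.1
keepalive 10 60
persist-key
persist-tun

# The "local network" field only produces this pushed route. The client then sends
# 192.168.1.0/24 into the tunnel and everything else out of its normal WIFI gateway,
# which is why the log showed 192.168.3.x sources instead of 192.168.4.x:
# push "route 192.168.1.0 255.255.255.0"

# To put all client traffic into the tunnel, push the default route instead. "def1"
# adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which beat the client's existing
# default route on prefix length without deleting it.
push "redirect-gateway def1"

# With only UDP/1194 allowed on WIFI, the client can no longer reach DNS on 192.168.3.1.
# Hand it a resolver inside the tunnel instead (assumes the pfSense DNS forwarder also
# answers on the tun address):
push "dhcp-option DNS 192.168.4.1"

verb 3

# --- pf rules, the equivalent of the two pfSense rule tabs (interface names assumed) ---
WIFI = "em2"                       # assumed NIC behind the WIFI interface

# WIFI interface: the only thing allowed off the wireless segment is the OpenVPN
# handshake to the firewall itself. Everything else, including the 192.168.3.x DNS
# attempts seen in the log, falls through to the deny.
pass in quick on $WIFI inet proto udp from 192.168.3.0/24 to 192.168.3.1 port 1194 keep state
block in quick on $WIFI all

# OpenVPN (tun) interface: decrypted packets arrive here carrying tunnel addresses.
# pf rules are always bound to an interface, so a rule that says "from 192.168.4.0/24"
# is only matched for packets that actually came out of the tunnel when it sits on
# ovpns1; the same source rule placed on $WIFI would match spoofed wireless traffic.
pass in quick on ovpns1 inet from 192.168.4.0/24 to any keep state
```

Two caveats a practitioner would check: the pushed DNS option is applied automatically by Windows clients only, while Linux and BSD clients need an up script (for example update-resolv-conf) to use it; and in pfSense the tun rule is entered on the rules tab for the OpenVPN interface (or the assigned tun interface), not on the WIFI tab, because it is the interface binding shown above that makes the source-subnet rule safe.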
-
Bump :)
No one at all that can show me which rules they implemented to allow all traffic through the vpn tunnel and reject all other traffic?