Netgate Discussion Forum

    OpenVPN for Remote User

    2.0-RC Snapshot Feedback and Problems - RETIRED
    • A
      akoei
      last edited by

      @rudraansh:

      It was just because I was finding it difficult and then you need to add some lines in the advanced section.
      I just tried to keep it as simple as possible.

      I followed your guide, the tunnel is created successfully, and I can see the route is added. From a LAN computer, I can ping the remote end's virtual IP, but can't communicate from the remote client to the LAN.
      From the pfSense GUI, I noticed there are some firewall logs indicating that my actions, like a ping to a LAN IP, are blocked, where the interface is "ovpns1". When I use "Easy Rule" to pass this traffic, I am told "Invalid interface for pass rule". I also tried adding the pass rule from "Firewall–>Rules", OpenVPN tab, to allow incoming traffic from the OpenVPN interface, but it did not help.

      Has anyone suffered the same as me?

      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        Did you check that the firewall rule under Firewall > Rules on the OpenVPN tab is set for 'any' protocol and not just TCP?

        I need to fix Easy Rule so it can find the openvpn ruleset properly.

        Also, I'm not sure how it works with a normal client, but with PKI on site-to-site, you need to add an iroute statement for your remote subnet on the client-specific-config tab for your common name, and then add a route statement to the server's custom options.

        Otherwise your PC just talks to the remote side using its dynamic OpenVPN interface IP as the source, and it has no idea how to route back to your PC's other IP address(es).

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!
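
The iroute/route pairing described in the post above, for PKI site-to-site, can be checked mechanically: `route` puts the remote subnet into the server's routing table, while `iroute` in the client-specific config tells OpenVPN which client owns it. This is an added example, not part of the post or of pfSense; the subnets, common names and the function names `networks` and `check_routing` are constructed for illustration.

```python
import ipaddress

# Constructed sample input: subnets and common names are placeholders.
SERVER_CONF = """\
server 192.168.220.0 255.255.255.0
route 10.20.0.0 255.255.255.0   # LAN behind client "site-b"
route 10.30.0.0 255.255.255.0   # no client claims this one
"""
CCD = {  # common name -> client-specific config text
    "site-b": "iroute 10.20.0.0 255.255.255.0\n",
    "site-c": "iroute 10.40.0.0 255.255.255.0  ; server has no route for it\n",
}


def networks(conf_text, keyword):
    """Collect networks from `<keyword> <network> [netmask]` lines."""
    found = set()
    for raw in conf_text.splitlines():
        # OpenVPN config comments start with '#' or ';'.
        parts = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) < 2 or parts[0] != keyword:
            continue
        # A missing netmask (or the keyword "default") means a /32 host route.
        mask = parts[2] if len(parts) > 2 and parts[2] != "default" else "255.255.255.255"
        try:
            found.add(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
        except ValueError:
            continue  # hostname or special keyword instead of an address
    return found


def check_routing(server_conf, ccd):
    """Return sorted (kind, common_name, network) findings; empty means paired."""
    routes = networks(server_conf, "route")
    claimed, findings = set(), []
    for cn, text in ccd.items():
        for net in networks(text, "iroute"):
            claimed.add(net)
            if not any(r.supernet_of(net) for r in routes):
                findings.append(("iroute-without-route", cn, str(net)))
    for r in routes:
        if not any(r.supernet_of(n) or n.supernet_of(r) for n in claimed):
            findings.append(("route-without-iroute", "-", str(r)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_routing(SERVER_CONF, CCD):
        print(*finding)
```

An empty result means every remote subnet has both halves of the pairing; either finding kind leaves traffic for that subnet unroutable in one direction.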

        • A
          akoei
          last edited by

          @jimp:

          Did you check that the firewall rule under Firewall > Rules on the OpenVPN tab is set for 'any' protocol and not just TCP?

          I need to fix Easy Rule so it can find the openvpn ruleset properly.

          Also, I'm not sure how it works with a normal client, but with PKI on site-to-site, you need to add an iroute statement for your remote subnet on the client-specific-config tab for your common name, and then add a route statement to the server's custom options.

          Otherwise your PC just talks to the remote side using its dynamic OpenVPN interface IP as the source, and it has no idea how to route back to your PC's other IP address(es).

          I set up the "OpenVPN" firewall with ALL allowed, so that should be no problem;
          From the remote PC, I can see the routing table is correct (the same client config works on pfSense 1.22 OpenVPN);
          From pfSense v2, system logs–>settings, if I un-check "Log packets blocked by the default rule", then I can't see those "blocked" ping logs in the Firewall log, but packets still can't reach the LAN PC, or even the pfSense virtual IP.
          Any ideas?

          • A
            akoei
            last edited by

            Updates:
            I factory reset my current pfSense and built exactly the same OpenVPN server, and it works.

            My current pfSense 2 is upgraded from 1.2.2, so when I restored my settings to the cleaned v2.0, OpenVPN stopped working again.

            It looks like the 1.2.2 settings are messed up in version 2.0, much like how OpenVPN rules don't work on the version 2.0 upgraded from 1.2.2.

            • jimpJ
              jimp Rebel Alliance Developer Netgate
              last edited by

              Good to hear that you got it working!

              If you don't mind, it would be helpful to have a copy of the working and non-working configurations, including the pre-upgrade and post-upgrade copies. Sanitize them of course (remove passwords, etc.) but unless we can replicate things like this, we can't smooth out the process for people in the future. :)

              If you don't want to post them in a bug report on http://redmine.pfsense.org, you can e-mail them to me at jimp (at) pfsense.org and I'll take a look.

              • A
                akoei
                last edited by

                @jimp:

                Good to hear that you got it working!

                If you don't mind, it would be helpful to have a copy of the working and non-working configurations, including the pre-upgrade and post-upgrade copies. Sanitize them of course (remove passwords, etc.) but unless we can replicate things like this, we can't smooth out the process for people in the future. :)

                If you don't want to post them in a bug report on http://redmine.pfsense.org, you can e-mail them to me at jimp (at) pfsense.org and I'll take a look.

                Sent to you, please check.

                • A
                  akoei
                  last edited by

                  Another update, but bad news:
                  This is very frustrating. After resetting to factory defaults, with this working OpenVPN config, I started to add options/settings based on 1.2.2 and tried to find what causes the problem. But I didn't even get very far before the firewall started to block remote PC to LAN PC traffic (I hadn't changed anything in the firewall menu yet), while the LAN PC can always ping the remote PC. I thought I was lucky since I had backed up the working config, but after I restored the working config, the problem is still there!!!…... :((

                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    @jimp:

                    I need to fix Easy Rule so it can find the openvpn ruleset properly.

                    FYI- This bit should be fixed on new snaps. I just committed a fix.

                    • A
                      akoei
                      last edited by

                      @jimp:

                      @jimp:

                      I need to fix Easy Rule so it can find the openvpn ruleset properly.

                      FYI- This bit should be fixed on new snaps. I just committed a fix.

                      Easy Rule works, but OpenVPN packets are still blocked by the "default rule":
                        block
                      Feb 17 16:36:55 ovpns1 192.168.220.6 192.168.200.2 ICMP
