OpenVPN for Remote User
-
It was just because I was finding it difficult and then you need to add some lines in the advanced section.
I just tried to keep it as simple as possible.
I followed your guide, the tunnel is created successfully, and I can see the route is added. From a LAN computer, I can ping the remote end's virtual IP, but can't communicate from the remote client to the LAN.
From the pfSense GUI, I noticed there are some firewall logs indicating my actions like ping to a LAN IP are blocked, where the interface is "ovpns1". When I use "Easy Rule" to pass this traffic, I was told "Invalid interface for pass rule". I also tried adding the pass rule from "Firewall > Rules", OpenVPN tab, to allow incoming from the OpenVPN interface, but no help. Anyone suffered the same as me?
-
Did you check that the firewall rule under Firewall > Rules on the OpenVPN tab is set for 'any' protocol and not just TCP?
I need to fix Easy Rule so it can find the openvpn ruleset properly.
Also, I'm not sure how it works with a normal client, but with PKI on site-to-site, you need to add an iroute statement for your remote subnet on the client-specific-config tab for your common name, and then add a route statement to the server's custom options.
Otherwise your PC just talks to the remote side using its dynamic OpenVPN interface IP as the source, and it has no idea how to route back to your PC's other IP address(es).
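As an added illustration of the iroute/route pairing described above (this is not configuration from the thread or from pfSense itself), the two fragments below show what ends up in the server config and in the client-specific config file. The subnets, tunnel network and the client's common name are constructed for the example: the pfSense LAN is assumed to be 192.168.1.0/24, the remote client's LAN 192.168.2.0/24, the tunnel network 10.0.8.0/24, and the client certificate's CN "remote-office". In the pfSense 2.0 GUI the `route` line goes into the server's "Custom options" box and the `iroute` line into the entry for that CN on the client-specific configuration tab.

```openvpn
# --- Server side (pfSense OpenVPN server, "Custom options" box) ---
# Tunnel network the server hands out addresses from (constructed).
server 10.0.8.0 255.255.255.0
# Tell the server's kernel that the remote LAN is reachable through the
# tun interface; without this, replies to 192.168.2.x never enter the tunnel.
route 192.168.2.0 255.255.255.0
# Directory holding one file per client common name (pfSense generates this
# from the client-specific configuration tab).
client-config-dir /var/etc/openvpn-csc

# --- Client-specific config, file named after the CN "remote-office" ---
# Tell the OpenVPN daemon which connected client owns 192.168.2.0/24, so
# packets routed into the tun interface are forwarded to this client and
# not dropped as "unknown destination".
iroute 192.168.2.0 255.255.255.0
# Optional: push the server LAN to the client so its routing table is
# correct without a manual route on the remote side.
push "route 192.168.1.0 255.255.255.0"
```

Both lines are needed: `route` alone gives the kernel a path into the tun interface but OpenVPN then discards the packet because no client claims the subnet, while `iroute` alone leaves the kernel with no route at all. After the client connects, `netstat -rn` on pfSense should list 192.168.2.0/24 via the ovpns interface, and the pass rule on the Firewall > Rules OpenVPN tab must cover the remote subnet as source with protocol set to any, otherwise ICMP from the remote LAN is still blocked even though routing is correct.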
-
> Did you check that the firewall rule under Firewall > Rules on the OpenVPN tab is set for 'any' protocol and not just TCP?
> I need to fix Easy Rule so it can find the openvpn ruleset properly.
> Also, I'm not sure how it works with a normal client, but with PKI on site-to-site, you need to add an iroute statement for your remote subnet on the client-specific-config tab for your common name, and then add a route statement to the server's custom options.
> Otherwise your PC just talks to the remote side using its dynamic OpenVPN interface IP as the source, and it has no idea how to route back to your PC's other IP address(es).
I set up the "OpenVPN" firewall rule with ALL allowed, so there should be no problem;
From the remote PC, I can see the routing table is correct (the same client config works on pfSense 1.22 OpenVPN);
From pfSense v2, System Logs > Settings, if I un-check "Log packets blocked by the default rule", then I can't see those "blocked" ping logs in the firewall log, but packets still can't reach the LAN PC, not even pfSense's virtual IP.
Any idea?
-
updates:
I factory reset my current pfSense and built exactly the same OpenVPN server, and it works. My current pfSense 2 is upgraded from 1.2.2, so when I restore my settings to the cleaned v2.0, the OpenVPN stops working again.
It looks like the 1.2.2 settings get messed up in version 2.0, much like the OpenVPN rules don't work on a version 2.0 upgraded from 1.2.2.
-
Good to hear that you got it working!
If you don't mind, it would be helpful to have a copy of the working and non-working configurations, including the pre-upgrade and post-upgrade copies. Sanitize them of course (remove passwords, etc.) but unless we can replicate things like this, we can't smooth out the process for people in the future. :)
If you don't want to post them in a bug report on http://redmine.pfsense.org, you can e-mail them to me at jimp (at) pfsense.org and I'll take a look.
-
> Good to hear that you got it working!
> If you don't mind, it would be helpful to have a copy of the working and non-working configurations, including the pre-upgrade and post-upgrade copies. Sanitize them of course (remove passwords, etc.) but unless we can replicate things like this, we can't smooth out the process for people in the future. :)
> If you don't want to post them in a bug report on http://redmine.pfsense.org, you can e-mail them to me at jimp (at) pfsense.org and I'll take a look.
Sent to you, please check.
-
Another update, but bad news:
This is very frustrating. After resetting to factory default, with this working OpenVPN config, I started to add options/settings based on 1.2.2 and tried to find what causes the problem. But I didn't even get very far before the firewall started to block the remote PC to the LAN PC (I hadn't changed anything in the firewall menu yet), while the LAN PC can always ping the remote PC. I thought I was lucky since I had backed up the working config, but after I restored the working config, the problem is still there!!! :((
-
> I need to fix Easy Rule so it can find the openvpn ruleset properly.
FYI- This bit should be fixed on new snaps. I just committed a fix.
-