OpenVPN client connection gets blocked by default block rule
-
I've set up an OpenVPN client connection on a pfSense '2.0.1-RELEASE (amd64)' installation.
In the setup of the OpenVPN connection I've roughly followed 'http://forum.pfsense.org/index.php/topic,29944.0.html'. The connection appears to work: After getting `openvpn[15115]: initialization Sequence Completed`
I'm able to ping and ssh to hosts in the VPN. After some seconds, this ceases to work. I get `openvpn[15115]: write TCPv4_CLIENT: Operation not permitted (code=1)`
in the OpenVPN log and
```
WAN <my external wan ip>:54376 <vpn server ip>:
```
I really don't understand why the default rule blocks traffic to the VPN server despite the existence of a rule explicitly allowing this traffic. Can someone help me fix this?
-
What exactly does the blocked log look like? The TCP connection is falling apart somehow, most likely because of asymmetric routing I would guess but impossible to say from the info there. Allow everything doesn't allow everything, it blocks TCP traffic that isn't part of an existing connection and isn't opening a new connection (SYN). So either something is causing your states to drop, or somehow the firewall isn't sanely getting the traffic because of odd routing.
-
The log entry created by the default block rule is:
```
WAN <my external wan ip>:54376 <vpn server ip>:
```
What do you mean by 'asymmetric routing'? Since I can ssh to the VPN machines without problems (either before getting cut off or with disabled firewall), I assume the routing is OK.
-
What TCP flags though? It'll show them there, that's the important part.
> The log entry created by the default block rule is:
> ```
> WAN <my external wan ip>:54376 <vpn server ip>:
> ```

No. Rules cannot cut connections. Once a connection is open, the rules are never evaluated on that connection, same way every firewall works. The state is apparently getting dropped from the description, though no idea why from what you describe. Anything in the system log around when it happens?
-
Here's the excerpt from the openvpn log:
```
Feb 1 12:12:57 pfSense openvpn[21902]: WARNING: 'ifconfig' is present in remote config but missing in local config
Feb 1 12:12:57 pfSense openvpn[21902]: [VPN_Gateway] Peer Connection Initiated with [AF_INET]<vpn server ip>:5018
Feb 1 12:12:59 pfSense openvpn[21902]: write TCPv4_CLIENT: Operation not permitted (code=1)
Feb 1 12:13:01 pfSense openvpn[21902]: write TCPv4_CLIENT: Operation not permitted (code=1)
Feb 1 12:13:05 pfSense openvpn[21902]: write TCPv4_CLIENT: Operation not permitted (code=1)
```
Here is the corresponding firewall log (the '5018' in the grep command is the port of the VPN server):
```
clogf -f firewall.log | grep -B 1 5018
Feb 1 12:12:59 pfSense pf: 00:00:00.362490 rule 2/0(match): block out on pppoe0: (tos 0x0, ttl 64, id 1407, offset 0, flags [DF], proto TCP (6), length 158)
Feb 1 12:12:59 pfSense pf: <wan ip>.40395 > <openvpn server ip>.5018: Flags [P.], cksum 0x62fb (correct), ack 3804880805, win 516, options [nop,nop,TS val 48135 ecr 1395865866], length 106
--
Feb 1 12:13:00 pfSense pf: 00:00:00.135180 rule 2/0(match): block out on pppoe0: (tos 0x0, ttl 64, id 13035, offset 0, flags [DF], proto TCP (6), length 158)
Feb 1 12:13:00 pfSense pf: <wan ip>.40395 > <openvpn server ip>.5018: Flags [P.], cksum 0x62d8 (correct), ack 1, win 516, options [nop,nop,TS val 48170 ecr 1395865866], length 106
--
Feb 1 12:13:00 pfSense pf: 00:00:00.097251 rule 2/0(match): block out on pppoe0: (tos 0x0, ttl 64, id 58605, offset 0, flags [DF], proto TCP (6), length 158)
Feb 1 12:13:00 pfSense pf: <wan ip>.40395 > <openvpn server ip>.5018: Flags [P.], cksum 0x62a6 (correct), ack 1, win 516, options [nop,nop,TS val 48220 ecr 1395865866], length 106
--
Feb 1 12:13:01 pfSense pf: 00:00:00.065911 rule 2/0(match): block out on pppoe0: (tos 0x0, ttl 64, id 54181, offset 0, flags [DF], proto TCP (6), length 158)
Feb 1 12:13:01 pfSense pf: <wan ip>.40395 > <openvpn server ip>.5018: Flags [P.], cksum 0x6256 (correct), ack 1, win 516, options [nop,nop,TS val 48300 ecr 1395865866], length 106
--
Feb 1 12:13:02 pfSense pf: 00:00:00.245587 rule 2/0(match): block out on pppoe0: (tos 0x0, ttl 64, id 64763, offset 0, flags [DF], proto TCP (6), length 158)
Feb 1 12:13:02 pfSense pf: <wan ip>.40395 > <openvpn server ip>.5018: Flags [P.], cksum 0x61ba (correct), ack 1, win 516, options [nop,nop,TS val 48350 ecr 1395865866], length 106
--
Feb 1 12:13:02 pfSense pf: 00:00:00.009199 rule 2/0(match): block out on pppoe0: (tos 0x0, ttl 64, id 53283, offset 0, flags [DF], proto TCP (6), length 264)
Feb 1 12:13:02 pfSense pf: <wan ip>.40395 > <openvpn server ip>.5018: Flags [P.], ack 1, win 516, options [nop,nop,TS val 48440 ecr 1395865866], length 212
--
Feb 1 12:13:05 pfSense pf: 00:00:00.197947 rule 2/0(match): block out on pppoe0: (tos 0x0, ttl 64, id 30122, offset 0, flags [DF], proto TCP (6), length 158)
Feb 1 12:13:05 pfSense pf: <wan ip>.40395 > <openvpn server ip>.5018: Flags [P.], cksum 0x6015 (correct), ack 1, win 516, options [nop,nop,TS val 48665 ecr 1395865866], length 106
Feb 1 12:13:05 pfSense pf: 00:00:00.000135 rule 2/0(match): block out on pppoe0: (tos 0x0, ttl 64, id 53624, offset 0, flags [DF], proto TCP (6), length 158)
Feb 1 12:13:05 pfSense pf: <wan ip>.40395 > <openvpn server ip>.5018: Flags [P.], cksum 0x64db (correct), ack 1, win 516, options [nop,nop,TS val 48665 ecr 1395865866], length 106
--
Feb 1 12:13:05 pfSense pf: 00:00:00.031787 rule 2/0(match): block out on pppoe0: (tos 0x0, ttl 64, id 17266, offset 0, flags [DF], proto TCP (6), length 476)
Feb 1 12:13:05 pfSense pf: <wan ip>.40395 > <openvpn server ip>.5018: Flags [P.], ack 1, win 516, options [nop,nop,TS val 48700 ecr 1395865866], length 424
--
Feb 1 12:13:07 pfSense pf: 00:00:00.179927 rule 2/0(match): block out on pppoe0: (tos 0x0, ttl 64, id 7704, offset 0, flags [DF], proto TCP (6), length 158)
Feb 1 12:13:07 pfSense pf: <wan ip>.40395 > <openvpn server ip>.5018: Flags [P.], cksum 0x6394 (correct), ack 1, win 516, options [nop,nop,TS val 48886 ecr 1395865866], length 106
```
The system log only shows these two messages, probably caused by enabling the OpenVPN client configuration:
```
Feb 1 12:12:52 pfSense check_reload_status: Reloading filter
Feb 1 12:12:55 pfSense check_reload_status: Syncing firewall
```
-
That does look like what I described above. Is your gateway monitoring not set up correctly to detect whether you're online? Status>Gateways should show it as up; if it doesn't, you're going to kill states on filter reloads. You can turn that off under System>Advanced, Misc, check box under "Gateway Monitoring" to work around it if you don't want to fix your gateway monitoring (it's not really necessary unless you have multi-WAN anyway).
-
YES!
I've disabled gateway monitoring and the connection doesn't get cut anymore. I hadn't taken care of setting up gateway monitoring because I thought it was simple monitoring (i.e. 'nice to know' information). Thank you for your help!
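A small triage helper for pf block-log pairs like the ones quoted in this thread, added here as an example and not code from the thread or from pfSense: it pairs each `rule N/0(match)` line with its flow line and separates blocked mid-connection packets (no SYN flag, as in the `[P.]` entries above, i.e. a state that pf no longer holds) from blocked connection attempts (SYN, an actual rule decision). The sample lines and the 198.51.100.7 address are constructed for the example.

```python
import re
from collections import Counter

# First line of a pf log pair: rule id, action, direction, interface.
RULE_RE = re.compile(r"pf: \S+ rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) "
                     r"(?P<dir>in|out) on (?P<iface>\w+):")
# Second line: tcpdump-style flow with the TCP flags.
FLOW_RE = re.compile(r"pf: (?P<src>.+?)\.(?P<sport>\d+) > (?P<dst>.+?)\.(?P<dport>\d+): "
                     r"Flags \[(?P<flags>[^\]]*)\]")

def classify_pf_log(lines):
    """Pair up pf log lines; count blocked TCP packets per flow by verdict.
    state-lost: no SYN, data for a connection pf has no state for any more.
    rule-block: SYN, a new connection rejected by the rule set."""
    verdicts, pending = {}, None
    for line in lines:
        line = line.strip()
        if not line or line == "--":          # skip grep -B group separators
            continue
        m = RULE_RE.search(line)
        if m:                                  # rule line: keep until flow line
            pending = m.groupdict()
            continue
        m = FLOW_RE.search(line)
        if m and pending and pending["action"] == "block":
            flow = (m["src"], m["sport"], m["dst"], m["dport"])
            verdict = "rule-block" if "S" in m["flags"] else "state-lost"
            verdicts.setdefault(flow, Counter())[verdict] += 1
        pending = None
    return verdicts

def triage(lines):
    """One hint per flow: dropped state (reload / gateway flap) or rule problem."""
    hints = {}
    for flow, c in classify_pf_log(lines).items():
        if c["rule-block"]:
            hints[flow] = "new connection blocked: check the rule set"
        else:
            hints[flow] = "established flow blocked: state dropped, check gateway monitoring / filter reloads"
    return hints

# Sample log lines (constructed): the first pair mirrors the thread's placeholder
# addresses, the last pair is an inbound SYN to exercise the rule-block branch.
SAMPLE = """
Feb 1 12:12:59 pfSense pf: 00:00:00.362490 rule 2/0(match): block out on pppoe0: (tos 0x0, ttl 64, id 1407, offset 0, flags [DF], proto TCP (6), length 158)
Feb 1 12:12:59 pfSense pf: <wan ip>.40395 > <openvpn server ip>.5018: Flags [P.], cksum 0x62fb (correct), ack 3804880805, win 516, length 106
--
Feb 1 12:20:00 pfSense pf: 00:00:00.000100 rule 2/0(match): block in on pppoe0: (tos 0x0, ttl 51, id 1, offset 0, flags [DF], proto TCP (6), length 60)
Feb 1 12:20:00 pfSense pf: 198.51.100.7.51234 > <wan ip>.22: Flags [S], cksum 0x0000 (correct), seq 1, win 65535, length 0
""".strip().splitlines()
```

Run it over the full `grep -B 1` output above and every flow comes back `state-lost`, which is the signature the answer describes: no rule is rejecting the VPN, the state table was flushed.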