Problem tunneling all client traffic through openVPN
-
tell me if i misread:
So basically you want your roadwarrior to access the internet over the VPN. It resolves DNS using the VPN. It's able to contact hosts within the pfSense LAN.
And firewall rules should not block its way out. My first guess would be that this is a NAT issue. Try using AON (advanced outbound NAT).
Do not enable this from a remote location if you have complex routing!
Once enabled, make sure to create a NAT rule on your WAN connections for the VPN subnet.
jeroen
-
I have AON enabled and have this rule:
Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port
WAN2 10.0.8.0/24 * * * * * NO
I also added one for the WAN in case it was coming through there:
WAN 10.0.8.0/24 * * * * * NO
Still no joy.
-
Can you tell me what device 10.0.8.5 is? You use it as gateway, but it appears that your pfSense is 10.0.8.1.
-
That is a good question; it is what pfSense has defaulted it to. I do not specify 10.0.8.5 anywhere.
What do you suggest? Should I add in the advanced options:
push "redirect-gateway def1"
Edit: tried adding the above and I get no output under gateway when viewing ipconfig /all.
-
Here is my configuration for road warrior from the top to bottom in the GUI (if I use xxxx this means it's filled in but not specified here):
Server Mode: Remote Access (SSL/TLS + User Auth)
Backend for auth: Local Database
protocol: UDP
device mode: tun
interface: WAN
local port: xxxx
description: xxxx
TLS Authentication: checked, with a 2048-bit key
Peer Certificate Authority: xxxx
Server Certificate: xxxx
DH Parameters Length: 2048 bits
Encryption Algorithm: xxxx
Hardware crypto: xxxx
Certificate depth: xxxx
Tunnel Network: 10.0.0.0/24
Redirect Gateway: checked
Compression: checked
Dynamic IP: checked
Address Pool: Checked
DNS Default Domain: checked
DNS Servers: filled
Advanced: user nobody;group nobody

---------- Here is the actual config file itself inside /var/etc/openvpn generated by openvpn ----------
(all of these options are automatically generated based on my options selected in the GUI except
the user nobody;group nobody advanced options)

dev ovpns2
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher xxxx
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxxx
tls-server
server 10.0.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/xxxx.php via-env
tls-verify /var/etc/openvpn/xxxx.tls-verify.php
lport xxxx
management /var/etc/openvpn/xxxx.sock unix
push "route xxxx 255.255.255.0"
push "dhcp-option DOMAIN xxxx"
push "dhcp-option DNS xxxx"
push "redirect-gateway def1"
ca /var/etc/openvpn/xxxx.ca
cert /var/etc/openvpn/xxxx.cert
key /var/etc/openvpn/xxxx.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/xxxx.tls-auth 0
comp-lzo
persist-remote-ip
float
user nobody
group nobody

---------- My NAT Out rule under AON ----------
Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
WAN 10.0.0.0/24 * * * * * NO Description

---------- My firewall rule under the OpenVPN tab under Firewall > Rules ----------
ID Proto Source Port Dest. Port Gateway Queue Sched. Descr.
* 10.0.0.0/24 * * * * * -
I didn't include my external firewall rule, but yours looks fine.
You can ping internal addresses on the OpenVPN network from the client OK, correct? I had this problem recently when I upgraded to 2.0.1, but it was just a fundamental NAT issue.
All of your configuration seems fine… ArgH.
-
Yes, I can ping PCs on the LAN. I can't get my head around it!
-
When my problem with NAT was going on, I had the same symptom.
No firewall block would show because it wasn't getting blocked.
The client could resolve hostnames no problem but couldn't ping back out the gateway.
Are you sure all of the subnets in your firewall/NAT rules are correct to the client pool subnet for the warrior VPN?
-
Try leaving concurrent connections blank.
Remove your redirect-gateway def1 entry in advanced options if it's still there; the checkbox in the GUI will suffice.
-
Try leaving concurrent connections blank.
Remove your redirect-gateway def1 entry in advanced options if it's still there; the checkbox in the GUI will suffice.

Tried that, didn't fix it.

Are you sure all of the subnets in your firewall/NAT rules are correct to the client pool subnet for the warrior VPN?

No, most of those NAT rules were made automatically.
Come to think of it, I will have to play with the WAN gateways, as one day (after setting up failover) some subnets stopped having internet. I had to change from gateway = * to gateway = WAN for them to get online. I will try the same for OpenVPN.
EDIT - SUCCESS :)
I had to change the OpenVPN firewall rules to use the WAN2 gateway:
- 10.0.8.0/24 * * * WAN2_312403 none
Thanks for all the help!
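The two checks this thread converges on, that every NAT and OpenVPN-tab rule source must match the client pool from the `server` directive and that on multi-WAN the OpenVPN rule needs an explicit gateway rather than `*`, as an added example that is not from the thread or from pfSense. The config and rule rows are constructed from the posts above with the redacted values left as placeholders.

```python
import ipaddress
import re

# Constructed sample: trimmed copy of the pfSense-generated OpenVPN server
# config posted above (only the directives the checks look at).
OPENVPN_SERVER_CONF = """\
dev ovpns2
dev-type tun
proto udp
server 10.0.0.0 255.255.255.0
push "redirect-gateway def1"
"""

# Constructed rule rows: outbound NAT (interface, source) and OpenVPN-tab
# firewall rules (interface, source, gateway), as posted earlier in the thread.
NAT_RULES = [("WAN", "10.0.8.0/24"), ("WAN2", "10.0.8.0/24")]
FW_RULES = [("OpenVPN", "10.0.8.0/24", "*")]
MULTI_WAN = True  # assumption: failover/multi-WAN is configured

def tunnel_network(conf):
    """Client pool as an IPv4Network, taken from the 'server <net> <mask>' line."""
    m = re.search(r"^server\s+(\S+)\s+(\S+)", conf, re.M)
    if not m:
        raise ValueError("no 'server' directive found")
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)

def redirects_gateway(conf):
    """True when the server pushes redirect-gateway, i.e. all client traffic tunnels."""
    return re.search(r'^push\s+"redirect-gateway', conf, re.M) is not None

def check_rules(conf, nat_rules, fw_rules, multi_wan):
    """Return a list of findings; an empty list means the rules are consistent."""
    pool = tunnel_network(conf)
    findings = []
    if redirects_gateway(conf) and not nat_rules:
        findings.append("redirect-gateway is pushed but no outbound NAT rule covers the pool")
    for iface, src in nat_rules:
        if ipaddress.ip_network(src) != pool:
            findings.append(f"NAT rule on {iface}: source {src} != tunnel network {pool}")
    for iface, src, gw in fw_rules:
        if ipaddress.ip_network(src) != pool:
            findings.append(f"firewall rule on {iface}: source {src} != tunnel network {pool}")
        elif multi_wan and gw == "*":
            # Gateway '*' follows the default route, which moves after failover.
            findings.append(f"firewall rule on {iface}: set an explicit WAN gateway, not '*'")
    return findings

if __name__ == "__main__":
    for finding in check_rules(OPENVPN_SERVER_CONF, NAT_RULES, FW_RULES, MULTI_WAN):
        print("FINDING:", finding)
```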