    OpenVPN SSL/TSL + User Auth work from WAN subnet but not from internet

ACL:

      Hello everybody!

      I just installed a pfsense 2.0.2 RELEASE.

      I'm trying to activate the openvpn access for roadwarriors as explained in this tutorial:

      http://blog.stefcho.eu/?p=492

The pfSense is in the network 10.35.239.0/24 (WAN), behind a Cisco router that NATs/forwards port 1194 TCP to the pfSense.

I installed a PC with the auto-generated OpenVPN client package (it installs the OpenVPN client with all the necessary configuration).

If I connect with a client in the same 10.35.239.0/24 network as the pfSense, all is fine.

If I then connect to the OpenVPN/pfSense from the internet, the connection doesn't work. It just times out.

I see in the firewall log that traffic from my internet address to the pfSense WAN address on port 1194 is passed (so it looks like the Cisco router is forwarding the traffic OK), but the OpenVPN log shows nothing, as if it never receives any connection from my client through the internet.

Is there anyone who could shed some light on this? Or point me to a good tutorial on setting up user authentication with pfSense + OpenVPN?

ACL:

If it is useful, my client connection config is:

        dev tun
        persist-tun
        persist-key
        cipher AES-128-CBC
        tls-client
        client
        resolv-retry infinite
        remote 10.35.239.132 1194 tcp
        tls-remote Collab-server
        auth-user-pass
        pkcs12 it-vsrv-vpnfirewall-143-TCP-1194-client.p12
        tls-auth it-vsrv-vpnfirewall-143-TCP-1194-client-tls.key 1
        comp-lzo

phil.davis:

          remote 10.35.239.132 1194 tcp

          From the internet you can never reach that address. The client needs to have the public IP of the Cisco router that port forwards to pfSense - either the actual static IP or a name (mycompany.com) that translates to the IP.

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

ACL:

Hello!
You are perfectly right.
I forgot to mention that I posted the config that works when the client is in the same network as the pfSense WAN.

I put a public IP in place of the 10.35.239.132 one when I try to connect from the internet.

I see in the firewall log that the connection is forwarded to the pfSense, but I see nothing in the OpenVPN log.

Also, if I telnet to port 1194 from the internet, the connection does not seem to be established, although I see it logged in the pfSense's firewall log.

phil.davis:

The pfSense WAN, where the server is listening for forwarded connections from the Cisco, has to have a firewall rule allowing incoming from anywhere to WAN address port 1194 (protocol TCP in your case - but unless there is a reason you need to use TCP, it is normally better to use UDP for VPN).


ACL:

Hello!
Thanks for the reply.
I have a rule in the firewall, and I see in the firewall log on the pfSense that the rule is matched and has a green "pass" icon.
I see a strange thing though; the line in the log says:

WAN 82.84.200.xxx:1167 10.35.239.132:1194 TCP:S

So only the SYN flag is received. That's really strange... it is the only log entry I see any time I try a connection, and there is no log at all in the OpenVPN-specific log.

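A note on reading that log line, and an added example that is not part of the thread: a stateful pass rule in pfSense logs only the packet that creates the state, so a single TCP:S entry per attempt is exactly what a working rule produces. It proves the Cisco forwarded the SYN and pf accepted it, but says nothing about whether pfSense sent a SYN-ACK back, or whether that SYN-ACK reached the client. The script below (my own, not from the posts or from pfSense) answers those two questions from a `tcpdump -n` capture taken on the pfSense WAN interface. The interface name `em0`, the file name, and the 203.0.113.0/24 client addresses are assumptions; the capture text is constructed for the example.

```python
"""Spot OpenVPN TCP handshakes that reach the pfSense WAN but get no answer.

Added example for this thread, not code from the posts or from pfSense.
Assumed workflow (interface and file name are hypothetical):
    tcpdump -n -i em0 'tcp port 1194' > wan-1194.txt    # run on pfSense
then feed the saved text to diagnose().
"""
import re
from collections import defaultdict

OPENVPN_PORT = 1194

# tcpdump -n prints IPv4 TCP packets as
#   <time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ...
_PKT = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture (203.0.113.0/24 is documentation address space;
# the 10.35.239.x addresses follow the thread). Three clients:
#   203.0.113.7   sends SYNs, pfSense never answers
#   10.35.239.50  on the WAN subnet, completes the handshake
#   203.0.113.9   gets SYN-ACKs that are retransmitted and never acknowledged
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.7.1167 > 10.35.239.132.1194: Flags [S], seq 1000, win 65535, options [mss 1460], length 0
12:00:04.000001 IP 203.0.113.7.1167 > 10.35.239.132.1194: Flags [S], seq 1000, win 65535, options [mss 1460], length 0
12:00:05.000001 IP 10.35.239.50.51234 > 10.35.239.132.1194: Flags [S], seq 2000, win 65535, options [mss 1460], length 0
12:00:05.000100 IP 10.35.239.132.1194 > 10.35.239.50.51234: Flags [S.], seq 3000, ack 2001, win 65535, options [mss 1460], length 0
12:00:05.000200 IP 10.35.239.50.51234 > 10.35.239.132.1194: Flags [.], ack 1, win 65535, length 0
12:00:05.000300 IP 10.35.239.50.51234 > 10.35.239.132.1194: Flags [P.], seq 1:15, ack 1, win 65535, length 14
12:00:09.000001 IP 203.0.113.9.40000 > 10.35.239.132.1194: Flags [S], seq 4000, win 65535, options [mss 1460], length 0
12:00:09.000100 IP 10.35.239.132.1194 > 203.0.113.9.40000: Flags [S.], seq 5000, ack 4001, win 65535, options [mss 1460], length 0
12:00:10.000100 IP 10.35.239.132.1194 > 203.0.113.9.40000: Flags [S.], seq 5000, ack 4001, win 65535, options [mss 1460], length 0
"""


def parse_flows(capture_text, port=OPENVPN_PORT):
    """Count, per (client_ip, client_port): SYNs in, SYN-ACKs out, and client
    packets after the SYN (ACK/data, i.e. the client saw the SYN-ACK)."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "client_after_syn": 0})
    for line in capture_text.splitlines():
        m = _PKT.search(line)
        if not m:
            continue
        flags = m["flags"]
        if int(m["dport"]) == port:            # client -> server
            f = flows[(m["src"], int(m["sport"]))]
            if flags == "S":
                f["syn"] += 1
            elif "R" not in flags:             # ACK, PSH, FIN: handshake done
                f["client_after_syn"] += 1
        elif int(m["sport"]) == port:          # server -> client
            f = flows[(m["dst"], int(m["dport"]))]
            if flags == "S.":
                f["synack"] += 1
    return dict(flows)


def classify(flow):
    """Map one flow's counters to a verdict a practitioner can act on."""
    if flow["syn"] and not flow["synack"]:
        # pf accepted the SYN (that is all the firewall log ever shows) but
        # nothing went back: check that openvpn is bound to this address/port
        # and that pfSense has a usable route/gateway for the reply.
        return "no-reply"
    if flow["synack"] and not flow["client_after_syn"]:
        # pfSense answered but the client never saw it: return-path problem
        # (reply leaving via the wrong interface/gateway, or the Cisco not
        # translating it back to the client).
        return "reply-lost"
    if flow["client_after_syn"]:
        return "handshake-ok"
    return "unknown"


def diagnose(capture_text, port=OPENVPN_PORT):
    """Return {"client_ip:port": verdict} for every flow in the capture."""
    return {f"{ip}:{p}": classify(f)
            for (ip, p), f in parse_flows(capture_text, port).items()}


if __name__ == "__main__":
    for client, verdict in diagnose(SAMPLE_CAPTURE).items():
        print(f"{client:<24} {verdict}")
```

A "no-reply" verdict for internet clients while WAN-subnet clients show "handshake-ok" points at pfSense itself (listener, route or gateway state for the reply), not at the Cisco forward, which is the situation the thread ends up in. If you do find the WAN gateway is the cause, pfSense's gateway settings allow an alternate Monitor IP to be pinged instead of the gateway address, which keeps monitoring working rather than disabling it.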
ACL:

Hello!

I think I found the problem.
It was in the configuration of the default router (which is the same Cisco old 2600 router).
If the monitoring flag is left active in the gateway definition, the connections cannot get past TCP:S.
If monitoring is disabled and the gateway is considered always on, all seems fine.

I could not test with an actual OpenVPN client right now, but even just telnetting to the port from the internet gives a stable connection, and I see proper logging on the pfSense for the OpenVPN interaction.

Thanks to Phil for the help.

I'll properly mark this forum entry once I can do some testing with an OpenVPN client.

ACL:

I can confirm the problem is fixed.
The connection was successfully tested with remote clients on Windows 7 and 8 and OpenVPN GUI version 2.3.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.