Netgate Discussion Forum

    Internet Access issue using OpenVPN and Multi-wan

    marvosa:

      1.  Stay away from LAN segments that are in use by typical home routers… e.g. 192.168.1.x, 192.168.2.x, 192.168.3.x.  If the client tries to connect from a LAN that is already on one of those subnets it will break your routing.

      2.  You are pushing 192.168.0.0/16 through the tunnel, that is way too wide when I assume your LAN is made up of 192.168.1.0/24 and 192.168.2.0/24.  Keep it simple, i.e. if you're going to stay with your current LAN addressing, add 192.168.1.0/24 to the "Local Network" section and add push "route 192.168.2.0 255.255.255.0" to the Advanced configuration section

      3.  Your tunnel network is 192.168.3.0/24, which means there's no way you have a DNS server on 192.168.3.1.  In your VPN config, in the Client Settings section under DNS servers, if you're using the "Provide a DNS server list to clients" option, this needs to be the same IP your LAN clients are using for DNS.  Also, as currently configured, you need to change your tunnel network anyway.  Keep everything away from the ranges of typical home routers.

      4.  You won't see "redirect-gateway" in the client logs… that option adds a new default gateway behind the scenes which pushes all traffic through the tunnel.

    jgottlieb:

        I made the change to make the local network more specific and manually push the 192.168.2.x network out.  Unfortunately that didn't resolve the issue.  Same as before.  Can connect into all the local networks fine.  Can't hit the internet at all once connected.

        dev ovpns1
        dev-type tun
        dev-node /dev/tun1
        writepid /var/run/openvpn_server1.pid
        # privilege drop after start-up is commented out, so the daemon keeps running as root
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        # listens on TCP 443 (see lport below), bound to the WAN_HOME address
        proto tcp-server
        cipher AES-256-CBC
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        local xxx.xxx.197.63
        tls-server
        # tunnel network: clients receive 192.168.3.x addresses, the server side is 192.168.3.1
        server 192.168.3.0 255.255.255.0
        client-config-dir /var/etc/openvpn-csc
        username-as-common-name
        auth-user-pass-verify /var/etc/openvpn/server1.php via-env
        tls-verify /var/etc/openvpn/server1.tls-verify.php
        lport 443
        management /var/etc/openvpn/server1.sock unix
        max-clients 50
        # "Local Network" entry from the GUI, pushed as a route to every client
        push "route 192.168.1.0 255.255.255.0"
        push "dhcp-option DOMAIN pinkbunnyslippers.com"
        # DNS pushed to clients: first the LAN address, then public resolvers
        push "dhcp-option DNS 192.168.1.1"
        push "dhcp-option DNS 8.8.8.8"
        push "dhcp-option DNS 8.8.4.4"
        push "dhcp-option NTP 192.168.1.1"
        push "dhcp-option WINS 192.168.1.1"
        # all client traffic goes through the tunnel, so 192.168.3.0/24 must be
        # outbound-NATed on whichever WAN the firewall actually routes it out of
        push "redirect-gateway def1"
        client-to-client
        ca /var/etc/openvpn/server1.ca
        cert /var/etc/openvpn/server1.cert
        key /var/etc/openvpn/server1.key
        # 1024-bit DH parameters are below current recommendations; regenerate at 2048 bits or more
        dh /etc/dh-parameters.1024
        tls-auth /var/etc/openvpn/server1.tls-auth 0
        # tunnel compression; current OpenVPN guidance is to leave it off
        comp-lzo
        persist-remote-ip
        float
        # the manually added route from the Advanced configuration box
        push "route 192.168.2.0 255.255.255.0"

          marvosa:
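Added example, not code from the thread or from pfSense: a small Python check for the two address-plan pitfalls marvosa raised (a pushed route or the tunnel itself colliding with the client's own LAN, and a pushed DNS server the client cannot reach through the tunnel). The config text embedded below is a constructed excerpt of the relevant lines from the server config posted above; the client LANs used in the demonstration are assumed.

```python
"""Check an OpenVPN server config for address-plan conflicts.

Constructed example for this thread. SERVER_CONFIG is an excerpt of the
relevant lines from the posted server config; client LAN values are assumed.
"""
import ipaddress
import re

SERVER_CONFIG = """\
server 192.168.3.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1"
push "route 192.168.2.0 255.255.255.0"
"""

# OpenVPN writes "address netmask" pairs; ipaddress accepts "addr/netmask" directly.
_SERVER_RE = re.compile(r'^\s*server\s+(\S+)\s+(\S+)', re.M)
_ROUTE_RE = re.compile(r'^\s*push\s+"route\s+(\S+)\s+(\S+)"', re.M)
_DNS_RE = re.compile(r'^\s*push\s+"dhcp-option\s+DNS\s+(\S+)"', re.M)
_REDIRECT_RE = re.compile(r'^\s*push\s+"redirect-gateway\b', re.M)


def tunnel_network(cfg):
    """The network from the 'server' directive, or None if absent."""
    m = _SERVER_RE.search(cfg)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}") if m else None


def pushed_routes(cfg):
    """Every network the server pushes as a route to its clients."""
    return [ipaddress.ip_network(f"{a}/{m}") for a, m in _ROUTE_RE.findall(cfg)]


def pushes_redirect_gateway(cfg):
    return bool(_REDIRECT_RE.search(cfg))


def conflicting_networks(cfg, client_lan):
    """Tunnel network and pushed routes that overlap the client's local LAN.

    Any hit means the client's connected route and the VPN route compete for
    the same prefix (marvosa's point 1): traffic for the remote side can land
    on the client's local segment instead of the tunnel, or vice versa.
    """
    lan = ipaddress.ip_network(client_lan)
    candidates = [tunnel_network(cfg)] + pushed_routes(cfg)
    return [str(n) for n in candidates if n is not None and n.overlaps(lan)]


def unreachable_dns(cfg):
    """Pushed DNS servers that no tunnel route would carry.

    With redirect-gateway everything is routed through the tunnel, so nothing
    is flagged. Without it, a pushed resolver outside the tunnel network and
    the pushed routes is reached over the client's local path, not the VPN.
    """
    if pushes_redirect_gateway(cfg):
        return []
    routed = [tunnel_network(cfg)] + pushed_routes(cfg)
    flagged = []
    for server in _DNS_RE.findall(cfg):
        ip = ipaddress.ip_address(server)
        if not any(n is not None and ip in n for n in routed):
            flagged.append(server)
    return flagged


if __name__ == "__main__":
    # A client connecting from a home LAN on 192.168.1.0/24 collides with the pushed LAN route.
    print("conflicts from 192.168.1.0/24:", conflicting_networks(SERVER_CONFIG, "192.168.1.0/24"))
    # A client on an uncommon range does not.
    print("conflicts from 10.77.0.0/24:", conflicting_networks(SERVER_CONFIG, "10.77.0.0/24"))
    print("DNS not reachable via tunnel:", unreachable_dns(SERVER_CONFIG))
```

Run it against a proposed client LAN before rolling the address plan out; an empty list from both functions is what you want. The overlap check is deliberately prefix-based rather than exact-match, so a client sitting on 192.168.0.0/16 is reported against all three networks.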

          At this point, it's most likely either a firewall or DNS issue.

          1.  Make sure you're testing from an outside network where the LAN is not 192.168.1.x, 192.168.2.x or 192.168.3.x.

          2.  What are the firewall rules on the OpenVPN tab?

          3.  While connected, ping known IPs like 8.8.8.8, 8.8.4.4, 208.67.222.222, 208.67.220.220, etc. and see if you get a response.

          4.  Do nslookups on google.com, yahoo.com, msn.com, etc and make sure your DNS is resolving.

            jgottlieb:

            I agree, at this point I think it's a FW rule or NAT issue.  DNS is resolving fine.  But I am having no luck getting to any IPs.

            This is my OpenVPN interface rule.  Basically any any.  It was automatically added by the wizard.

                      • OpenVPN interface: pass any → any, description "OpenVPN Remote Access wizard"

            My biggest concern is it's a NAT issue.  I've switched over to AON and I've added a rule on the same wan interface (WAN_HOME) that the OpenVPN is setup on to NAT the 192.168.3.0/24.  But it's not working or I've set it up wrong.  Should I ask this in the NAT forum?

              kejianshi:

              Stop using Automatic outbound NAT for a couple of seconds.
              Try creating Manual Outbound NAT Entries.

              Also, when you pull up the Manual Outbound NAT and set it up, try posting a screenshot of your firewall rules, outbound NAT rules and OpenVPN server setup page.  Makes it easier to see what's going on.

              It has to be something simple, because what you are doing is simple.  Some tiny little setting.

                jgottlieb:

                I'm using AON (Advanced Outbound NAT), not automatic outbound NAT.  The naming is way too close and confusing.  Anyway, it's the manual one.

                Here are the NAT settings (attached)

                [Attached screenshots: NAT1.jpg, NAT2.jpg]

                  kejianshi:

                  When you say you can't browse the web once connected, I'm assuming you mean from the distant end connected via vpn?
                  Can you browse the web on a computer connected locally to the pfsense/openvpn server box?

                    jgottlieb:

                    Ok, so I managed to get it fixed.  It looks like for some reason WAN_OFFICE got set as the default gateway.  I thought WAN_HOME was set as the default.  I only had the NAT for the 192.168.3.x (VPN Address Pool) set on the WAN_HOME interface.  I had configured OpenVPN to run on the WAN_HOME interface so I figured that was the only place I needed to set the NAT.  And I thought WAN_HOME was the default gateway.

                    So I configured the NAT on both the WAN_HOME interface and WAN_OFFICE.  Now it works fine!

                    Thanks for all the help everyone!

                    Joshua

                      jgottlieb:
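Added example, not from the thread or from pfSense: a Python model of why the fix above worked. The interface OpenVPN listens on (WAN_HOME) only determines where the tunnel packets arrive; new connections from VPN clients to the internet follow the firewall's routing table, here the default route on WAN_OFFICE, and need an outbound NAT rule on that interface or they leave with an RFC 1918 source address the upstream drops. WAN_HOME and WAN_OFFICE are the names from the thread; the LAN, OPT1 and ovpns1 interface names, the route table and the client addresses are assumed.

```python
"""Model: does traffic from the VPN tunnel get outbound NAT on the WAN it leaves by?

Constructed example for this thread. Interface names WAN_HOME and WAN_OFFICE
come from the posts; LAN, OPT1, ovpns1, the routes and addresses are assumed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


@dataclass(frozen=True)
class NatRule:
    iface: str                      # interface the outbound NAT rule is attached to
    source: ipaddress.IPv4Network   # source network it translates


def net(s):
    return ipaddress.ip_network(s)


WAN_IFACES = {"WAN_HOME", "WAN_OFFICE"}

# Assumed routing table; the default route sits on WAN_OFFICE, as discovered in the thread.
ROUTES = [
    Route(net("192.168.1.0/24"), "LAN"),
    Route(net("192.168.2.0/24"), "OPT1"),
    Route(net("192.168.3.0/24"), "ovpns1"),
    Route(net("0.0.0.0/0"), "WAN_OFFICE"),
]

# Before the fix: tunnel network translated only on the interface OpenVPN listens on.
NAT_ONLY_HOME = [NatRule("WAN_HOME", net("192.168.3.0/24"))]
# After the fix: translated on both WANs.
NAT_BOTH = NAT_ONLY_HOME + [NatRule("WAN_OFFICE", net("192.168.3.0/24"))]


def egress_iface(dst, routes):
    """Longest-prefix match, the same way the kernel picks a route."""
    ip = ipaddress.ip_address(dst)
    best = max((r for r in routes if ip in r.prefix),
               key=lambda r: r.prefix.prefixlen, default=None)
    return best.iface if best else None


def classify_egress(src, dst, routes, nat_rules):
    """Return (verdict, egress interface) for one flow.

    'private-source-leaks' means the packet leaves a WAN untranslated with an
    RFC 1918 source, which is exactly the symptom in the thread: DNS works
    (it goes to 192.168.1.1 over the LAN) but nothing on the internet answers.
    """
    src_ip = ipaddress.ip_address(src)
    iface = egress_iface(dst, routes)
    if iface is None:
        return ("no-route", None)
    if iface not in WAN_IFACES:
        return ("ok", iface)        # internal hop; no translation expected
    translated = any(r.iface == iface and src_ip in r.source for r in nat_rules)
    if src_ip.is_private and not translated:
        return ("private-source-leaks", iface)
    return ("ok", iface)


def interfaces_missing_nat(source_net, nat_rules):
    """WANs with no outbound NAT rule covering source_net.

    In a multi-WAN setup any WAN may end up carrying the flow (default route,
    failover, policy routing), so the safe check is every WAN, not just the
    one the VPN is bound to.
    """
    src = net(source_net)
    covered = {r.iface for r in nat_rules if src.subnet_of(r.source)}
    return sorted(WAN_IFACES - covered)


if __name__ == "__main__":
    client, target = "192.168.3.6", "8.8.8.8"
    print("before:", classify_egress(client, target, ROUTES, NAT_ONLY_HOME))
    print("after: ", classify_egress(client, target, ROUTES, NAT_BOTH))
    print("WANs still missing NAT before fix:", interfaces_missing_nat("192.168.3.0/24", NAT_ONLY_HOME))
```

The practical check this encodes: list every WAN on the box and confirm each one has an outbound NAT entry for the tunnel network, regardless of which WAN the OpenVPN server is bound to. Binding fixes where the tunnel terminates; routing decides where the clients' traffic leaves.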

                      Does anyone know why I can't change the topic of the original post any longer?  I wanted to mark it as solved.  I was able to on another thread that was shorter and more recent.  Is there some type of cut-off in terms of replies or time in which you can no longer change the original topic subject line?

                        phil.davis:

                        There is a limit of a couple of days for editing posts. So you can only do what you have already done - add an entry indicating the problem is solved.

                        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.