Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Openvpn server not starting (road warrior configuration)

    Scheduled Pinned Locked Moved OpenVPN
    23 Posts 4 Posters 9.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D Offline
      doktornotor Banned
      last edited by

      @jayw:

      I'm struggling with this.  Are you saying " turn off the nat & routing functions in the ZyXel?"

      Yes, definitely.

      1 Reply Last reply Reply Quote 0
      • J Offline
        jayw
        last edited by

        @doktornotor:

        @jayw:

        I'm struggling with this.  Are you saying " turn off the nat & routing functions in the ZyXel?"

        Yes, definitely.

        Would I need to  make changes in the firewall and/or NAT on 192.168.0.135 ?

        -j

        1 Reply Last reply Reply Quote 0
        • P Offline
          phil.davis
          last edited by

          I was just having a laugh, because there don't seem to be any realistic hardware options that have native ADSL interfaces (a board with a telephone line jack) and run pfSense - if such things were easily available we would all be able to sleep easy not messing about with some front-end modem device that may or may not do NAT itself, port forward, route, may or may not go into bridge mode…

          But yes, if the ZyXel can go into bridge mode and just pass through the real external public IP, then life is so much easier at the pfSense end. It can make the connection to the ISP directly itself and can see and deal with all traffic directly.

          I have no idea about ZyXel and bridge mode, so make sure you have some confidence that you could put settings back the way they are, before you change stuff and your internet access is completely screwed!

          Another thing I did recently on some TP-Link and Digicom ADSL devices was to not do specific port forwarding in to the pfSense WAN. They had a place to put a "DMZ IP". I put the pfSense WAN IP in there. It forwarded all traffic from the ADSL public IP to the pfSense WAN IP - like doing 1:1 NAT, plus ICMP and everything. Then I could open whatever ports I needed, and also block and log bad things at pfSense if I want to know who is port-scanning me from where...

          Maybe the ZyXel has a similar option to forward everything, and it might work.

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          1 Reply Last reply Reply Quote 0
          • P Offline
            phil.davis
            last edited by

            Would I need to  make changes in the firewall and/or NAT on 192.168.0.135 ?

            If you get the ZyXel into bridge mode, then pfSense WAN will end up with the real public IP. But mostly your firewall rules that open up incoming things refer to destination WAN Address, so pfSense does the right thing underneath to make pf rules for whatever "WAN Address" currently is.

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

            1 Reply Last reply Reply Quote 0
            • D Offline
              doktornotor Banned
              last edited by

              @phil.davis:

              But yes, if the ZyXel can go into bridge mode and just pass through the real external public IP, then life is so much easier at the pfSense end. It can make the connection to the ISP directly itself and can see and deal with all traffic directly.

              I have no idea about ZyXel and bridge mode, so make sure you have some confidence that you could put settings back the way they are, before you change stuff and your internet access is completely screwed!

              Definitely possible - I've done this with multiple Zyxel xDSL "modems" usually supplied by the ISPs here.

              1 Reply Last reply Reply Quote 0
              • J Offline
                jayw
                last edited by

                Kids are back in school and this project finally made it back on my list of things to do.

                I figured out how to put the zyxel into transparent bridge mode - http://www.youtube.com/watch?v=eu1YDchv8uc

                Currently the zyxel is configured with a static IP.  If I put the zyxel into bridge mode, what changes do I need to  make on the pfsense WAN port?

                ZyXel Config:
                Modem IPv4 Address:  104.1.54.174
                Modem IPv4 Subnet Mask: 255.255.255.128
                DNS Address #1: 67.232.255.222
                DNS Address #2:  67.232.255.218
                Remote Gateway Address: 104.1.54.129 
                

                ?

                1 Reply Last reply Reply Quote 0
                • K Offline
                  kejianshi
                  last edited by

                  WARNING: potential conflict between –local address [192.168.0.135] and –ifconfig address pair [192.168.0.1, 192.168.0.2] – this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. (silence this warning with --ifconfig-nowarn)

                  1 Reply Last reply Reply Quote 0
                  • J Offline
                    jayw
                    last edited by

                    What should I do to address that?
                    @kejianshi:

                    WARNING: potential conflict between –local address [192.168.0.135] and –ifconfig address pair [192.168.0.1, 192.168.0.2] – this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. (silence this warning with --ifconfig-nowarn)

                    1 Reply Last reply Reply Quote 0
                    • K Offline
                      kejianshi
                      last edited by

                      You should move your network ip for the server and the openvpn subnet to something fairly random and unique.  Pick something like 10.94.113.1

                      like 10.x.x.1 for LAN ip and 10.x.x.0/24 for openvpn subnet.

                      Substitute numbers between 10 and 250 for the Xs.

                      1 Reply Last reply Reply Quote 0
                      • J Offline
                        jayw
                        last edited by

                        That makes sense.  Will make the changes this week.  Do you think that's what is preventing the OpenVPN client from accessing the server?  @kejianshi:

                        You should move your network ip for the server and the openvpn subnet to something fairly random and unique.  Pick something like 10.94.113.1

                        like 10.x.x.1 for LAN ip and 10.x.x.0/24 for openvpn subnet.

                        Substitute numbers between 10 and 250 for the Xs.

                        1 Reply Last reply Reply Quote 0
                        • K Offline
                          kejianshi
                          last edited by

                          Not sure.  Openvpn is actually really really simple to set up and make work, so if its not working, usually its a simple mistake.  The sort of thing that makes you do a giant self-face-palm when you figure it out.
                          So yeah - If its not that, its something else that simple.
                          But, we have all been there at one time or another ;D

                          1 Reply Last reply Reply Quote 0
                          • K Offline
                            kejianshi
                            last edited by

                            Can you do me a favor.  Can you go to your main screen that shows your WAN and LAN ip and status.  Post that here.  please.

                            1 Reply Last reply Reply Quote 0
                            • D Offline
                              doktornotor Banned
                              last edited by

                              @jayw:

                              Currently the zyxel is configured with a static IP.  If I put the zyxel into bridge mode, what changes do I need to  make on the pfsense WAN port?

                              You put what's on Zyxel to WAN configuration on pfsense and assign some LAN IP to the Zyxel box.

                              1 Reply Last reply Reply Quote 0
                              • J Offline
                                jayw
                                last edited by

                                If I put the IP config on the pfsense wan interface and turn the zyxel into a transparent bridge, how will I access the zyxel?  @doktornotor:

                                @jayw:

                                Currently the zyxel is configured with a static IP.  If I put the zyxel into bridge mode, what changes do I need to  make on the pfsense WAN port?

                                You put what's on Zyxel to WAN configuration on pfsense and assign some LAN IP to the Zyxel box.

                                1 Reply Last reply Reply Quote 0
                                • D Offline
                                  doktornotor Banned
                                  last edited by

                                  @jayw:

                                  If I put the IP config on the pfsense wan interface and turn the zyxel into a transparent bridge, how will I access the zyxel?

                                  http://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall - or connect it directly to a PC temporarily… Since there's nothing to configure once done, cannot see how's this exactly an issue.

                                  1 Reply Last reply Reply Quote 0
                                  • J Offline
                                    jayw
                                    last edited by

                                    Thanks for the advice!

                                    I have to wait until after hours to make changes but hopefully will get to it tonight.

                                    -j

                                    1 Reply Last reply Reply Quote 0
                                    • First post
                                      Last post
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.