Netgate Discussion Forum
    PfSense as OpenVPN client - no traffic through tunnel

    ilium007

      I have no idea what I have done wrong here…

      I have configured an OpenVPN tunnel that I have confirmed is up and running.

      From the pfSense box I can ping the remote internal LAN interface on the router:

      From a client on the internal LAN on my side I can't get traffic across:

      I am quite certain I have the gateway set up properly:

      And I have an interface configured:

      The status page for the OpenVPN tunnel shows it as up (not sure what is going on with those latency times!):

      Routing table on the pfSense box looks correct to me:

      I have set a firewall rule for this interface (not sure if that was needed):

      NAT has been left set to auto.

      You can see here in a packet capture that the ICMP request goes from the tunnel endpoint address (10.22.22.6) to the remote router (192.168.12.1) and the ICMP reply comes back but I never see it on a local LAN subnet machine (on the 192.168.10.0/24 network).

      Can anyone please help me get this sorted?

    marvosa

        First let's clarify your intentions. What are you trying to do? Site-to-Site tunnel? Connect to a VPN service and use it as your WAN?

    ilium007

          @marvosa:

          First let's clarify your intentions. What are you trying to do? Site-to-Site tunnel? Connect to a VPN service and use it as your WAN?

          Sorry - I should have explained that.

          I am trying to get a site-to-site tunnel up. On this end I am on a 192.168.10.0/24 subnet and the remote side (OpenVPN server side) is a 192.168.12.0/24 subnet. I am using the pfSense box as the OpenVPN client.

          My remote end server conf file:

          daemon
          server 10.22.22.0 255.255.255.0
          proto udp
          port 23012
          dev tun22
          cipher AES-256-CBC
          keepalive 15 60
          verb 3
          tls-auth static.key 0
          ca ca.crt
          dh dh.pem
          cert server.crt
          key server.key
          status-version 2
          status status
          
          # Custom Configuration
          route 192.168.10.0 255.255.255.0
          

          The OpenVPN client config:

          dev ovpnc2
          dev-type tun
          dev-node /dev/tun2
          writepid /var/run/openvpn_client2.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto udp
          cipher AES-256-CBC
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          local xxx.243.xxx.86
          tls-client
          client
          lport 0
          management /var/etc/openvpn/client2.sock unix
          remote xxxxxx.dyndns.org 23012
          ifconfig 10.22.22.2 10.22.22.1
          route 192.168.12.0 255.255.255.0
          ca /var/etc/openvpn/client2.ca 
          cert /var/etc/openvpn/client2.cert 
          key /var/etc/openvpn/client2.key 
          tls-auth /var/etc/openvpn/client2.tls-auth 1
          resolv-retry infinite
          
    ilium007

            As I said earlier, the VPN is up. I can ping the remote router (192.168.12.1) from the pfSense box, just not from a client on the 192.168.10.0/24 network.

    phil.davis

              From what I can see, the server end does not reply to packets from the client LAN (192.168.10.*). Does the server end have firewall rules to allow incoming packets from 192.168.10.*?

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

    ilium007

                @phil.davis:

                From what I can see, the server end does not reply to packets from the client LAN (192.168.10.*). Does the server end have firewall rules to allow incoming packets from 192.168.10.*?

                Yes it does. I can use the exact same certs and config on a software client (Viscosity on OSX) and it works fine.

    ilium007

                  • Set NAT to manual; saved; applied changes

                  • Set a F/W rule to route ALL traffic via gateway; pings came alive and I confirmed by going to whatismyip.com I was routing all traffic via remote VPN router.

                  • Removed the above rule; pings kept going, and I confirmed I was no longer sending all traffic via the remote VPN router by going back to whatismyip.com, where I could see my local IP.

    ilium007

                    Furthermore, I have set firewall rules on the 'OpenVPN' tab, the 'xxxxVPN' tab (the interface I created) and the 'LAN' tab in the firewall rules section to block traffic and I can still freely push traffic across the VPN tunnel.

                    How do you apply F/W rules to VPN traffic?

    phil.davis

                      The rules on OpenVPN and the OpenVPN interface you created apply to new traffic flows arriving at those interfaces (i.e. new traffic originating from the other end of the VPN link). When you start a ping from your end, it gets going based on rules on LAN that allow the first packet; then the ping/echo reply gets paired up with the original ping and is allowed back through the firewall regardless of the rules on the OpenVPN tab(s).
                      The OpenVPN interface you created is not normally needed for what you are doing. A normal site-to-site link that routes between some private subnets will work fine by:
                      a) putting the appropriate subnets in the Local Network and Remote Network fields of the OpenVPN GUI. This makes the routes happen.
                      b) adding firewall rules on the general OpenVPN tab (and the equivalent at the other end) to allow the traffic you want to come in on the OpenVPN.
                      c) adding firewall rules on LAN to allow traffic from the LAN subnet to the remote subnet (probably there is already a rule to allow all, which does the job).
                      There should be no need to add policy-routing rules.

                      Perhaps try to simplify things - remove the OpenVPN interface you made, and the policy-routing rules, and just have an "ordinary" site-to-site link.
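The state-before-rules behaviour described in this post, as an added example that is not code from the thread or from pfSense: a toy model of how pf admits a flow on the interface where its first packet arrives and then passes the reply (and later packets of the same flow) on the existing state, so a block rule on the OpenVPN tab never sees a LAN-initiated ping and a rule change on LAN only takes effect once the state is gone. Interfaces, rules and addresses are constructed to mirror the thread; this is not pf's real matching engine.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet enters the firewall on
    src: str
    dst: str


class StatefulFilter:
    """Toy model of pf's state-then-rules evaluation (not pf's real engine)."""

    def __init__(self, rules):
        # rules: {iface: [(action, src_prefix, dst_prefix), ...]}, first match wins
        self.rules = rules
        self.states = set()  # (src, dst) of flows a pass rule has admitted

    def filter(self, pkt):
        # pf checks for an existing state, in either direction, before it
        # evaluates any rule, so replies and later packets of an admitted
        # flow pass regardless of the rules on the interface they arrive on.
        if (pkt.src, pkt.dst) in self.states or (pkt.dst, pkt.src) in self.states:
            return "pass (state)"
        for action, src_p, dst_p in self.rules.get(pkt.iface, []):
            if pkt.src.startswith(src_p) and pkt.dst.startswith(dst_p):
                if action == "pass":
                    self.states.add((pkt.src, pkt.dst))
                return action
        return "block"  # pfSense's implicit default deny


def demo():
    # Constructed rule set mirroring the thread: LAN allows all, OpenVPN tab blocks all.
    rules = {"LAN": [("pass", "192.168.10.", "")], "OpenVPN": [("block", "", "")]}
    fw = StatefulFilter(rules)
    out = []
    # 1. LAN host pings the remote router: the LAN rule admits it and creates state.
    out.append(fw.filter(Packet("LAN", "192.168.10.5", "192.168.12.1")))
    # 2. Echo reply returns over the tunnel: state match, OpenVPN block rule never consulted.
    out.append(fw.filter(Packet("OpenVPN", "192.168.12.1", "192.168.10.5")))
    # 3. A flow started from the remote side is what the OpenVPN tab rules govern.
    out.append(fw.filter(Packet("OpenVPN", "192.168.12.20", "192.168.10.5")))
    # 4. LAN switched to block: the established ping still rides its existing state...
    rules["LAN"] = [("block", "", "")]
    out.append(fw.filter(Packet("LAN", "192.168.10.5", "192.168.12.1")))
    # 5. ...until the state table is reset, after which the block rule applies.
    fw.states.clear()
    out.append(fw.filter(Packet("LAN", "192.168.10.5", "192.168.12.1")))
    return out  # ["pass", "pass (state)", "block", "pass (state)", "block"]
```

Step 4 is the behaviour behind "I can still freely push traffic across the VPN tunnel" after adding block rules: the existing states keep matching until they are cleared or expire.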


    marvosa

                        Just out of curiosity, what kind of device is on the server-side?

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.