Netgate Discussion Forum
    Lan access to OpenVPN

    Category: OpenVPN. 16 Posts, 5 Posters, 4.2k Views
    Pim wrote:

      It used to work when I just used OpenVPN on a windows box before I started using PFSense.

      I used it to have my devices always connected to my VPN (i.e. no traffic is allowed except over the VPN), so I don't have to remember to connect every time I go outdoors.

      jg3 wrote:

        @Pim:

        Then I come at home, connect to my local network, the same network the openvpn is running on, and it won't connect anymore.

        First, you need to clarify what "it" means here.

        For what it's worth, I have this working.  I'm posting this from home while connected to my home VPN.  I use the Mac client Viscosity and I have the "send all traffic over the VPN" client option checked.  In pfSense under Diagnostics:States I see my connection to forum.pfsense.org to/from my VPN IP as in the attached screenshot.

        You haven't told us much about your config, but I'm using TCP/TUN.  That could be the difference.  Here's my config as shown in the openvpn section of /conf/config.xml.

        
          <openvpn>
            <openvpn-server>
              <vpnid>1</vpnid>
              <mode>server_tls_user</mode>
              <authmode>Local Database</authmode>
              <protocol>TCP</protocol>
              <dev_mode>tun</dev_mode>
              <ipaddr></ipaddr>
              <interface>any</interface>
              <local_port>443</local_port>
              <custom_options></custom_options>
              <tls>Iw0KIyA...............................................Q0K</tls>
              <caref>50c.......036</caref>
              <crlref></crlref>
              <certref>516.........8d2</certref>
              <dh_length>1024</dh_length>
              <cert_depth>1</cert_depth>
              <strictusercn></strictusercn>
              <crypto>bla-bla-bla</crypto>
              <engine>none</engine>
              <tunnel_network>10.39.0.224/28</tunnel_network>
              <remote_network></remote_network>
              <gwredir></gwredir>
              <local_network>10.39.6.0/24</local_network>
              <maxclients>10</maxclients>
              <compression></compression>
              <passtos></passtos>
              <client2client>yes</client2client>
              <dynamic_ip>yes</dynamic_ip>
              <pool_enable>yes</pool_enable>
              <dns_domain>thirtynineohsix</dns_domain>
              <dns_server1>10.39.0.225</dns_server1>
              <dns_server2>10.39.6.254</dns_server2>
              <dns_server3></dns_server3>
              <dns_server4></dns_server4>
              <ntp_server1>10.39.6.254</ntp_server1>
              <ntp_server2></ntp_server2>
              <netbios_enable></netbios_enable>
              <netbios_ntype>0</netbios_ntype>
            </openvpn-server>
          </openvpn>
        
        

        Don't listen to the haters.  Yes, this is a dumb configuration network-wise, but the whole job of the machines and systems around you is to allow you to focus on what really matters.

        [Attachment: Screen Shot 2013-08-29 at 12.57.29 PM.png]

        kejianshi wrote:

          It's not going to work well with TUN on UDP, more than likely, because NAT reflection in UDP doesn't work on pfSense reliably.
          jg3 is using TCP - He should get decent mileage  ;)

          (My advice - Use UDP for Openvpn on one port - Run TCP on another port - like 80 if you don't have a server on 80.  Prefer UDP.)

          jg3 wrote:

            @kejianshi:

            jg3 is using TCP - He should get decent mileage  ;)

            TCP:  It's the 4-wheel-drive of network protocols.  It's for knowing you can get there and get back out, and screw the gas mileage.  ;D

          kejianshi wrote:

              UDP is just plain better 90% of the time for VPN, especially at a distance where things get really really laggy on TCP. 
              I use TCP only when I must when some overly controlling net-nanny blocks everything except TCP 80.
              As long as I have 2 cores, I don't mind running two instances of VPN server on pfsense.

          Pim wrote:

                Well, switching to TCP did the job and everything works perfectly now. I don't really care about a bit of lag that might happen somewhere in the future. I mostly use the devices to receive email, so security overrules a bit of lag.

                Thanks again :)

          kejianshi wrote:

                  I'm glad that helps.  It's definitely a NAT mirror issue.
                  If you ever do find yourself needing that to work well far from home, set up UDP also on a separate port.
                  Good to see a plan come together anyway ;)

          Pim wrote:

                    @kejianshi:

                    I'm glad that helps.  It's definitely a NAT mirror issue.
                    If you ever do find yourself needing that to work well far from home, set up UDP also on a separate port.
                    Good to see a plan come together anyway ;)

                    Is this a problem with my ISP, with my router, pfsense firewall settings or openvpn config itself?

          kejianshi wrote:

                      Well - It's no longer a problem since you switched to TCP, right?

                      But the NAT mirroring issue on UDP is a pfsense thing.

                      I have no need for VPNing into my network from inside my network, but if I had that strange desire, I'd use TCP inside the LAN and UDP outside the LAN.

          Pim wrote:

                        @kejianshi:

                        Well - It's no longer a problem since you switched to TCP, right?

                        But the NAT mirroring issue on UDP is a pfsense thing.

                        I have no need for VPNing into my network from inside my network, but if I had that strange desire, I'd use TCP inside the LAN and UDP outside the LAN.

                        Well, if UDP is better and there is a solution to solve these issues while keeping UDP, I would like to solve it.

          kejianshi wrote:

                          Do you need to use the VPN from inside your own network or are you just doing this to test it?

          Pim wrote:

                            @kejianshi:

                            Do you need to use the VPN from inside your own network or are you just doing this to test it?

                            The goal is/was to be able to have my devices always connected to OpenVPN so I can't forget to activate it once I arrive somewhere. (and it's just easier to not have to activate openvpn 5 times a day)

          kejianshi wrote:

                              Leave it on TCP unless you travel far far away - hundreds of miles or more.
                              After that, switch over to UDP.
                              Pretty much all devices will allow multiple configurations and are easily selectable via GUI in the clients.
                              So, just run 2 instances of openvpn on your server.
                              This is a good idea for anyone really - just to guarantee access with multiple accessible ports/protocols.

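The two-instance setup the thread settles on (a UDP instance for use away from home, a TCP instance that also works from inside the LAN because it is not hit by the UDP NAT-reflection problem) can be put into a single client profile instead of two GUI-selectable configurations: OpenVPN tries the `remote` entries in order and moves on when one fails. The profile below is an added example, not from any poster or from pfSense; the hostname `vpn.example.com`, the UDP port 1194 and the certificate/key file names are assumptions, while 443/TCP, tun, TLS plus user authentication and the tls-auth key follow jg3's config.xml above. It generalizes slightly beyond the thread by doing the protocol fallback automatically rather than by hand.

```conf
# Added example client profile (not from the thread). Hostname, UDP port
# and file names are assumptions; 443/TCP and tls-auth match jg3's server.
client
dev tun
nobind
persist-key
persist-tun

# Remotes are tried in the order listed. From inside the LAN the public
# name resolves to the WAN address, so the UDP attempt depends on NAT
# reflection and fails; a short timeout makes the fall-through quick.
# (older 2.x clients spell this option server-poll-timeout)
connect-timeout 10

# 1. Away from home: the UDP instance (port assumed) for low latency.
remote vpn.example.com 1194 udp
# 2. Fallback, and the one that works from inside the LAN:
#    the TCP instance on 443 as in jg3's config.xml.
remote vpn.example.com 443 tcp

# Server is server_tls_user: client certificate plus username/password,
# with the shared tls-auth key (direction 1 on the client side).
auth-user-pass
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1

# Only accept a server certificate carrying the server EKU, so another
# client's certificate issued by the same CA cannot impersonate the server.
remote-cert-tls server
verb 3
```

With this profile the client connects over UDP when it is outside, and over TCP 443 when it is at home on the same LAN as pfSense, without the user choosing anything. If the server-side TCP and UDP instances use different tunnel networks or certificates, the profile must carry whichever applies to both.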
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.