Netgate Discussion Forum

    OpenVPN from WAN (cell phone)

      A Former User

      I created a CA, a user (for VPN access), and followed the wizard to set up the OpenVPN server and it appears that I entered in the correct prompts.

      I exported the Android file from pfSense and emailed it to myself so I can save it to my phone. On the LAN, the Android OpenVPN app connected and used the VPN LAN IP I assigned, 192.168.2.6 (LAN is 192.168.1.1).

      When I disconnect from my Wi-Fi and attempt to connect from the WAN, the OpenVPN app doesn't connect; it states that it is waiting on the server.

      I did click to add and permit the firewall rules in the last step of the wizard. Is there something obvious that I forgot?

        phil.davis

        Does your pfSense WAN have a static public IP address? If so, then that should end up in the OpenVPN client config file and work (when doing client export, choosing Host Name Resolution = Interface IP Address).
        But otherwise, you have to give the client a way to find your public IP address. Use Dynamic DNS to make a public name (like myvpnserver.mydynamicdnsprovider.com) and then when you do client export, pick that name for Host Name Resolution.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          A Former User

          @phil.davis:

          Does your pfSense WAN have a static public IP address? If so, then that should end up in the OpenVPN client config file and work (when doing client export, choosing Host Name Resolution = Interface IP Address).
          But otherwise, you have to give the client a way to find your public IP address. Use Dynamic DNS to make a public name (like myvpnserver.mydynamicdnsprovider.com) and then when you do client export, pick that name for Host Name Resolution.

          Yes, it has a public IP. I used the OpenVPN client export tool and my public IP was part of the file name. I do have a dynamic name I'd like to use; I didn't see the option for that. I assume I'd use that for the client on my phone to connect in (so it knows which firewall to connect to), but all it asked for was the config file, which I had on my phone.

          I assume I need to re-create the export file with my dynamic name, but I am not sure where to put that in; I will have to take a look.

          To confirm, yes, for the export it was set to Interface IP Address.

          Thank you.

            phil.davis

            I did click to add and permit the firewall rules in the last step of the wizard. Is there something obvious that I forgot?

            Another thought - do you have other Firewall Rules on WAN? If so, then the pass rule for your incoming OpenVPN connections may end up after some other wider block rule, and thus the packet filter gets to the block first and never matches the pass. Look at the WAN rules and move the OpenVPN pass rule up to or near the top.

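The rule-ordering problem described in the post above, as an added example that is not part of the original thread. It models WAN rules as evaluated top-down with the first match winning and reports any pass rule hidden by an earlier, wider block rule. The rule fields, descriptions, addresses and the UDP 1194 port are assumptions made for illustration; floating rules are not modelled.

```python
import ipaddress

def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    proto_ok = outer["proto"] in ("any", inner["proto"])
    port_ok = outer["port"] in (None, inner["port"])
    src_ok = ipaddress.ip_network(inner["src"]).subnet_of(
        ipaddress.ip_network(outer["src"]))
    return proto_ok and port_ok and src_ok

def evaluate(rules, proto, src_ip, port):
    """Top-down, first match wins; no match falls through to default deny."""
    packet = {"proto": proto, "src": src_ip + "/32", "port": port}
    for candidate in rules:
        if covers(candidate, packet):
            return candidate["action"], candidate["descr"]
    return "block", "default deny"

def shadowed_pass_rules(rules):
    """Pair each pass rule with the first earlier block rule that hides it."""
    findings = []
    for i, candidate in enumerate(rules):
        if candidate["action"] != "pass":
            continue
        for earlier in rules[:i]:
            if earlier["action"] == "block" and covers(earlier, candidate):
                findings.append((candidate["descr"], earlier["descr"]))
                break
    return findings

def make_rule(action, proto, src, port, descr):
    return {"action": action, "proto": proto, "src": src, "port": port, "descr": descr}

# Constructed WAN rule list (simplified model, not pf syntax or a real config).
OPENVPN = make_rule("pass", "udp", "0.0.0.0/0", 1194, "OpenVPN wizard pass")
WAN_RULES = [
    make_rule("pass", "tcp", "0.0.0.0/0", 443, "HTTPS to web server"),
    make_rule("block", "udp", "0.0.0.0/0", None, "Block inbound UDP"),
    OPENVPN,
]
# The fix from the post: move the OpenVPN pass rule to the top.
REORDERED = [OPENVPN] + [r for r in WAN_RULES if r is not OPENVPN]

if __name__ == "__main__":
    for name, rules in (("as created", WAN_RULES), ("reordered", REORDERED)):
        print(name, evaluate(rules, "udp", "198.51.100.7", 1194),
              shadowed_pass_rules(rules))
```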
              A Former User

              @phil.davis:

              I did click to add and permit the firewall rules in the last step of the wizard. Is there something obvious that I forgot?

              Another thought - do you have other Firewall Rules on WAN? If so, then the pass rule for your incoming OpenVPN connections may end up after some other wider block rule, and thus the packet filter gets to the block first and never matches the pass. Look at the WAN rules and move the OpenVPN pass rule up to or near the top.

              A few rules, but nothing that would interfere with OpenVPN.

              How about the dynamic name? I need to change it so it isn't using my dynamic IP. It doesn't change that often, but when it does, it will be an issue.

              Thanks.

                phil.davis

                Sign up with a dynamic DNS provider (look in Services->Dynamic DNS, pretend to add one, look in the Service type dropdown for the list of supported ones).
                Choose a hostname that you like from what they offer. e.g. I use DynDNS.com and make names that end in dyndns-ip.com - I pay for DynDNS as I have a number of names to manage. I'm not sure if DynDNS still offers free accounts.
                Add an entry to Services->Dynamic DNS to monitor WAN and set that hostname…
                Then pfSense will keep that hostname up-to-date as your WAN IP changes.
                When you use OpenVPN Client Export, the dynamic DNS hostname will appear in the dropdown list.

                But I suspect you still have some other problem (unless it is just that your client conf now has an old public IP address in it).

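A way to check which endpoint an exported client profile actually points at, as an added example that is not part of the original thread or of pfSense. It parses the `remote`, `port` and `proto` directives of an OpenVPN client profile and labels each remote as a hostname, a public IP literal (goes stale when the WAN address changes) or an RFC 1918 literal (reachable from the LAN only). The two profiles are constructed samples; the hostname is the illustrative one used earlier in the thread.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_remotes(ovpn_text):
    """Return (host, port, proto) for every `remote` line in a client profile."""
    port, proto, remotes, in_block = "1194", "udp", [], False
    for raw in ovpn_text.splitlines():
        words = raw.split()
        if not words or words[0][0] in "#;":
            continue
        if words[0].startswith("<"):       # inline <ca>/<cert>/<key> material
            in_block = not words[0].startswith("</")
        elif in_block:
            continue
        elif words[0] == "port" and len(words) > 1:
            port = words[1]
        elif words[0] == "proto" and len(words) > 1:
            proto = words[1]
        elif words[0] == "remote" and len(words) > 1:
            remotes.append(words[1:4])
    # `remote host [port] [proto]`: missing fields fall back to port/proto.
    return [(r[0], r[1] if len(r) > 1 else port, r[2] if len(r) > 2 else proto)
            for r in remotes]

def classify(host):
    """hostname, public IP literal, or RFC 1918 literal (LAN-only)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    return "private-ip" if any(addr in net for net in RFC1918) else "ip-literal"

def audit(ovpn_text):
    """One (host, port, proto, kind) tuple per remote the client will try."""
    return [(h, p, pr, classify(h)) for h, p, pr in parse_remotes(ovpn_text)]

# Constructed profiles; 203.0.113.10 is a documentation address.
EXPORTED_BY_IP = """\
client
proto udp
remote 203.0.113.10 1194
<ca>
(constructed placeholder, certificate omitted)
</ca>
"""
EXPORTED_BY_NAME = EXPORTED_BY_IP.replace("203.0.113.10", "myvpnserver.mydynamicdnsprovider.com")
```

The port and protocol the audit reports are the ones the WAN pass rule has to allow.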
                  A Former User

                  @phil.davis:

                  Sign up with a dynamic DNS provider (look in Services->Dynamic DNS, pretend to add one, look in the Service type dropdown for the list of supported ones).
                  Choose a hostname that you like from what they offer. e.g. I use DynDNS.com and make names that end in dyndns-ip.com - I pay for DynDNS as I have a number of names to manage. I'm not sure if DynDNS still offers free accounts.
                  Add an entry to Services->Dynamic DNS to monitor WAN and set that hostname…
                  Then pfSense will keep that hostname up-to-date as your WAN IP changes.
                  When you use OpenVPN Client Export, the dynamic DNS hostname will appear in the dropdown list.

                  But I suspect you still have some other problem (unless it is just that your client conf now has an old public IP address in it).

                  I already have a dynamic DNS provider. I have had one for about 15 years now. I am using it in pfSense and I use it for many other things when I want to remote into my home network when I am not on site.

                  The issue I am having is that the client/profile I exported displays my IP address and I never saw a spot to use/enter my dynamic DNS name.

                  I still think there is another issue, but I am not sure what it could be, as this is the first time I have attempted to set up OpenVPN. Are there any guides you recommend I follow? That way I'd be able to see if I missed a step somewhere.

                  Thanks.

                    phil.davis

                    The issue I am having is that the client/profile I exported displays my IP address and I never saw a spot to use/enter my dynamic DNS name.

                    The dynamic DNS names should be in the "Host Name Resolution" field drop-down list on the Client Export page.

                      A Former User

                      @phil.davis:

                      The issue I am having is that the client/profile I exported displays my IP address and I never saw a spot to use/enter my dynamic DNS name.

                      The dynamic DNS names should be in the "Host Name Resolution" field drop-down list on the Client Export page.

                      Ohhh, I see them there, I just left it at the default option of 'interface IP address'.

                      I switched it to the dynamic DNS host name but it still says waiting for server on the phone app. There must be something in the config it doesn't like or I missed a setting (I did put the new config on my phone).

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.