Netgate Discussion Forum

    I can't use OpenVPN behind my pfsense fw, but behind other fw's.

      chpalmer

      Do you have access to the pfsense box at "work"?  Are you the IT guy for your business?

      Does that box have a public IP address on its WAN interface?  Is it behind another router/firewall device?

      Triggering snowflakes one by one..
      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

        fableman

        Yes, I set up both of them, at my home and at work.

        Yes public IP on both fw's.

        Internet---pfsense---switch---client

        Client got full access from interface to internet.

        Most speed test sites got problems with 1/1Gbit FTTH

          viragomann

          Do you use equal client config files at work and at the other place where it's working?

          Recheck if the settings are the same, especially the setting for port and protocol and all auth-settings. If you use TLS authentication recheck that the TLS-key file behind "tls_auth" is followed by " 1".

          If you use UDP protocol check if your outgoing rule is allowing this.

            fableman

            I use the same laptop with the same client.

            The rule I have is any protocol to any on the pfsense fw at work. (I can do everything)

            But it's like it's ignoring all my UDP traffic.

            I captured the traffic on the pfsense at work, nothing shows up with a destination to my home IP address.

            This is all very strange.

              Guest

              Potential workaround: Let the pfSense do the tunnel for you?

                fableman

                I don't want a permanent tunnel into my home from work :)

                  chpalmer

                  @fableman:

                  I captured the traffic on the pfsense at work, nothing shows up with a destination to my home IP address.

                  That makes me think that the guilty party is the laptop.  Maybe a statically set gateway in the VPN client program?

                    fableman

                    No static gateway, laptop works nicely with anything, just not behind the pfsense with openvpn.

                    openvpn works behind anything else I tested, and I have lots of things to test with..

                    It's like pfsense is blocking the vpn traffic without showing it.

                      Guest

                      Is snort involved on your pfSense? I would wireshark the LAN side, to see what's going on between the laptop and the pfSense box… :)

                        mikeisfly

                        Also are you using DNS? Maybe that is the guilty party, especially if you aren't seeing anything on the other side.

                          fableman

                          @chemlud:

                          Is snort involved on your pfSense? I would wireshark the LAN side, to see what's going on between the laptop and the pfSense box… :)

                          You got me on the right track, thanks.

                          No, I don't have snort on the fw... but...

                          I had a D-Link switch called DGS-1210-16 with a Security option enabled.

                          The switch itself can protect from:

                          Land Attack
                          Blat Attack
                          TCP Null Scan
                          TCP Xmascan
                          TCP SYNFIN
                          TCP SYN Src Port Less 1024
                          Ping Death Attack
                          TCP Tiny Frag Attack

                          And the problem was the Blat Attack rule, if I disabled it on the switch then the OpenVPN connection worked perfectly.

                          Thanks to all that tried to help.
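
How a filter of this kind can catch OpenVPN, as an added example that is not part of the thread: a "Blat" filter on managed switches drops TCP/UDP packets whose source port equals the destination port, and an OpenVPN UDP client binds to local port 1194 by default unless `nobind` (or a different `lport`) is set. The function name `blat_exposure` and the sample configs are constructed, and the option handling is a simplified model of OpenVPN's; it reports whether a client config would send such packets.

```python
# Added example: models how an OpenVPN client config picks its ports.
DEFAULT_PORT = 1194  # OpenVPN default for both local and remote port

def blat_exposure(config_text):
    """Return (src_port, dst_port, matches_filter) for a client config.

    src_port is None when the OS picks an ephemeral source port.
    Simplified model: only the first `remote` line is used and
    <connection> blocks are not handled.
    """
    lport = rport = DEFAULT_PORT
    remote_port = None
    proto = "udp"
    nobind = explicit_bind = seen_remote = False
    for raw in config_text.splitlines():
        # '#' and ';' both start a comment in OpenVPN configs
        words = raw.split("#", 1)[0].split(";", 1)[0].split()
        if not words:
            continue
        key, args = words[0], words[1:]
        if key == "port" and args:
            lport = rport = int(args[0])
        elif key == "lport" and args:
            lport, explicit_bind = int(args[0]), True
        elif key == "rport" and args:
            rport = int(args[0])
        elif key == "proto" and args:
            proto = args[0]
        elif key == "bind":
            explicit_bind = True
        elif key == "nobind":
            nobind = True
        elif key == "remote" and args and not seen_remote:
            seen_remote = True
            if len(args) > 1:
                remote_port = int(args[1])
            if len(args) > 2:
                proto = args[2]
    dst = remote_port if remote_port is not None else rport
    # UDP clients bind lport unless told not to; TCP clients bind only on request
    binds = not nobind and (explicit_bind or not proto.startswith("tcp"))
    src = lport if binds else None
    return src, dst, src is not None and src == dst

# Constructed sample configs (vpn.example.net is a placeholder)
BOUND = "client\ndev tun\nproto udp\nremote vpn.example.net 1194\n"
UNBOUND = BOUND + "nobind\n"

if __name__ == "__main__":
    for name, cfg in (("bound", BOUND), ("nobind", UNBOUND)):
        print(name, blat_exposure(cfg))
```

If the switch filter has to stay enabled, adding `nobind` to the client config gives the client an ephemeral source port, so its packets no longer have equal source and destination ports.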
