Netgate Discussion Forum
How to get (strong)VPN through firewall? (I will pay for remote help (100 $))

Firewalling
    21 Posts 4 Posters 3.4k Views
• Transcend

I have read several posts about this topic.

      http://www.ibvpn.com/billing/knowledgebase/63/OpenVPN-setup-on-pfSense-firewall.html

      https://forum.pfsense.org/index.php?topic=29944.0

      https://forum.pfsense.org/index.php?topic=76015.0

      http://www.reddit.com/r/PFSENSE/comments/1zqiwr/how_do_i_route_some_traffic_through_a_vpn/

      http://swimminginthought.com/pfsense-routing-traffic-strongvpn-openvpn/

      Step 10:

navigate to the system dropdown menus Status --> System Logs, and click on the OpenVPN tab.
if the last thing you see in this log is "Initialization Sequence Completed" you are connected to StrongVPN; but, you are not done yet, as none of your traffic is traversing this line.

This I achieved. I am able to set up the VPN connection. The VPN connection gets an IP address. But I am not able to get any traffic through it.

I need some help. Or perhaps there is a new tutorial I have not yet found. Thanks in advance.

• phil.davis

The last reference of yours http://swimminginthought.com/pfsense-routing-traffic-strongvpn-openvpn/ has some reasonable stuff from its step 10.
"go to Interface --> Assign and hit the "+" sign and you'll add a new interface (probably called OPT1 with a pull down box next to it. Select the OpenVPN connection." - that makes an interface that heads down the OpenVPN link.
Step 11, rename the interface for convenience.
Step 12 - changing to Manual Outbound NAT - should not be required, the system should automatically generate the outbound NAT rules for an interface like this (I think there was an old bug in the Automatic NAT rule generation, but that is fixed in current releases, e.g. 2.1.5)
Step 13 - edit the rule on LAN (or make new rule/s on LAN) specifying traffic to match and push down the OpenVPN link - good stuff

Now go to the WAN Tab and create the same rule. (Weird, while it doesn't make sense, if this rule is missing, it didn't work for me.)

Don't do that - no need for opening up random stuff on WAN!
Step 14 and 15 - putting pass all rules on StrongVPN and OpenVPN tabs - again you should not need this if all your connections are outbound from LAN devices. The stateful firewall will allow the reply packets back in already. It would only be if you are port-forwarding in to a web server or something like that that you need to open some specific things there.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

• Transcend

Thank you very much for your reply. I will let you know how it works out.

• Transcend

If I read your pointers correctly I only have to add the firewall rule in the LAN section and add the interface.

I did this. In the main screen I get my VPN interface with a green arrow and an IP address. But I have no more internet access.

My rule looks exactly like this:

http://swimminginthought.com/pfsense-routing-traffic-strongvpn-openvpn/

Is there anything I should have done extra or have not read correctly in your post? Thanks for your effort.

• phil.davis

              Maybe you do need something in Manual Outbound NAT - turn that on and see if it shows some rules for the OpenVPN interface.
              From your loss of internet, it sounds like LAN packets are going somewhere other than WAN (hopefully down OpenVPN tunnel!).
              One reason they would get no reply is if NAT was not happening on the way out (the public server/s you are accessing would receive connects with a source IP being still your private LAN IP, so they cannot deliver the reply back).

• Transcend

I see no rules for the OpenVPN. Could you tell me what rules I should apply or copy from the tutorial?

• phil.davis

                  You should not need rules on OpenVPN. Your connections are originating on LAN, once they start from LAN, the state will allow reply packets to pass back in on OpenVPN.

• Transcend

These are my settings; it is not yet working out. Does anyone see what is wrong with them?

[attachment: natrules.PNG]

• charliem

                      Can you post a screenshot of your LAN firewall rules and StrongVPN rules?

                      @phil.davis:

                      You should not need rules on OpenVPN. Your connections are originating on LAN, once they start from LAN, the state will allow reply packets to pass back in on OpenVPN.

I found that I did need to add a pass rule for traffic arriving on the strongvpn interface (well, PIA vpn, in my case). While your explanation about why it shouldn't be needed sounds reasonable, I assumed it was related to UDP being stateless. Remember what Yogi said about theory and practice...

• Transcend

Thanks for your reply, I will post info in a few hours.

• Transcend

I hope this is enough info to tackle the problem. Thanks in advance.

[attachment: LAN.PNG]
[attachment: NAT Outbound.PNG]
[attachment: StrongVPNint.PNG]

• charliem

You need to move your last LAN rule up to the top. Rules are matched from the top down, and the first rule that matches is the only one carried out (see the 'hint' at the bottom of the page). So right now your "Default LAN to any" rule is seen first and packets go out by the default GW from the routing table; nothing gets down to your strongvpn rule to be sent out by the strongvpn gateway.

                            Note if you only want some of your LAN clients to pass through the VPN, you can make an alias such as 'strongVPN_clients', and enter their IPs.  Then use that alias for the source in your vpn pass rule.

[attachment: Capture.PNG]

• Transcend
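The first-match behaviour charliem describes, and the alias trick from the same post, modelled as an added example (not code from the thread or from pfSense). The alias name `strongVPN_clients` is charliem's; the gateway name `STRONGVPN_VPNV4`, the rule descriptions and the client addresses are constructed for the illustration.

```python
"""Model of top-down, first-match rule evaluation on a pfSense LAN tab.

Added example: shows why a catch-all "Default LAN to any" rule placed
above a policy-routing rule shadows it, and how moving the VPN rule to
the top (or restricting it to an alias) changes the gateway chosen.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed alias table (Firewall > Aliases in the GUI). Entries may be
# single hosts or networks, as pfSense aliases allow.
ALIASES = {
    "strongVPN_clients": ["192.168.1.50", "192.168.1.51"],
}


@dataclass
class Rule:
    description: str
    source: str              # "any", a CIDR/host, or an alias name
    gateway: Optional[str]   # None = default gateway from routing table


def _in_entry(entry: str, src: str) -> bool:
    """True if src falls inside a host or CIDR entry."""
    return ip_address(src) in ip_network(entry, strict=False)


def source_matches(rule_source: str, src: str) -> bool:
    """Evaluate the rule's source field against a packet's source IP."""
    if rule_source == "any":
        return True
    if rule_source in ALIASES:
        return any(_in_entry(e, src) for e in ALIASES[rule_source])
    return _in_entry(rule_source, src)


def pick_gateway(rules: List[Rule], src: str) -> Optional[str]:
    """Walk rules top-down; the first matching rule decides the gateway.

    Returns "default" for a rule with no gateway set, the gateway name for
    a policy-routing rule, or None when nothing matches (implicit deny).
    """
    for rule in rules:
        if source_matches(rule.source, src):
            return rule.gateway or "default"
    return None


# Constructed rules mirroring the two the thread discusses.
VPN_RULE = Rule("LAN to StrongVPN", "strongVPN_clients", "STRONGVPN_VPNV4")
DEFAULT_RULE = Rule("Default LAN to any", "any", None)


def gateway_as_posted(src: str = "192.168.1.50") -> Optional[str]:
    """Order from the poster's screenshot: default rule above VPN rule."""
    return pick_gateway([DEFAULT_RULE, VPN_RULE], src)


def gateway_after_fix(src: str = "192.168.1.50") -> Optional[str]:
    """Order charliem recommends: VPN rule moved to the top."""
    return pick_gateway([VPN_RULE, DEFAULT_RULE], src)


if __name__ == "__main__":
    print("as posted   :", gateway_as_posted())            # default
    print("after fix   :", gateway_after_fix())            # STRONGVPN_VPNV4
    print("non-VPN host:", gateway_after_fix("192.168.1.99"))  # default
```

With the VPN rule on top, hosts in the alias are policy-routed down the tunnel and every other LAN host still leaves via the default gateway, which is exactly the split charliem suggests for sending only some clients through the VPN.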

Thanks, I am most definitely going to follow your advice. I will let you know how it works out.

• Transcend

Even if I put the LAN rule first I cannot connect to web pages. All connections are up and have an IP address.

• charliem

Sorry, no idea. Is there nothing suspicious in the logs?

• Transcend

There probably is. But my knowledge is limited...

• Transcend

Perhaps there is someone who wants to take a look at it remotely; message me. Of course I will pay you for the effort. Somebody with skills should be able to make this work in 20 min or so.

I will pay you via PayPal, Bitcoin, whatever you want. I really want to have this problem solved.

• muswellhillbilly

                                        This is probably an obvious question, but have you set the routing between your two LANs correctly? Your VPN connection could be up but if your hosts at either end don't know which way to route traffic to one another then you won't be able to communicate between the two points.

As a test, try pinging a host at one end of the VPN tunnel from a host at the other end. If they don't ping, try adding a route to each host to point back to each other's networks. For instance, if you have a network at site A with address range 192.168.1.0/24 and a network at site B with address range 10.10.1.0/24, with your pfsense firewalls at either end having addresses 192.168.1.1 and 10.10.1.1 respectively, you'll need to type something like 'route add -net 10.10.1.0/24 gw 192.168.1.1 metric 1' at the host in the 192.168.1.0 network, and 'route add -net 192.168.1.0/24 gw 10.10.1.1 metric 1' at the host in the 10.10.1.0 network.

                                        Re-run the ping test if it failed the first time and see if that solves the issue.

• Transcend

I am just a client trying to connect to StrongVPN. I am not connecting 2 LANs.

Sorry if I understood you completely wrong.

• muswellhillbilly

                                            Apologies - I should have read the previous posts more closely.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.