Netgate Discussion Forum

    OpenVPN Server behind PFSense (ping is possible, web access not)

    Category: NAT | 12 Posts, 6 Posters, 7.9k Views
    • christophdb

      Hi everybody,

      I am totally frustrated. I want to use an OpenVPN server behind the pfSense and I think there is only one action missing before it works, but I cannot solve the problem. I hope you can show me the missing piece of the puzzle.

      My Setup:

      • mobile clients (e.g. Ubuntu notebook or iPhone) --> Internet --> pfSense --> Ubuntu (VPN server) AND local network

      • local network is 192.168.0.5

      • on the pfSense I also use the OpenVPN server and it is working perfectly. But I also want to use the VPN server behind the pfSense

      • OpenVPN from pfSense: 10.8.0.0, access via port 33334

      • OpenVPN from Ubuntu server: 10.8.8.0, access via port 1194

      Here are the settings:
      client.ovpn (from the ubuntu client)

      client
      dev tun
      proto udp
      remote 37.148.xx.xx (anonymized)
      port 1194
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      verb 3
      comp-lzo
      
      inline ca...
      inline key...
      inline cert...
      
      

      server.conf - from the ubuntu openvpn server

      
      dev tun
      proto udp
      port 1194
      ca /etc/openvpn/easy-rsa/keys/ca.crt
      cert /etc/openvpn/easy-rsa/keys/ionas-server.crt
      key /etc/openvpn/easy-rsa/keys/ionas-server.key
      dh /etc/openvpn/easy-rsa/keys/dh1024.pem
      user nobody
      group nogroup
      server 10.8.8.0 255.255.255.0
      persist-key
      persist-tun
      status /var/log/openvpn-status.log
      verb 4
      client-to-client
      push "route 192.168.5.0 255.255.255.0"
      log-append /var/log/openvpn
      comp-lzo
      keepalive 10 120
      client-config-dir /media/disk/openvpn/user-configs
      ccd-exclusive
      
      

      on the PFsense I did the following:

      1. I created a port forward from port 1194 to the LAN address of the OpenVPN server: 192.168.5.43
      2. a rule was automatically created on the WAN interface:
        IPv4 TCP/UDP * * 192.168.5.43 1194 (OpenVPN) * none   NAT allow wlan

      The situation now:
      I can connect via OpenVPN to the OpenVPN server behind the pfSense. The output is:

      
      Sat Aug  1 10:56:38 2015 ROUTE_GATEWAY 192.168.7.1/255.255.255.0 IFACE=wlan0 HWADDR=00:24:d7:9f:99:bc
      Sat Aug  1 10:56:38 2015 TUN/TAP device tun0 opened
      Sat Aug  1 10:56:38 2015 TUN/TAP TX queue length set to 100
      Sat Aug  1 10:56:38 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
      Sat Aug  1 10:56:38 2015 /sbin/ip link set dev tun0 up mtu 1500
      Sat Aug  1 10:56:38 2015 /sbin/ip addr add dev tun0 local 10.8.8.10 peer 10.8.8.9
      Sat Aug  1 10:56:38 2015 /sbin/ip route add 192.168.5.0/24 via 10.8.8.9
      Sat Aug  1 10:56:38 2015 /sbin/ip route add 10.8.8.0/24 via 10.8.8.9
      Sat Aug  1 10:56:38 2015 Initialization Sequence Completed
      
      

      route -n on the client shows:

      
      0.0.0.0         192.168.7.1     0.0.0.0         UG    0      0        0 wlan0
      10.8.8.0        10.8.8.9        255.255.255.0   UG    0      0        0 tun0
      10.8.8.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
      192.168.5.0     10.8.8.9        255.255.255.0   UG    0      0        0 tun0
      192.168.7.0     0.0.0.0         255.255.255.0   U     9      0        0 wlan0
      
      

      Hint: 192.168.7.1 is the network at home. 192.168.5.0 is the local network I want to connect to.

      It is strange that I can ping all devices in the network:

      • ping 192.168.5.1, ping 192.168.5.43, ping 192.168.5.10 are all possible.
      • but as soon as I try to access e.g. the web server on 192.168.5.43 there is a network timeout.
      • I cannot find anything in the firewall logs.

      Now my question is what can I do?

      • I have the feeling that the packets do not find their way back. So do I have to define a gateway? Is 192.168.5.43 the gateway, or the WAN interface?
      • is there a missing firewall rule?
      • do I need a static rule?
      • is the setting in Advanced -> Network -> Bypass interface ... relevant?

      Thanks for your help.
      Best regards
      Christoph

      PC-Service per Fernwartung an 365 Tagen im Jahr.

      • phil.davis

        "local Network is 192.168.0.5"

        I guess you really mean 192.168.5.0/24

        Devices in 192.168.5.0/24 probably have their default gateway set to pfSense LAN IP (192.168.5.1 ?)
        In that case, when they try to reply to the client on the OpenVPN Ubuntu box they will send the reply packet to the pfSense LAN IP. pfSense will not have a state for it and so will drop it. You will have asymmetric routing. There is an advanced option that helps with that (can't remember the name off the top of my head), for out-of-state stuff. But you would also need to add a route on pfSense that says 10.8.8.0/24 is reached by going to 192.168.5.43.

        Or on each of the devices you wish to reach from the 10.8.8.0/24 tunnel, add a route to the device so it knows to use 192.168.5.43 for traffic to 10.8.8.0/24

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        • christophdb

          Hi phil.davis,

          thanks for your response. The button is called "Bypass firewall rules for traffic on the same interface" and can be found under System -> Advanced -> Network. But unfortunately this is not working.

          I just want to summarize what you wrote:

          • I have a notebook with the local IP 192.168.7.200. It also has a public IP 91.xx.xx.xx.
          • it connects to the public IP of the pfSense, 37.148.xx.xx, on port 1194.
          • pfSense has a port forwarding rule for port 1194 and passes the request to the IP 192.168.5.43
          • an OpenVPN server is listening on IP 192.168.5.43
          • the connection is authorized and the VPN tunnel is created
          • the client receives the IP 10.8.8.9 for the tunnel and receives the route 192.168.5.0 255.255.255.0
          • so the client sends all requests for e.g. 192.168.5.43 or 192.168.5.1 to tun0.
          • the OpenVPN server receives the requests on 10.8.8.1 and passes them on, e.g. to 192.168.5.43.
          • 192.168.5.43 receives the HTTPS request and answers with the content of the web page.

          – now i struggle a little bit.

          • shouldn't the answer go back to the origin? That means 192.168.5.43 replies to 10.8.8.1 and 10.8.8.1 replies to 10.8.8.9?
          • of course 192.168.5.43 receives via DHCP from the pfSense that the default gateway is 192.168.5.1
          • by the way, the routing table on the OpenVPN server as soon as there is a connection is:
          
          Ziel            Router          Genmask         Flags Metric Ref    Use Iface
          0.0.0.0         192.168.5.1     0.0.0.0         UG    0      0        0 eth0
          10.8.8.0        10.8.8.2        255.255.255.0   UG    0      0        0 tun0
          10.8.8.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
          192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
          
          

          – I tried the following:

          • I created a gateway in the pfSense with name: openvpnbehindpfsense, interface: LAN, gateway: 192.168.5.43
          • and I created a rule on the LAN that says destination 10.8.8.0/24 has to use this gateway:
            IPv4 TCP/UDP * * 10.8.8.0/24 * openvpnbehindpfsense none 
            but this does not solve the problem.

          -- I have another point:

          • we have two WANs in our office. One with a static IP that is used for the OpenVPN access and one with a dynamic IP. Could that be the problem, that the replies are sent to the second WAN and not the first one?

          Thanks for your help.
          Best regards
          Christoph

          • Derelict (LAYER 8, Netgate)

            Perhaps you need to bypass policy routing for the VPN traffic.

            https://doc.pfsense.org/index.php/What_is_policy_routing

            https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • Derelict (LAYER 8, Netgate)

              • I created a gateway in the pfsense with name: openvpnbehindpfsense      interface: LAN      gateway: 192.168.5.43
              • and I created a rule on the lan that destination 10.8.8.0/24 has to use this gateway.
                IPv4 TCP/UDP    *    *    10.8.8.0/24    *    openvpnbehindpfsense    none
                but this does not solve the problem.

              No.  That rule on LAN won't do it.

              https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

              https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

              You want to delete that and go to System > Routing and create a route for 10.8.8.0/24 to gateway openvpnbehindpfsense.

              • Derelict (LAYER 8, Netgate)

                I see now.  A diagram would have made it instantly obvious.  :P

                The way you have it designed you either need to have a route in all your clients on 192.168.5.0/24 that tells them to reach 10.8.8.0/24 via 192.168.5.43 - probably not practical.

                Or you have to hairpin traffic into pfSense (the 192.168.5.0/24 default gateway) and back out the same interface - which is unsound design. As you're finding out, problems happen.

                A better way would be to put the Linux OpenVPN server on another subnet/pfSense interface. Then all the routing would be done by one router and you wouldn't be stuck trying to make an unsound design work.

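The asymmetric-routing failure phil.davis describes, and the three remedies Derelict lists (a route on every LAN host, a hairpin through pfSense with a static route plus the same-interface bypass, or moving the VPN host to its own pfSense interface), can be walked through in a small forwarding model. The following Python is an added example, not code from the thread or from pfSense: it models each box with a routing table, gives pfSense pf-style state tracking, and sends a TCP SYN from a VPN client to a LAN web host followed by the SYN-ACK back. Addresses come from the thread where available; the LAN web host 192.168.5.10 is one of the hosts the poster pinged, the WAN addresses 203.0.113.x are constructed, and the OpenVPN net30 peer addresses are collapsed onto the server's tun0 address (10.8.8.1) for simplicity.

```python
"""Toy model of the asymmetric-routing problem in this thread (constructed, not the poster's setup).

Topology (addresses from the thread except where marked constructed):
  client 10.8.8.10 --tun-- vpn-server 192.168.5.43 --LAN-- web 192.168.5.10
                                          |
                                pfSense LAN 192.168.5.1 / WAN 203.0.113.2 (constructed)
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: str       # "0.0.0.0/0" is the default route
    via: str          # next-hop IP, or None when the prefix is directly connected
    iface: str


@dataclass
class Node:
    name: str
    addrs: dict       # interface name -> IP address
    routes: list
    stateful: bool = False           # pf-style stateful filtering (pfSense)
    bypass_same_iface: bool = False  # System > Advanced: bypass rules for same-interface traffic
    states: set = field(default_factory=set)

    def owns(self, ip):
        return ip in self.addrs.values()

    def iface_for(self, ip):
        return next(i for i, a in self.addrs.items() if a == ip)

    def lookup(self, dst):
        """Longest-prefix match over this node's routing table."""
        d = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if d in ipaddress.ip_network(r.prefix)]
        return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)


def forward(nodes, start, src, dst, flags):
    """Walk one packet hop by hop and return (path, verdict)."""
    node, in_iface, path = start, None, [start.name]
    for _ in range(10):  # hop limit
        if node.owns(dst):
            return path, "delivered"
        route = node.lookup(dst)
        if route is None:
            return path, f"no route at {node.name}"
        if node.stateful and in_iface is not None:
            key = (src, dst)
            if in_iface == route.iface and node.bypass_same_iface:
                pass                                  # hairpin passed without a state
            elif key in node.states or key[::-1] in node.states:
                pass                                  # matches an existing state
            elif flags == "SYN":
                node.states.add(key)                  # new flow: rule match creates a state
            else:
                return path, f"dropped at {node.name}: no state for {src}->{dst}"
        nh = route.via or dst
        nxt = next((n for n in nodes if n.owns(nh)), None)
        if nxt is None:
            return path, f"lost: {node.name} sent it via {nh} out {route.iface}"
        node, in_iface = nxt, nxt.iface_for(nh)
        path.append(node.name)
    return path, "hop limit exceeded"


def build(fixes):
    """Build the topology; `fixes` selects which of the thread's remedies to apply."""
    separate = "separate-subnet" in fixes           # Derelict: VPN host on its own pfSense interface
    vpn_lan, vpn_net, vpn_gw = (("192.168.6.2", "192.168.6.0/24", "192.168.6.1") if separate
                                else ("192.168.5.43", "192.168.5.0/24", "192.168.5.1"))
    client = Node("client", {"tun0": "10.8.8.10"},
                  [Route("10.8.8.0/24", "10.8.8.1", "tun0"),        # net30 peer collapsed to server tun0
                   Route("192.168.5.0/24", "10.8.8.1", "tun0")])    # route pushed by the server
    vpn = Node("vpn-server", {"tun0": "10.8.8.1", "eth0": vpn_lan},
               [Route("10.8.8.0/24", None, "tun0"), Route(vpn_net, None, "eth0"),
                Route("0.0.0.0/0", vpn_gw, "eth0")])
    web_routes = [Route("192.168.5.0/24", None, "eth0"), Route("0.0.0.0/0", "192.168.5.1", "eth0")]
    if "host-route" in fixes:                       # phil.davis/Derelict: a route on every LAN host
        web_routes.append(Route("10.8.8.0/24", "192.168.5.43", "eth0"))
    web = Node("web", {"eth0": "192.168.5.10"}, web_routes)
    pf_addrs = {"LAN": "192.168.5.1", "WAN": "203.0.113.2"}
    pf_routes = [Route("192.168.5.0/24", None, "LAN"), Route("0.0.0.0/0", "203.0.113.1", "WAN")]
    if separate:
        pf_addrs["OPT1"] = "192.168.6.1"
        pf_routes += [Route("192.168.6.0/24", None, "OPT1"), Route("10.8.8.0/24", "192.168.6.2", "OPT1")]
    elif "static-route" in fixes:                   # System > Routing: 10.8.8.0/24 via 192.168.5.43
        pf_routes.append(Route("10.8.8.0/24", "192.168.5.43", "LAN"))
    pf = Node("pfSense", pf_addrs, pf_routes, stateful=True, bypass_same_iface="bypass" in fixes)
    return [client, vpn, web, pf]


def simulate(fixes=frozenset()):
    """Send a TCP SYN from the VPN client to the web host and the SYN-ACK back; return both results."""
    nodes = build(fixes)
    client, web = nodes[0], nodes[2]
    request = forward(nodes, client, "10.8.8.10", "192.168.5.10", "SYN")
    reply = forward(nodes, web, "192.168.5.10", "10.8.8.10", "SYN-ACK")
    return request, reply


if __name__ == "__main__":
    for fixes in ([], ["static-route"], ["static-route", "bypass"], ["host-route"], ["separate-subnet"]):
        req, rep = simulate(set(fixes))
        print(f"{' + '.join(fixes) or 'no fix':28} request: {req[1]:<10} "
              f"reply: {' -> '.join(rep[0])}: {rep[1]}")
```

Running it shows why pings and the HTTP request itself can look fine while the TCP reply never arrives: without any fix the SYN reaches the web host via the tunnel, but the SYN-ACK follows the host's default route into pfSense, which has never seen the flow and drops it. A static route alone only changes the drop reason; the hairpin works only with the same-interface bypass as well, and the per-host route and the separate-subnet design both deliver the reply, the latter with pfSense seeing both directions and keeping a proper state.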
                • christophdb

                  Hi Derelict,

                  thanks for your answer. I think you already told me how to achieve the goal, but I don't know how. Can you help me in more detail?

                  1. I made a diagram of my setup. You find it at: https://www.ionas.com/external/openvpn_behind_pfsense.png

                  2. I think its own interface for the OpenVPN server behind the pfSense is the best way. So I tried to assign a new interface. I created a VLAN 666 because vr0 (that is my LAN) cannot be chosen. Is it correct that I have to use a VLAN?
                    I took: static IPv4, and the IPv4 address is 10.8.8.1
                    the IPv4 upstream gateway is my previously created gateway 10.8.8.1

                  3. I created a firewall rule for the new interface. It allows everything and as gateway I took the gateway 10.8.8.1

                  Is that correct? Can you tell me how you would do it?

                  Best regards
                  Christoph

                  • christophdb

                    Hi everybody,

                    I tried again last night to put the OpenVPN connection to a server in the LAN on its own interface. I didn't reach my goal.
                    Can anybody tell me how to do it?

                    My main problem is to decide which "network port" I have to select on the page "Assign Interfaces". Do I have to choose vr0 (which is my LAN) or do I have to create a VLAN?
                    Thanks in advance for any hint.

                    Best regards
                    Christoph

                    • christophdb

                      Hi everybody,

                      I am still struggling with an OpenVPN server behind pfSense. Can anybody give me a hint what to do?
                      Derelict writes that it would be best to assign its own interface to the server. I tried to do this, but what network port do I have to use for this new interface? I have no more real LAN ports, and a virtual one has to be assigned to vr0 = LAN or vr2 = DSL line or something virtual…

                      I am looking forward to your help.
                      Best regards
                      Christoph

                      • johnpoz (LAYER 8, Global Moderator)

                        Running a vpn server inside the network is at best a problematic setup.  Why not just run openvpn on pfsense itself?

                        You run into routing problems when the VPN tunnel endpoint is just some IP in the LAN network. As mentioned already, you either need routes on all the hosts your VPN clients would want to talk to, and/or you would have to hairpin a connection off pfSense, which is the gateway for your LAN machines off that network.

                        What is your reasoning for running the VPN server behind pfSense and not on pfSense? You're really just making something that is clickity clickity to get up and running into a configuration mess.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        • KOM

                          I use OpenVPN on pfSense for all my remote connections.  Works like a charm and easy to configure.

                          • beaukey

                            "Running a vpn server inside the network is at best a problematic setup."

                            OpenVPN servers behind firewalls can work with a port forwarding and a static route so there is no rocket science involved.

                            One scenario (that requires OpenVPN server(s) BEHIND pfSense) is when there are multiple OpenVPN servers behind the firewall/pfSense. E.g. for penetration/version or testing and/or high availability.

                            It would really help me (and Christoph) if there is some pfSense configuration/setting available that supports this configuration.

                            Thanks, regards,

                            Beau
