NAT help for VPN tunnel to VPS
-
On our VPS server,
eth0 The public WAN IP
tun0 inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
Here is the OpenVPN server's config:
/etc/openvpn$ cat server.conf
port 5060
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
duplicate-cn
keepalive 10 120
auth none
cipher BF-CBC # Blowfish (default)
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
mute 20
The part that's confusing me the most is that I'm the only one with issues.
-
So things are a little clearer to me now (I think).
You don't have separate LAN and Tunnel subnets in this case as the VPS is hosting both the Samba shares and the OpenVPN server on the same box.
It's not a setup I've had to configure myself but I would add the OpenVPN tunnel subnet to your pfSense client:
Add 10.8.0.0/24 to the "IPv4 Tunnel Network" config box.
I'm thinking that this will create a "Route command" within pfSense that can be given to the devices on your LAN so they can find your Samba server.
-
Correct, everything is hosted on the same server.
I've added the route (OpenVPN creates the route for 10.8.0.1/32 automatically).
The strange issue that persists is the intermittent ping/availability of the samba share. I can try to ping 10.8.0.1 a few times in a row and sometimes it will work and other times it won't. When it does work, I can leave that ping command going for a long time (I stopped it after 10 minutes) and it works the whole time, yet if I retry right after stopping a working ping, it won't necessarily work again a few seconds later.
I have this rule under Firewall: Rules, OpenVPN tab AND the first image showing the NAT rule.
Proto Source Port Destination Port Gateway Queue Schedule Description
IPv4 * * * * * * none OpenVPN OpenVPN wizard
Also, according to the OpenVPN logs and the Uptime indicated on the OpenVPN Status page, the OpenVPN tunnel is always up even when the ping command or the samba shares are temporarily not working.
-
remove the nat
-
Does OpenVPN automatically do the NAT'ing in the background?
Without the NAT rule, the pfsense box can talk to 10.8.0.1 on the VPS server, however the server won't know how to reply to all the other devices on my 192.168.1.0/24 home network.
Please correct me if I'm wrong here, but my understanding of the NAT is that it allows the 192.168.1.0/24 network to go out under whatever 10.8.0.X IP the OpenVPN server gives me, so the OpenVPN server thinks it's only talking to a 10.8.0.X IP and has no idea how to reach my internal 192.168.1.0/24 network.
-
You mentioned:
I'm the only person having issues, everyone else is using the tomato firmware on their routers
How many people are connecting simultaneously?
Any chance one (or more) of them has a LAN with a 192.168.1.0/24 subnet?
If two or more people connect via OpenVPN with the same external subnets, how does your VPS know which connection to use when routing a response to (for example) "192.168.1.12"?
It may be some work on your side, but can you try and change your LAN subnet to something other than 192.168.1.0/24 (say, 192.168.101.0/24)?
Normally OpenVPN setups are pretty simple and reliable, the fact that you're getting intermittent traffic makes me suspicious there's a fundamental conflict going on.
-
We are 4 people connected simultaneously.
I've talked to two other people and we do have the same LAN with a 192.168.1.0/24 subnet.
The VPS doesn't know about any of our LAN networks. When we connect through OpenVPN, we are each assigned a separate 10.8.0.X IP. For example, I currently have 10.8.0.14.
I have been running the same pfsense server for a few years now, always just doing upgrades, and I've tried out a few configs in the past. I'm starting to wonder if there may be some NATing options that should be checked/unchecked from the Advanced Settings menu option within PfSense. I'm going to set up a few installs of PfSense in a VM and compare with my current settings. I'm strongly leaning towards a NAT issue only because any test I do straight from the PfSense box always works, but it always has its own 10.8.0.X IP and doesn't need any NATing.
-
Does OpenVPN automatically do the NAT'ing in the background?
It does, once you assign an interface to the OpenVPN instance (interface type = none).
-
Just to do a quick recap, I'm not trying to access the Internet through the VPN on the VPS server. We have a VPS server running OpenVPN server and I want to have access to that samba shares hosted on that same server.
I've configured as I think heper meant. I don't see any automatically created NAT rules in the GUI though.
My pfsense machine can still ping the VPS at 10.8.0.1, however none of my other machines can, as shown in the picture. I tried to provide as much information as I thought would be useful.
-
Everything is now working, thank you very much divsys and heper for all the pointers.
For those looking for a similar setup, here's what I needed to do.
I needed to assign the OpenVPN client connection to an interface, ex: OPT1, and set the Interface Type to none.
Under Firewall: Rules -> OPT1 tab, add the appropriate rule, ex: pass all traffic.
Under Firewall: NAT -> Outbound tab, select the interface used for the OpenVPN connection (ex: OPT1) and add the destination network (ex: 10.8.0.0/24)
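To make the reasoning in this thread concrete, below is an added Python model of the reply path (example code written for this page, not configuration or code from the thread participants, pfSense or OpenVPN). It models the VPS routing table as the posts describe it (a default route on eth0, the 10.8.0.0/24 pool on tun0, no knowledge of any client LAN), applies pfSense-style outbound NAT on the OpenVPN interface, and shows why a LAN host's request only gets a reply once its source is translated to the pfSense tunnel address. The LAN host 192.168.1.12, the second peer address 10.8.0.6 and the interface labels are constructed values; 10.8.0.14 is the tunnel address the OP reported. It also carries divsys's point one step further: a function shows what a routing lookup would do if the VPS had learned the same 192.168.1.0/24 from two clients, a hypothetical the thread raises but does not confirm.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology modelled on the thread (example code, not part of the post):
#   VPS:     eth0 = public WAN, tun0 = 10.8.0.1, OpenVPN pool 10.8.0.0/24
#   pfSense: LAN 192.168.1.0/24, tunnel address 10.8.0.14 (the address the OP reported)
LAN_HOST = "192.168.1.12"      # a workstation behind pfSense (constructed)
PFSENSE_TUN_IP = "10.8.0.14"
VPS_TUN_IP = "10.8.0.1"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# The VPS kernel routing table as the thread describes it: it knows the
# tunnel pool and has a default route, but nothing about any client's LAN.
VPS_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),
    (ipaddress.ip_network("10.8.0.0/24"), "tun0"),
]


def lookup_route(routes, dst):
    """Longest-prefix match over (network, interface) pairs, like a kernel does.
    Returns the chosen interface, or None when no route matches or several
    equally specific routes match (an ambiguous table)."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, iface) for net, iface in routes if addr in net]
    if not matches:
        return None
    best_len = max(net.prefixlen for net, _ in matches)
    best = [iface for net, iface in matches if net.prefixlen == best_len]
    return best[0] if len(best) == 1 else None


def pfsense_outbound_nat(pkt, nat_rules):
    """pfSense-style outbound NAT: rules are (source_net, dest_net, translate_to).
    The first matching rule rewrites the source address; with no match the
    packet passes unchanged (the OP's 'without the NAT rule' case)."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for src_net, dst_net, translate_to in nat_rules:
        if src in src_net and dst in dst_net:
            return replace(pkt, src=translate_to)
    return pkt


def reply_interface(request, nat_rules):
    """Interface the VPS picks for its reply to a request from the pfSense side.
    'tun0' means the reply comes back through the tunnel; 'eth0' means it
    follows the default route out the WAN side and never reaches the LAN."""
    on_wire = pfsense_outbound_nat(request, nat_rules)
    reply = Packet(src=on_wire.dst, dst=on_wire.src)
    return lookup_route(VPS_ROUTES, reply.dst)


# The final post's fix: outbound NAT on the OpenVPN interface (OPT1) for
# traffic destined to 10.8.0.0/24, translated to pfSense's own tunnel address.
OPT1_OUTBOUND_NAT = [
    (ipaddress.ip_network("192.168.1.0/24"),
     ipaddress.ip_network("10.8.0.0/24"),
     PFSENSE_TUN_IP),
]


def two_clients_with_same_lan():
    """Hypothetical from divsys's post: if the VPS *did* learn client LANs and two
    clients both had 192.168.1.0/24, the table would hold two equally specific
    routes and the reply destination would be ambiguous. Peer 10.8.0.6 is constructed."""
    routes = VPS_ROUTES + [
        (ipaddress.ip_network("192.168.1.0/24"), "tun0 peer 10.8.0.14"),
        (ipaddress.ip_network("192.168.1.0/24"), "tun0 peer 10.8.0.6"),
    ]
    return lookup_route(routes, LAN_HOST)


if __name__ == "__main__":
    req = Packet(src=LAN_HOST, dst=VPS_TUN_IP)
    print("LAN host, no NAT       ->", reply_interface(req, []))                 # eth0
    print("LAN host, OPT1 NAT     ->", reply_interface(req, OPT1_OUTBOUND_NAT))  # tun0
    print("pfSense itself, no NAT ->",
          reply_interface(Packet(PFSENSE_TUN_IP, VPS_TUN_IP), []))               # tun0
    print("two clients, same LAN  ->", two_clients_with_same_lan())              # None
```

The three runs match the thread: tests from the pfSense box itself work without NAT because its source is already a 10.8.0.x address, LAN hosts get no reply until outbound NAT on the OpenVPN interface hides them behind 10.8.0.14, and a VPS that had to route into two identical client LANs would have no unique answer for where a reply belongs.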