Specific VLAN over OpenVPN
-
I am trying to set up my pfSense such that all traffic from a particular VLAN is routed out over OpenVPN. Following tutorials on these forums and elsewhere, I believe I have things configured such that it should be working; however, I am unable to access the internet from that VLAN. Does anyone have any ideas for how I can troubleshoot where the problem is? I don't know if I should be focusing on the rules or the VPN configuration.
Below is my relevant configuration:
STATUS|OPENVPN shows a status of up with a virtual ip address
Name Status Connected Since Virtual Addr Remote Host Bytes Sent Bytes Rcvd
PIA VPN UDP up Wed Oct 7 23:33:40 2015 10.107.1.6 108.61.27.139 7.07 MB 1.07 MB
STATUS| GATEWAYS shows the vpn gateway is down
PIAVPN_VPNV4 10.107.1.5 10.107.1.5 0ms 100% Offline Last check: Thu, 08 Oct 2015 14:20:09 -0400
I have created the following rules under FIREWALL|NAT|Outbound
Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
PIAVPN 127.0.0.0/8 * * * PIAVPN address * NO
PIAVPN 10.10.80.0/24 * * 500 PIAVPN address * YES
PIAVPN 10.10.80.0/24 * * * PIAVPN address * NO
I have the following rule in VLAN80 which is the VLAN which should be going out over the VPN
ID Proto Source Port Destination Port Gateway Queue Schedule Description
IPv4 * * * * * PIAVPN_VPNV4 none
For further reference, below are my OpenVPN logs after restarting the service.
Oct 8 14:37:44 openvpn[6743]: port_share_port = 0
Oct 8 14:37:44 openvpn[6743]: client = ENABLED
Oct 8 14:37:44 openvpn[6743]: pull = ENABLED
Oct 8 14:37:44 openvpn[6743]: auth_user_pass_file = '/etc/openvpn-password.txt'
Oct 8 14:37:44 openvpn[6743]: OpenVPN 2.3.7 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 19 2015
Oct 8 14:37:44 openvpn[6743]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
Oct 8 14:37:44 openvpn[6918]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client2.sock
Oct 8 14:37:44 openvpn[6918]: WARNING: file '/etc/openvpn-password.txt' is group or others accessible
Oct 8 14:37:44 openvpn[6918]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 8 14:37:44 openvpn[6918]: LZO compression initialized
Oct 8 14:37:44 openvpn[6918]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:3 ]
Oct 8 14:37:44 openvpn[6918]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Oct 8 14:37:44 openvpn[6918]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Oct 8 14:37:44 openvpn[6918]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Oct 8 14:37:44 openvpn[6918]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Oct 8 14:37:44 openvpn[6918]: Local Options hash (VER=V4): '41690919'
Oct 8 14:37:44 openvpn[6918]: Expected Remote Options hash (VER=V4): '530fdded'
Oct 8 14:37:44 openvpn[6918]: UDPv4 link local (bound): [AF_INET]74.108.30.118
Oct 8 14:37:44 openvpn[6918]: UDPv4 link remote: [AF_INET]108.61.57.220:1194
Oct 8 14:37:44 openvpn[6918]: TLS: Initial packet from [AF_INET]108.61.57.220:1194, sid=9c337db2 84e34e97
Oct 8 14:37:44 openvpn[6918]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 8 14:37:44 openvpn[6918]: VERIFY OK: depth=1, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Oct 8 14:37:44 openvpn[6918]: Validating certificate key usage
Oct 8 14:37:44 openvpn[6918]: ++ Certificate has key usage 00a0, expects 00a0
Oct 8 14:37:44 openvpn[6918]: VERIFY KU OK
Oct 8 14:37:44 openvpn[6918]: Validating certificate extended key usage
Oct 8 14:37:44 openvpn[6918]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Oct 8 14:37:44 openvpn[6918]: VERIFY EKU OK
Oct 8 14:37:44 openvpn[6918]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Oct 8 14:37:45 openvpn[6918]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Oct 8 14:37:45 openvpn[6918]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 8 14:37:45 openvpn[6918]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Oct 8 14:37:45 openvpn[6918]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 8 14:37:45 openvpn[6918]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Oct 8 14:37:45 openvpn[6918]: [Private Internet Access] Peer Connection Initiated with [AF_INET]108.61.57.220:1194
Oct 8 14:37:47 openvpn[6918]: SENT CONTROL [Private Internet Access]: 'PUSH_REQUEST' (status=1)
Oct 8 14:37:47 openvpn[6918]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.113.1.1,topology net30,ifconfig 10.113.1.10 10.113.1.9'
Oct 8 14:37:47 openvpn[6918]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Oct 8 14:37:47 openvpn[6918]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Oct 8 14:37:47 openvpn[6918]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Oct 8 14:37:47 openvpn[6918]: Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Oct 8 14:37:47 openvpn[6918]: OPTIONS IMPORT: timers and/or timeouts modified
Oct 8 14:37:47 openvpn[6918]: OPTIONS IMPORT: LZO parms modified
Oct 8 14:37:47 openvpn[6918]: OPTIONS IMPORT: --ifconfig/up options modified
Oct 8 14:37:47 openvpn[6918]: TUN/TAP device ovpnc2 exists previously, keep at program end
Oct 8 14:37:47 openvpn[6918]: TUN/TAP device /dev/tun2 opened
Oct 8 14:37:47 openvpn[6918]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Oct 8 14:37:47 openvpn[6918]: /sbin/ifconfig ovpnc2 10.113.1.10 10.113.1.9 mtu 1500 netmask 255.255.255.255 up
Oct 8 14:37:47 openvpn[6918]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1542 10.113.1.10 10.113.1.9 init
Oct 8 14:37:47 openvpn[6918]: Initialization Sequence Completed
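The log above carries most of what a troubleshooting pass needs: whether the tunnel finished initialising, which tunnel endpoint pfSense's gateway entry should be watching, which server-pushed options the client refused, and two credential-handling warnings. The following is an added example, not code from the thread or from pfSense, that parses a constructed excerpt of those same log lines and reports those facts so they can be compared with the Status > OpenVPN and Status > Gateways pages. It assumes the stock OpenVPN 2.3 message formats shown in the post; the sample log is constructed from lines quoted above.

```python
# Added example (not from the thread): summarise an OpenVPN client log so the
# tunnel state can be checked against pfSense's status pages.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the log lines quoted in the post, one entry per line.
SAMPLE_LOG = """\
Oct 8 14:37:44 openvpn[6918]: WARNING: file '/etc/openvpn-password.txt' is group or others accessible
Oct 8 14:37:44 openvpn[6918]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Oct 8 14:37:44 openvpn[6918]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 8 14:37:45 openvpn[6918]: [Private Internet Access] Peer Connection Initiated with [AF_INET]108.61.57.220:1194
Oct 8 14:37:47 openvpn[6918]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.113.1.1,topology net30,ifconfig 10.113.1.10 10.113.1.9'
Oct 8 14:37:47 openvpn[6918]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Oct 8 14:37:47 openvpn[6918]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Oct 8 14:37:47 openvpn[6918]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Oct 8 14:37:47 openvpn[6918]: Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Oct 8 14:37:47 openvpn[6918]: /sbin/ifconfig ovpnc2 10.113.1.10 10.113.1.9 mtu 1500 netmask 255.255.255.255 up
Oct 8 14:37:47 openvpn[6918]: Initialization Sequence Completed
"""


@dataclass
class VpnSummary:
    initialized: bool = False
    peer: Optional[str] = None       # server address:port the TLS session was built with
    local_ip: Optional[str] = None   # our end of the tun point-to-point link
    remote_ip: Optional[str] = None  # far end; in the status above, Gateway and Monitor were the far end
    cipher: Optional[str] = None     # data-channel cipher from the local options string
    pushed: List[str] = field(default_factory=list)    # options the server pushed
    rejected: List[str] = field(default_factory=list)  # pushed options the client refused
    warnings: List[str] = field(default_factory=list)


_MSG = re.compile(r"openvpn\[\d+\]: (?P<msg>.*)$")
_PEER = re.compile(r"Peer Connection Initiated with \[AF_INET\](?P<peer>[\d.]+:\d+)")
_IFCONFIG = re.compile(r"/sbin/ifconfig \S+ (?P<local>[\d.]+) (?P<remote>[\d.]+) mtu")
_PUSH = re.compile(r"PUSH: Received control message: '(?P<opts>[^']*)'")
_REJECT = re.compile(r"Options error: option '(?P<opt>[^']+)' cannot be used in this context")
_CIPHER = re.compile(r"Local Options String: '.*?cipher (?P<cipher>[^,']+)")


def summarise(log_text: str) -> VpnSummary:
    """Walk the log once and collect the facts worth checking."""
    s = VpnSummary()
    for line in log_text.splitlines():
        m = _MSG.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("WARNING:"):
            s.warnings.append(msg[len("WARNING: "):])
        elif msg == "Initialization Sequence Completed":
            s.initialized = True
        elif (m2 := _PEER.search(msg)):
            s.peer = m2.group("peer")
        elif (m2 := _IFCONFIG.search(msg)):
            s.local_ip, s.remote_ip = m2.group("local"), m2.group("remote")
        elif (m2 := _PUSH.search(msg)):
            # The first comma-separated token is the literal 'PUSH_REPLY'.
            s.pushed = m2.group("opts").split(",")[1:]
        elif (m2 := _REJECT.search(msg)):
            s.rejected.append(m2.group("opt"))
        elif (m2 := _CIPHER.search(msg)):
            s.cipher = m2.group("cipher")
    return s


def findings(s: VpnSummary) -> List[str]:
    """Turn the summary into the checks a pfSense admin would act on."""
    out: List[str] = []
    if not s.initialized:
        out.append("tunnel never reached 'Initialization Sequence Completed'")
    if s.local_ip and s.remote_ip:
        out.append(f"tunnel endpoints are now {s.local_ip} -> {s.remote_ip}; "
                   "compare the far end with the Gateway/Monitor IP under Status > Gateways")
    for opt in sorted(set(s.rejected)):
        # The client refused a pushed option (pfSense's 'Don't pull routes' has
        # this effect); anything still needed must be set locally instead.
        out.append(f"pushed option '{opt}' rejected by the client configuration")
    for w in s.warnings:
        if "group or others accessible" in w:
            out.append("credential file is readable by other users: tighten its permissions")
        elif "cache passwords" in w:
            out.append("credentials are cached in memory: consider the auth-nocache option")
    if s.cipher and s.cipher.upper().startswith("BF-"):
        out.append(f"data channel uses {s.cipher}, a 64-bit block cipher; prefer an AES cipher")
    return out


if __name__ == "__main__":
    for item in findings(summarise(SAMPLE_LOG)):
        print("-", item)
```

Feed it the full log from the post instead of SAMPLE_LOG and the endpoint line is the one to read first: if the far end reported there is not the address the gateway monitor is pinging, the "Offline" gateway status has an explanation that has nothing to do with the firewall rules.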
-
Kind of confusing having the OpenVPN interface the same name as the OpenVPN interface group. What's really the deal?
Hmm. The interface group is selectable in the outbound NAT config. As far as I know you cannot use the OpenVPN "interface" which is really an interface group as I understand it, for NAT. You have to create an assigned interface and NAT on that.
-
That is actually a mistake which I had caught prior to sending the post, and it should actually look like this:
Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
PIAVPN 127.0.0.0/8 * * * PIAVPN address * NO
PIAVPN 10.10.80.0/24 * * 500 PIAVPN address * YES
PIAVPN 10.10.80.0/24 * * * PIAVPN address * NO
I will correct above as well.
-
What's not working? Define "Can't access the internet." Can you ping 8.8.8.8? Resolve names?
-
There was no internet connectivity on devices on VLAN 80. After numerous restarts of the service and the router it just started working with no changes to config. Thanks anyway.
-
You might try setting the OpenVPN gateway as the gateway for the entire VLAN80, or on the clients inside VLAN80 you might set the OpenVPN gateway as their gateway.