Connect to OpenVPN Access Server?
-
Big thanks! man, big big thanks!
sorry for bothering you so much, and thank you a lot!
-
Ok here you go.. So make you assign your vpnclient to an interface - don't give it an IP, then create a gateway using that interface (do not set it default). You can disable the _v6 interface it creates.
Make sure you have a nat to this interface in your outbound nats to your network range.
Then create a rule that says hey your source IP or IPs when NOT going to your local networks.. That is what the ! is in the rule and I use an alias that has my local networks in it and tell it to use the gateway.. Now when that source IP or IPs is going to anything other than your local networks that rule will trigger and send that traffic down your vpn client tunnel. See attached images - so my normal workstation has my normal 24. IP on public - but when I use a vm that is 192.168.9.230 it goes down the tunnel.
Make sure you devices you want to go down the tunnel use the dns you want to use and you should be set. Also you might want to make sure you don't get any routes from the vpn client connection, see my above post showing my client config - see how I have checked block routes checked.. You don't want pfsense getting routes you may not want.. you just want to send the traffic down the tunnel based on your policy. Quite often openvpnas is set to default route.. So pfsense could get a default route pointing down the tunnel, etc..
-
Big thanks!
I am having issues figuring out how to set getway for firewall rule on specific IP
I go to:
https://192.168.1.1/firewall_rules.php?if=lanit looks like:
when i go to edit it, it looks like:
i think i am on correct page?
sorry for bothering you so much with this.
thanks
-
Yeah that looks like firewall rule page.. And you need to move this rule above the default rules.. Where are all your advanced settings?? You set the gateway in the advanced section
-
i am completely dumb. :o
I "think" i did everything as you said, and i rebooted pfSense right now.
The output was, every single device was receiving OpenVPN's IP :-\
Here is the full setup:
Interface setup:
Firewall Outbound:
Firewall Rules:
What am i missing?
Thanks
-
No idea what you expect to happen with ! any as a destination.
Some VPN providers push a default gateway. You have to check don't pull routes in the client config to have policy routing control on the client side.
-
well !* is not valid.. You need t create a alias for your local networks, or at min use ! lan net.. So where were your advanced settings in the previous post.. Seems you have gateway set now. And you prob don't want that rule only tcp… How are you going to do dns for example which is udp through that link?
Did you block getting routes from from the vpn client.. It can over write you default route and send everything through that tunnel..
-
Yes, i did set that option.
Alias:
Firewall now:
Advanced:
-
Yeah that looks fine, did you tell your vpn client setting not to pull the routes like I posted twice now and derelict even mentioned ;)
And you still only have tcp, do you not want icmp or udp to go down the tunnel.. Most the time that rule for sending traffic down a tunnel will be any vs just tcp.
-
sorry, only 2 hours sleep tired / sleepy :)
yes i did, in OpenVPN Client, it looks exactly the same as yours in the screenshot:
What about this (Interface), anything should be done here, or leave as it is ? (unchecked)
Also, figured out to change firewall to * instead of TCP only.
All looks fine now?
Big thanks for help :)
-
Dude change it to ANY… so you can use any protocol over the tunnel not just tcp.. More than likely if your wanting to use something like netflix your going to want to make sure its dns used through the tunnel as well..
So is it working now?
-
sorry, while you were typing this post, i was editing above post :/
-
So is it working now?
yes, its working, 2 devices are now going over openvpn, thanks to you.
not sure how to check dns thing, but, when i played a movie on netflix, i monitored the traffic on vps and it was definitely going over openvpn.
[root@my ~]# vnstat -l
Monitoring eth0… (press CTRL-C to stop)rx: 1.53 Mbit/s 138 p/s tx: 1.66 Mbit/s 217 p/s^C
eth0 / traffic statistics
rx | tx
--------------------------------------+------------------
bytes 496.06 MiB | 531.18 MiB
--------------------------------------+------------------
max 49.60 Mbit/s | 53.08 Mbit/s -
When you get a chance, if you please can tell me if i need this checked or leave it unchecked:
I promise after this, i will stop bothering you :-X
I appreciate your help.
-
What is your client using for dns?? The one you want to go over the vpn, you said you set a static on it.. Smart TVs and such and with apps like netflix, etc. could be hard coded to use say googledns.. If so you would want that going down the tunnel because you would want it doing a dns query from the location of the vpn exit point.
Just change your rule on your policy route to be ANY vs tcp for the protocol and your good any traffic that is from that IP that is not too your lan would go down the tunnel. Only issue would be if the client was using your local dns.. So you might want to change it to use some public dns that goes down the tunnel or you could get geo returned IPs that could cause problems.. Lets say for example your in the the EU, and your vpn exit point is in the US.. If your using your local dns, you could get told to go to site in EU based upon where you source dns query came from.. So now your traffic goes down the tunnel to US just to go back to some IP in the EU.
As to blocking rfc1918 and bogon - no on your vpn interface there would be no need or want to block those.. So leave them unchecked is fine.
-
In my pfSense i have Static DHCP enabled (my MAC) for all devices i have @ Home.
Each device gets a static IP.Devices / PC's , etc are set to AUTO for IP's / DNS.
pfSense is set to use Google DNS.
8.8.8.8
8.8.4.4VPS with OpenVPN on it is also set to Google DNS:
[root@my ~]# cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4so, i believe this looks good?
What i don't understand is, on one of the PC's that is connected to my kid's TV (which is also used for Netflix) , when i do tracert to any IP, it the output / path is not going over openvpn's network, its going through my ISPs.
When i go to "whats my IP on google / and check multiple websites " it shows / reports IP of the openvpn.I used to have OpenVPN's client installed on that Windows, and tracert's output / path was going over the OpenVPN.
Why is this?(And still, Netflix, downloads, etc, go through openvpn's network, as i am still monitoring the eth0 with vnstat)
Thanks
-
Actually, nevermind about that tracert part, after i changed to ANY from TCP, its going over OpenVPN's network :o
-
Also, i am like 99% sure Netflix is showing US stuff
If i go to : http://api-global.netflix.com/apps/applefuji/config
And look for <geolocation></geolocation>it shows US for me;
<geolocation>US</geolocation>
There is still that 1%, but, not sure if there is any other way to check :)
-
I just checked logs in pfSense for OpenVPN, and noticed this:
Nov 10 12:21:51 openvpn[21245]: write UDPv4: No buffer space available (code=55)
Nov 10 12:21:52 openvpn[21245]: write UDPv4: No buffer space available (code=55)
Nov 10 12:21:52 openvpn[21245]: write UDPv4: No buffer space available (code=55)
Nov 10 12:21:52 openvpn[21245]: write UDPv4: No buffer space available (code=55)
Nov 10 12:21:52 openvpn[21245]: write UDPv4: No buffer space available (code=55)
Nov 10 12:21:52 openvpn[21245]: write UDPv4: No buffer space available (code=55)
Nov 10 12:21:52 openvpn[21245]: write UDPv4: No buffer space available (code=55)Also, when i SSH to VPS, it doesn't show my WAN IP any more, but, Local IP from OpenVPN;
root pts/0 172.27.232.2 12:24 0.00s 0.00s 0.00s w
When i do tracert to IP of VPS, it outputs like this:
1 <1 ms <1 ms <1 ms pfSense.home.network [192.168.1.1]
2 26 ms 25 ms 25 ms 168.** (Full IP of VPS)Also, i am unable to connect to TeamSpeak 3 server hosted on the same VPS.
This is done from my PC, and for this PC there are no rules (firewall) in pfSense.
Googling my IP shows my WAN (ISP's) IP.
Probably i messed up something else?:)
Thanks
-
your buffers error prob could be a routing issue.. See this pfsense forum
https://forum.pfsense.org/index.php?topic=40405.msg208614#msg208614
https://airvpn.org/topic/11486-error-in-openvpn-logs-on-pfsense/
If you want me to help you really need to show the FULL logs, not just the piece that you think matters.. There is most likely something else in the log that will point to why the error happens.. Like for example with your compression setting in the previous posting..
If your pulling the routes from the vpn client connection its going to cause problems if it hands pfsense a default route down the tunnel, etc..
