OpenVPN Server behind PFSense (ping is possible, web access not)
-
Hi phil.davis,
Thanks for your response. The button is called "Bypass firewall rules for traffic on the same interface" and can be found at System -> Advanced -> Network. But unfortunately this is not working.
I just want to summarize what you wrote:
- I have a notebook with the local IP 192.168.7.200. It also has a public IP, 91.xx.xx.xx.
- It connects via the public IP of the pfSense, 37.148.xx.xx, on port 1194.
- pfSense has a port forwarding rule for port 1194 and passes the request to the IP 192.168.5.43.
- An OpenVPN server is listening on IP 192.168.5.43.
- The connection is authorized and the VPN tunnel is created.
- The client receives the IP 10.8.8.9 for the tunnel and receives the route 192.168.5.0 255.255.255.0.
- So the client sends all requests for e.g. 192.168.5.43 or 192.168.5.1 to tun0.
- The OpenVPN server receives the requests on 10.8.8.1 and passes them on, e.g. to 192.168.5.43.
- 192.168.5.43 receives the HTTPS request and answers with the content of the web page.
- Now I struggle a little bit.
- Shouldn't the answer go back to the origin? That means 192.168.5.43 replies to 10.8.8.1 and 10.8.8.1 replies to 10.8.8.9?
- Of course 192.168.5.43 receives via DHCP from the pfSense that the default gateway is 192.168.5.1.
- By the way, the routing table on the OpenVPN server as soon as there is a connection is:
Ziel          Router        Genmask          Flags Metric Ref Use Iface
0.0.0.0       192.168.5.1   0.0.0.0          UG    0      0   0   eth0
10.8.8.0      10.8.8.2      255.255.255.0    UG    0      0   0   tun0
10.8.8.2      0.0.0.0       255.255.255.255  UH    0      0   0   tun0
192.168.5.0   0.0.0.0       255.255.255.0    U     0      0   0   eth0
- I tried the following:
- I created a gateway in the pfsense with name: openvpnbehindpfsense interface: LAN gateway: 192.168.5.43
- and I created a rule on the lan that destination 10.8.8.0/24 has to use this gateway.
IPv4 TCP/UDP * * 10.8.8.0/24 * openvpnbehindpfsense none
but this does not solve the problem.
- I have another point:
- We have two WANs in our office: one with a static IP that is used for the OpenVPN access and one with a dynamic IP. Could that be the problem, that the replies are sent to the second WAN and not the first one?
Thanks for your help.
Best regards
Christoph
-
Perhaps you need to bypass policy routing for the VPN traffic.
https://doc.pfsense.org/index.php/What_is_policy_routing
https://doc.pfsense.org/index.php/Bypassing_Policy_Routing
-
- I created a gateway in the pfsense with name: openvpnbehindpfsense interface: LAN gateway: 192.168.5.43
- and I created a rule on the lan that destination 10.8.8.0/24 has to use this gateway.
IPv4 TCP/UDP * * 10.8.8.0/24 * openvpnbehindpfsense none
but this does not solve the problem.
No. That rule on LAN won't do it.
https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
You want to delete that and go to System > Routing and create a route for 10.8.8.0/24 to gateway openvpnbehindpfsense.
-
I see now. A diagram would have made it instantly obvious. :P
The way you have it designed you either need to have a route in all your clients on 192.168.5.0/24 that tells them to reach 10.8.8.0/24 via 192.168.5.43 - probably not practical.
Or you have to hairpin traffic into pfSense (the 192.168.5.0/24 default gateway) and back out the same interface - which is unsound design. As you're finding out, problems happen.
A better way would be to put the Linux OpenVPN server on another subnet/pfSense interface. Then all the routing would be done by one router and you wouldn't be stuck trying to make an unsound design work.
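To make the three options in this post concrete, here is an added example (not part of the thread and not pfSense code) that walks a reply packet from a LAN host back to the VPN client through the routing tables of this topology, using ordinary longest-prefix matching. The server's table mirrors the netstat output posted earlier; the pfSense tables, the LAN web server 192.168.5.20, the ISP_GATEWAY placeholder, and the 192.168.66.0/24 subnet used for the "own interface" variant are assumptions. It goes slightly beyond the thread by including that third variant, so the hairpin and the clean design can be compared side by side.

```python
"""Where does a reply to the OpenVPN client end up?  A longest-prefix-match walk
through the routing tables of the thread's topology (constructed example)."""
import ipaddress

# Addresses taken from the thread
VPN_CLIENT = "10.8.8.9"          # tunnel address handed to the roaming notebook
VPN_SERVER = "192.168.5.43"      # Linux OpenVPN server on the LAN
PFSENSE = "192.168.5.1"          # pfSense LAN address, the LAN's default gateway
# Assumptions, not from the thread
LAN_HOST = "192.168.5.20"        # an ordinary LAN web server the client wants to reach
VPN_SERVER_OPT = "192.168.66.2"  # the same server moved to its own pfSense interface
PFSENSE_OPT = "192.168.66.1"     # pfSense address on that extra interface (opt1)

# Route entry: (prefix, next hop or None if directly connected, egress interface)
HOST_TABLES = {
    VPN_SERVER: [                               # mirrors the netstat -r output in the thread
        ("0.0.0.0/0", PFSENSE, "eth0"),
        ("10.8.8.0/24", "10.8.8.2", "tun0"),
        ("192.168.5.0/24", None, "eth0"),
    ],
    LAN_HOST: [                                 # default gateway learned via DHCP from pfSense
        ("0.0.0.0/0", PFSENSE, "eth0"),
        ("192.168.5.0/24", None, "eth0"),
    ],
    VPN_SERVER_OPT: [                           # server on its own subnet behind opt1
        ("0.0.0.0/0", PFSENSE_OPT, "eth0"),
        ("10.8.8.0/24", "10.8.8.2", "tun0"),
        ("192.168.66.0/24", None, "eth0"),
    ],
}

PFSENSE_NO_ROUTE = [
    ("0.0.0.0/0", "ISP_GATEWAY", "wan"),        # placeholder for the upstream gateway
    ("192.168.5.0/24", None, "lan"),
]
PFSENSE_STATIC_ROUTE = PFSENSE_NO_ROUTE + [     # the System > Routing static route suggested above
    ("10.8.8.0/24", VPN_SERVER, "lan"),
]
PFSENSE_OWN_INTERFACE = PFSENSE_NO_ROUTE + [    # server relocated to a dedicated interface
    ("192.168.66.0/24", None, "opt1"),
    ("10.8.8.0/24", VPN_SERVER_OPT, "opt1"),
]


def lookup(table, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def trace_reply(src, dst, pfsense_table):
    """Follow a reply from src towards dst hop by hop.

    Returns (outcome, hops, hairpin): outcome is "tunnel" (reached the OpenVPN
    server's tun0), "wan" (left towards the internet, i.e. lost), "unreachable"
    or "loop"; hairpin is True when pfSense forwards the packet back out the
    interface it arrived on.
    """
    tables = dict(HOST_TABLES)
    tables[PFSENSE] = pfsense_table
    hops, here, hairpin = [src], src, False
    for _ in range(8):                          # bounded so a routing loop terminates
        _net, gw, iface = lookup(tables[here], dst)
        if iface == "tun0":
            return "tunnel", hops, hairpin
        if iface == "wan":
            return "wan", hops, hairpin
        if here == PFSENSE and len(hops) > 1:
            ingress = lookup(tables[here], hops[-2])[2]  # interface the packet came in on
            hairpin = hairpin or ingress == iface
        if gw is None or gw not in tables:
            return "unreachable", hops, hairpin
        here = gw
        hops.append(here)
    return "loop", hops, hairpin


if __name__ == "__main__":
    cases = [
        ("server itself, no static route", VPN_SERVER, PFSENSE_NO_ROUTE),
        ("LAN host, no static route", LAN_HOST, PFSENSE_NO_ROUTE),
        ("LAN host, static route via 192.168.5.43", LAN_HOST, PFSENSE_STATIC_ROUTE),
        ("LAN host, server on its own interface", LAN_HOST, PFSENSE_OWN_INTERFACE),
    ]
    for label, src, table in cases:
        outcome, hops, hairpin = trace_reply(src, VPN_CLIENT, table)
        print(f"{label:42} {outcome:8} via {' -> '.join(hops)}"
              + ("  (hairpin)" if hairpin else ""))
```

The first case is why ping to the server itself works: 192.168.5.43 has a tun0 route and replies directly. Any other LAN host hands its reply to 192.168.5.1, which without a route for 10.8.8.0/24 sends it out the WAN. The static route fixes that, but only by sending the packet back out the LAN interface it arrived on, and since the request never crossed pfSense (it went tun0 -> eth0 -> host directly), the firewall sees only one direction of the flow; that asymmetry is what the "Bypass firewall rules for traffic on the same interface" setting from the first post exists to tolerate, and what this post calls unsound. With the server on its own interface the reply enters on lan and leaves on opt1, so pfSense sees both directions and needs no such exception.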
-
Hi Derelict,
thanks for your answer. I think you already told how to achieve the goal but I don't know how. Can you help me in more detail?
-
I made a diagram of my setup. You find it at: https://www.ionas.com/external/openvpn_behind_pfsense.png
-
I think its own interface for the OpenVPN server behind the pfSense is the best way. So I tried to assign a new interface. I created VLAN 666 because vr0 (that is my LAN) cannot be chosen. Is it correct that I have to use a VLAN?
I took static IPv4 and the IPv4 address is 10.8.8.1.
The IPv4 upstream gateway is my previously created gateway 10.8.8.1.
-
I created a firewall rule for the new interface. It allows everything and as gateway I took the gateway 10.8.8.1.
Is that correct? Can you tell me how you would do it?
Best regards
Christoph
-
Hi everybody,
I tried again last night to put the OpenVPN connection to a server in the LAN on its own interface. I didn't reach my goal.
Can anybody tell me how to do it? My main problem is to decide which "network port" I have to select on the page "Assign Interfaces". Do I have to choose vr0 (which is my LAN) or do I have to create a VLAN?
Thanks in advance for any hint.
Best regards
Christoph
-
Hi everybody,
I am still struggling with an OpenVPN server behind pfSense. Can anybody give me a hint what to do?
Derelict writes that it would be best to assign its own interface to the server. I tried to do this, but what network port do I have to use for this new interface? I have no more real LAN ports, and a virtual one has to be assigned to vr0 = LAN or vr2 = DSL line or something virtual… I am looking forward to your help.
Best regards
Christoph
-
Running a vpn server inside the network is at best a problematic setup. Why not just run openvpn on pfsense itself?
You run into routing problems when the VPN tunnel endpoint is just some IP in the LAN network. As mentioned already, you either need routes on all your hosts that your VPN clients would want to talk to, and/or you would have to hairpin a connection off pfSense, which is the gateway for your LAN machines, off that network.
What is your reasoning for running the VPN server behind pfSense and not on pfSense? You're really just making something that is clickity clickity to get up and running into a configuration mess.
-
I use OpenVPN on pfSense for all my remote connections. Works like a charm and easy to configure.
-
Running a vpn server inside the network is at best a problematic setup.
OpenVPN servers behind firewalls can work with a port forwarding and a static route so there is no rocket science involved.
One scenario (that requires OpenVPN server(s) BEHIND pfSense) is when there are multiple OpenVPN servers behind the firewall/pfSense, e.g. for penetration/version testing and/or high availability.
It would really help me (and Christoph) if there is some pfSense configuration/setting available that supports this configuration.
Thanks, regards,
Beau