Cannot go on Internet from my remote location over vpn connection

viragomann

Do you've checked "Redirect gateway" in the OpenVPN server settings?

You also need an NAT rule for the VPN subnet. Firewall > NAT > Outbound
If you've used the wizard for setup it will have done this automatically.

czar666

Thanks for the reply viragomann.
Yes, "Redirect gateway" is checked.
And indeed I used the wizard. So I have the automatically created NAT rules.
But still no browsing from my client from a remote location. Neither from my mobile btw (I also installed a client on my phone).
Http traffic is not returned. Any other idea?
I am reading that pfSense book. I just started to read the OpenVPN part and it's saying that OpenVPN interfaces may be assigned under 'Interfaces'. Assigning an OpenVPN interface will let me create interface-specific rules. I am diving into that now. I'll post it if I had any success with this.

kejianshi

Possibly there is no "allow" rulel on the openvpn interface in the firewall?

czar666

I have this automatically created rule for OpenVPN.
Seems to be what you are referring to I think.

viragomann

Assigning an interface to the vpn server or client on pfSense is only needed if you run multiple vpn instances.

Please post the routing table of the client when connection is established.

czar666

Ok thanks for the elaboration. I wont assign an interface to my vpn server then, as I don't run multiple vpn instances.
Here is a screenshot from my clients ipconfig and routing table.

viragomann

I can't see any cause for that issue.

Are you able to access the DNS? Try an internet host with its IP for testing, e.g. http://206.190.36.45

If that isn't the problem I'd suggest to go to troubleshooting. Take a packet capture (Diagnostic > Packet capture) from the OpenVPN and the WAN interface while you try to access a Web host, limited to source or dest IP or port.

czar666

I went to http://206.190.36.45 without success (see screenshot). It is saying 'Yahoo' in the tab of IE though. But the page stays empty.
After that I went to the Packet Capture feature. I started a capture first from the OpenVPN and then the WAN interface with a filter on the Ip address you just suggested to go to (206.190.36.45). As we now know it is not dns I just refreshed the IE page and went to the site via ip address.
I don't really see a problem in the Wireshark output. But I am not a pro so I probably oversee things.
Probably not enough, but I added screenshots of Wireshark output.

kejianshi

About time to post alll of your firewall rules.

czar666

Here are all my rules. For the moment all have been created automatically.
We may not have found the solution yet but thanks both of you for the replies and suggestions.

viragomann

So the pfsense(8^).PNG is taken form WAN with hidden WAN address and pfsense(9).PNG is from OpenVPN, I assume.
Everything there is looking all right. You get response from the webserver to the client on the OpenVPN interface, but IE doesn't load the page. So your pfSense firewall rules will be okay.

Strange behaviour. Can you test that with another browser or try a ping from the client?

czar666

STOP searching for the answer. I don't know why yet but with my mobile it works now.
When I go on Internet with my Android phone after I connected with the OpenVPN app, I can go to https://www.whatismyip.com/ and see the public IP of my pfSense box. So I guess it's ok and that something on my corporate laptop is blocking. I am not on the corporate network though. I have a connection to a modem to bypass the firewall and to do tests for work. So no firewall on my remote location. My proxy settings in my browser are also set to "automatically detect". I didn't forget that one. But still I can't see the webpages I request.
So now I am deep ashamed for all the time you two spent in reading my reactions and viewing my screenshots. Sorry…

kejianshi

Corporate laptop?

Do you have admin rights to that laptop or is your account a user account and not admin privileges?

czar666

Update:
It works also on my corporate laptop now.
First, Kejianshi, to answer your question: I have more rights than 'normal' users, but I am not full admin. Certain things like disabling anti-virus is not possible. But that was not the problem.

Solution:
My home router (the pfSense) his local IP is 192.168.1.1. Classic. But the local IP of the modem I used on my remote location was also 192.168.1.1. The last one I changed to 192.168.0.1. And now when connected through OpenVPN I can open my webbrowser, go on whatismyip and see the public IP adress from home.

So when I had the problem I assume that when I opened my webbrowser and tried to go on Internet the traffic got confused somewhere when coming back to my laptop at the remote location.

kejianshi

Yep - Very common affliction.  Its a good idea to go with the 192.168.x.x - for both the Xs pick a random number between 2 and 254 or so.

The reason I asked about admin rights its because its always a good idea to right click the install icon for openvpn and run as admin - and then always run the program as admin after from then on.  Saves lots of grief.

Anyway - Sounds like you already have it worked out.  Enjoy.