OpenVPN where to get started? Severely frustrated here
-
Guys
All I have managed to find is the "All things VPN" topic linked from one of the stickies here. But this:
Consult the OpenVPN chapter in the pfSense book rather than relying on this entirely.
is not very helpful when there is no link and searching on those keywoirds brings up nothing of any substance.
I worked through the 'documentation', using the Wizard to create an OpenVPN server and then created a user and exported a client; installed the client; trying to connect results in timeouts.
Little wonder, the client appears to be attempting to connect to 192.168.4.1, which is not an address I configured anywhere in the server or client or user. In fact there isn't anywhere at all (in the instructions I followed) that I can configure the address that the client should be trying to connect to. So if that is missing, what else too?
I'm lost, and all the discussion on this forum seems to be about things that are so far elevated above the topic that I have no idea what they are talking about. I'm not stupid, I've been using (PPtP) VPNs for years, but the way pfSense goes about inplementing OpenVPN looks scanty at best. And the documentation doesn't really help, mostly just duplicating the 'explanation' on the pfSense setup pages. Surprising, and disappointing, considering everything else in pfSense that I have worked with is over-explained and so clear.
Who can help!!! Please… :'(
-
"Little wonder, the client appears to be attempting to connect to 192.168.4.1"
And is that the IP address of your pfsense lan/wan? Or other opt interface - when use the export client it lets you pick what should go in the client config. What did you select for the host name resolution via the drop down list?
-
If you're having trouble getting started with OpenVPN, I'd suggest a simple diagram of what you've got and what you expect to accomplish with your network.
What's your LAN look like, single or multiple NICS, what IP subnet(s) are you using?
How many users are going to try and connect?
Are they PC's, MAC's, iOS phones, Android, all of the above?
What are they connecting to, servers, file sharing, custom apps?
How is your pfSense box connected to the internet, bridged or dual nat?OpenVPN might look daunting at first, but it's not that difficult in the end.
Many of us use it regularly to solve a vast array of connectivity and security problems.You probably have a reasonable picture in your head about all the pieces in your network.
Putting it on paper lets the rest of us understand where you're coming from and gives us a chance to help. -
^ agreed picture is a worth 1000 words, sometimes a million of them…
My guess would be your behind a double nat and 192.168.4.1 is your wan interface, or you setup openvpn on your lan interface and that is its IP?
Openvpn in pfsense is really clickity clickity you run through the wizard, export your config - connect it really is that easy.. But you have to understand the basic concepts of what your IP is, and how that IP is presented to the client be it actual IP or fqdn, and how that fqdn might be resolved by the client.
-
OK I answered my own question.
In the client GUI, you have an option to edit your configuration. I found that 192.168 address and changed it to the correct public IP of the site. Turns out that address it automatically placed in there is the WAN interface of the pfSense box, which naturally connects to the LAN of the microwave router. One configurable that should be offered in the OpenVPN Server setup but isn't.
And… said router had to have port forwarding set up. Obvious, isn't it. But these are both basic steps that should be mentioned in the documentation. Just sayin'.
-
I got the book and it is out of date but it is still tremendously helpful if you have any misconceptions about the firewall.
I didn't know I didn't know in the case of what source meant in the firewall rules for example. LOL!
In openvpn, I had the best luck making the interface localhost. This requires port forwarding though.
In another implementation I had the best luck with using the WAN as the interface. In this case it doesn't need port forwarding.Very confusing, I know but that's what has worked for me.
-
" But these are both basic steps that should be mentioned in the documentation. Just sayin'."
Yeah those are VERY basic concept steps.. Does the instructions for your TV remote state plug in your TV first? Make sure you paid your electric bill, and that you have either cable tv, sat tv or get a picture over the air. Or that your dvr is on, etc. etc..
Yes if your behind a NAT you would have to make sure the traffic you want pfsense to do something with like vpn, port forward, etc. actually gets to Pfsense - same would go with its IP address on the wan interface vpn is listening on.. You have to assume that its public, if its not that the user is smart enough to understand that is not going to work..
I guess the problem here is when you assume the user of pfsense is not a complete idiot you might be expecting too much ;) heheheh
Don't take that the wrong way!!! Just an expression, but can not write the documents to the lowest denominator or we would be using crayons and pictures vs words to try and explain it for some of the people trying to use pfsense ;)
-
We all start out complete idiots. I'm still an idiot - Not sure if I graduated from complete idiot to plain idiot yet or not.
Ideally you would have pfsense set up as main router with a public IP on its WAN.
Ideally you should have at least one LAN.
Ideally you will assign pfsense LAN an IP that is NOT 192.168.1.1 - try 192.168.23.1… Thats a nice random number.
Try something like 192.168.25.0/24 for the openvpn subnet (just a random number I pulled out of my....)Now, you SHOULD be testing your openvpn client from a totally different network - like from your buddy's house or where ever. Maybe from the silly neighbors wifi that is wide open?
If you are, definitely you will open a port on the WAN for openvpn. (I said open, not port forward/NAT)
-
Ideally you will assign pfsense LAN an IP that is NOT 192.168.1.1 - try 192.168.23.1… Thats a nice random number.
Try something like 192.168.25.0/24 for the openvpn subnet (just a random number I pulled out of my....)^ I try not to rant on this too much (except now ;) ) but personally I find 192.168.0.x/192.168.1.x appearing way too often (and from people who should know better).
On the topic of choosing Tunnel IP's, I further like to keep them totally different from the LAN ranges, so I might use 172.16.xx or 10.x.x.x for tunnels when I use 192.168.232.0/24 for LAN'Nuff soapboxing ::)
-
Baby steps.