Routing all traffic through VPN
-
This doesn't sound like a pfSense issue, but I'm not sure if I understand the question correctly.
It sounds like you are having trouble using some app on your iPhone to remain connected to your pfSense server's VPN when on certain wifi networks?
If that's the case it is most likely an issue with the app you are using or the way in which it is configured. It sounds like it works in most scenarios, so your pfSense is likely configured correctly. If you are looking for help with your app then you'll need to post more details about the app you are using, how it is configured, etc.
I think that a recommended app for OpenVPN is:
https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8
-
Thank you for the assistance, but I don't think you're understanding my issue.
The OpenVPN app is working correctly, but web traffic doesn't appear to be routing through the VPN, only when I'm on my in-law's wifi. Again, for example, when I'm only on my cell data/4G and connect through the iPhone VPN app to my VPN server and go to my internal router's IP address (192.168.x.x), I correctly get the login page for my pfSense instance. But when connected to my in-law's wifi and I do the same thing while connected through the iPhone VPN app to my VPN server, I get their Comcast modem/router login page.
The behavior at my in-law's is the same as if I wasn't routing web traffic over the vpn even though I am. Make sense?
-
Oh I see, it sounds like you are just picking up their router's page because it is configured the same as your router's IP.
Maybe try setting your router up on a non-standard port? So that you type in 192.168.x.x:737 (or any other port not commonly used by something else).
-
Indeed. My assumption would be that wouldn't happen, but maybe I'm wrong. Is there a way to set up OpenVPN differently, or should I really be choosing a non-standard internal range because of this?
-
I don't know if that would happen, it's just the only thing I can think of to try?
System > Advanced > Admin Access > TCP Port
Make sure your firewall rules don't block you on that port.
-
It's not just the router web admin page, it's any internal device's web admin page (they simply time out). I would think if I route all traffic through the VPN, it should be as if I am on my home network. Is that not a correct assumption?
-
Yes it should work (that's how mine works) assuming you have written firewall rules to pass the traffic from your OpenVPN Server to your LAN (or whatever subnet you are trying to access). Which I assume you do since it works on other networks.
Is there anything of interest in your logs during the times you are on the wifi network in question? Either on the server or the client side?
-
I'll have to check the logs. I used the OpenVPN wizard which is supposed to create the firewall rules automatically. The strange part is that it works on the cell network flawlessly.
-
Well, I don't think the wizard will make sure that you can access devices on a different subnet. But yeah, if it works on cell then it should work all the time. Unless your in-law's wifi (or their ISP) is blocking your VPN provider's IP.
-
There is no VPN provider IP, it's all run internally. So comcast would have to be blocking comcast…
-
Ah yeah, sorry, I blanked and was thinking VPN client, not you running your own server off pfSense.
-
Haven't had a chance to look at logs yet but any other ideas as to what is going on? I'm stumped.
-
Eh, firewall rules on the wifi network in question? Limitation of a crappy home router with some weird bug that doesn't play well with your VPN? Maybe the router is blocking RFC 1918 traffic?
If your configuration is working everywhere but that one wifi network then I would bet that it's an issue on that network and unless you can troubleshoot it there's probably nothing to be done.
If it's an issue on other networks then hopefully you can find the issue in the logs.
-
I tested at a coffee shop and was successful although their subnet was different. Need to do a bit more testing but it's either the in-laws setup or subnet. I need to figure out which to troubleshoot more.
Thanks again!
-
No worries, I wish I could have been more helpful. Just guessing and really don't know if it applies to this, but does the subnet you are trying to access on your network have the block private network and loopback address box checked at the bottom of the page for the interface?
-
No, neither of those are checked on the LAN interface. They are, however, checked on the WAN interface. Should they be on either/both or none?
-
No that's how it is supposed to be.
-
Maybe try turning on logs for your firewall rules, noting the times that you are having trouble connecting and then come back and check your logs in that period.
It's possible that there's a firewall rule somewhere that has an issue with some of the IPs you're trying to connect from? But that would be weird. The only networks that I haven't been able to connect to my server from have been ones run by someone actively blocking most of the internet by whitelisting.
Hopefully someone smarter than myself can come in with some advice.
-
Let me think…
You get the same 192.168.X net at your in-laws' as you have at home...
"In VPN, route all traffic" does not mean you disappear from the local LAN (you still reach the LOCAL LAN, so you "get stuck in there" with your traffic.. you never leave their LAN to reach yours, because of the use of the same NET numbers).
My suggestion is that you at YOUR home use a 192.168.X net which is not common as a default net.
Common default nets in home routers:
192.168.0.0/24
192.168.1.0/24
Use 192.168.100.0/24 at your home instead.
rgrds Johan
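The collision Johan describes, shown as an added Python example (not code from the thread or from pfSense/OpenVPN): a toy longest-prefix-match lookup over the routes an OpenVPN client ends up with when the server pushes "redirect-gateway def1". That option installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which beat the /0 default route but still lose to the directly connected wifi /24, so a packet for 192.168.1.1 stays on the in-laws' LAN whenever home and in-laws share 192.168.1.0/24. The interface names wlan0/tun0, the tunnel subnet 10.8.0.0/24 and the list of common default LANs are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# LANs commonly shipped as defaults on home routers (assumption for this example,
# not a claim about any specific device).
COMMON_DEFAULT_LANS = [ip_network("192.168.0.0/24"), ip_network("192.168.1.0/24")]


def client_routes(wifi_lan, vpn_tunnel_net="10.8.0.0/24", redirect_gateway=True):
    """Approximate routing table of a phone sitting on 'wifi_lan' with an OpenVPN
    tunnel up. Interface names and the tunnel subnet are illustrative assumptions.

    With 'redirect-gateway def1' OpenVPN adds 0.0.0.0/1 and 128.0.0.0/1 via the
    tunnel: more specific than the /0 default, less specific than the wifi /24.
    """
    routes = [
        (ip_network("0.0.0.0/0"), "wlan0"),     # default route via the wifi router
        (ip_network(wifi_lan), "wlan0"),        # directly connected wifi subnet
        (ip_network(vpn_tunnel_net), "tun0"),   # the tunnel's own subnet
    ]
    if redirect_gateway:
        routes += [
            (ip_network("0.0.0.0/1"), "tun0"),
            (ip_network("128.0.0.0/1"), "tun0"),
        ]
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match, the way every IP stack picks a route."""
    dst = ip_address(dst)
    candidates = [(net, iface) for net, iface in routes if dst in net]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def reaches_home(home_lan, wifi_lan, host_last_octet=1):
    """Interface a packet for a host on the home LAN leaves on, given the wifi LAN."""
    home = ip_network(home_lan)
    dst = home.network_address + host_last_octet
    return egress_interface(client_routes(wifi_lan), dst)


def collides_with_defaults(home_lan):
    """Common default LANs that overlap the home LAN (empty list means no collision)."""
    home = ip_network(home_lan)
    return [str(n) for n in COMMON_DEFAULT_LANS if home.overlaps(n)]


if __name__ == "__main__":
    # Thread scenario: home and in-laws both on 192.168.1.0/24 -> in-laws' router answers.
    print(reaches_home("192.168.1.0/24", "192.168.1.0/24"))    # wlan0
    # Johan's fix: renumber home to 192.168.100.0/24 -> the tunnel carries the traffic.
    print(reaches_home("192.168.100.0/24", "192.168.1.0/24"))  # tun0
    print(collides_with_defaults("192.168.1.0/24"))            # ['192.168.1.0/24']
```

Note that pushing a route for the home /24 from the server would not help in the colliding case either: it would tie on prefix length with the connected wifi route, and the client prefers its directly connected network. Renumbering one side, as Johan suggests, is the only fix that makes the lookup unambiguous.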