Netgate Discussion Forum

    Possible to Run OpenVPN Server and a PIA OpenVPN Client at same time?

    16 Posts 7 Posters 6.0k Views
    steve28

      I run this same setup as well, I have two openvpn servers running (one on UDP 1194 and one on TCP 443) and an openvpn client connection to PIA.

      Check the logs in Status / System Logs / OpenVPN to see if there's anything there to help you.

      Also, I assume you assigned interfaces to each and have NAT setup?

      Murrayd222

        Your setup sounds like what I'm trying to achieve, but with one server instead of two.  My exposure to pfSense is about two weeks old, with about one week of that spent dealing with PIA.  I first set up an OpenVPN server and got it up and running fine, and I can remote access my network with no problems.  I then followed the guide for installing PIA, minus deleting the CA for the OpenVPN server.  If I enable the PIA client, PIA works and changes my IP to a PIA IP.  But as soon as I enable the PIA client, I immediately lose my ability to connect to the OpenVPN server.  I'm sorry, but I'm not sure what I should be looking for and I can't seem to find the answers searching this forum.  I can't find any type of guide that basically leads me in the direction of having both the OpenVPN server (UDP 1194) and the PIA client (UDP 1198) play nicely together.

        The closest I could find was this guide, which had me create an OPT1 Interface: https://www.reddit.com/r/PFSENSE/comments/61nqso/guide_pfsense_with_private_internet_access_and/

        I created that and assigned the Interface as "ovpns1 (OpenVPNServer)", but it made no difference.

        As for the system logs, I'm not sure how to interpret it.  Here is the OpenVPN Log with the OpenVPN Server already running and then enabling the PIA server and no longer being able to connect to the OpenVPN server…at which point I have to disable the PIA Client again.

        Apr 29 15:19:58 openvpn 12389 vpnuser1/174.227.149.4:12462 send_push_reply(): safe_cap=940
        Apr 29 15:19:58 openvpn 12389 vpnuser1/174.227.149.4:12462 MULTI_sva: pool returned IPv4=10.0.0.2, IPv6=(Not enabled)
        Apr 29 15:19:58 openvpn 12389 174.227.149.4:12462 [vpnuser1] Peer Connection Initiated with [AF_INET]174.227.149.4:12462
        Apr 29 15:19:57 openvpn user 'vpnuser1' authenticated
        Apr 29 15:19:47 openvpn 12389 174.227.149.4:12466 [vpnuser1] Peer Connection Initiated with [AF_INET]174.227.149.4:12466
        Apr 29 15:19:47 openvpn 12389 174.227.149.4:12466 TLS Auth Error: Auth Username/Password verification failed for peer
        Apr 29 15:19:47 openvpn 12389 174.227.149.4:12466 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
        Apr 29 15:19:47 openvpn user 'vpnuser1' could not authenticate.
        Apr 29 15:19:19 openvpn 14820 SIGTERM[hard,] received, process exiting
        Apr 29 15:19:19 openvpn 14820 /usr/local/sbin/ovpn-linkdown ovpnc2 1500 1561 10.54.10.6 10.54.10.5 init
        Apr 29 15:19:19 openvpn 14820 event_wait : Interrupted system call (code=4)
        Apr 29 15:18:46 openvpn 12389 TLS Error: incoming packet authentication failed from [AF_INET]192.168.1.140:59413
        Apr 29 15:18:46 openvpn 12389 Authenticate/Decrypt packet error: packet HMAC authentication failed
        Apr 29 15:18:45 openvpn 12389 TLS Error: incoming packet authentication failed from [AF_INET]192.168.1.140:59413
        Apr 29 15:18:45 openvpn 12389 Authenticate/Decrypt packet error: packet HMAC authentication failed
        Apr 29 15:17:27 openvpn 14820 Initialization Sequence Completed
        Apr 29 15:17:27 openvpn 14820 /usr/local/sbin/ovpn-linkup ovpnc2 1500 1561 10.54.10.6 10.54.10.5 init
        Apr 29 15:17:27 openvpn 14820 /sbin/ifconfig ovpnc2 10.54.10.6 10.54.10.5 mtu 1500 netmask 255.255.255.255 up
        Apr 29 15:17:27 openvpn 14820 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
        Apr 29 15:17:27 openvpn 14820 ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
        Apr 29 15:17:27 openvpn 14820 TUN/TAP device /dev/tun2 opened
        Apr 29 15:17:27 openvpn 14820 TUN/TAP device ovpnc2 exists previously, keep at program end
        Apr 29 15:17:25 openvpn 14820 [######a06b960e88d94b48219ef3950] Peer Connection Initiated with [AF_INET]104.156.240.167:1198
        Apr 29 15:17:25 openvpn 14820 WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
        Apr 29 15:17:25 openvpn 14820 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
        Apr 29 15:17:25 openvpn 14820 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
        Apr 29 15:17:25 openvpn 14820 UDPv4 link remote: [AF_INET]104.156.240.167:1198
        Apr 29 15:17:25 openvpn 14820 UDPv4 link local (bound): [AF_INET]##.##.###.180
        Apr 29 15:17:25 openvpn 14820 RESOLVE: Cannot resolve host address: us-florida.privateinternetaccess.com: hostname nor servname provided, or not known
        Apr 29 15:16:41 openvpn 14820 Initializing OpenSSL support for engine 'cryptodev'
        Apr 29 15:16:41 openvpn 14820 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        Apr 29 15:16:41 openvpn 14708 WARNING: file '/var/etc/openvpn/client2.up' is group or others accessible
        Apr 29 15:16:41 openvpn 14708 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
        Apr 29 15:16:41 openvpn 14708 OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017
        Apr 29 15:16:41 openvpn 12389 Initialization Sequence Completed
        Apr 29 15:16:41 openvpn 12389 UDPv4 link remote: [undef]
        Apr 29 15:16:41 openvpn 12389 UDPv4 link local (bound): [AF_INET]##.##.###.180:1194
        Apr 29 15:16:41 openvpn 12389 /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 10.0.0.1 255.255.255.0 init
        Apr 29 15:16:41 openvpn 12389 /sbin/ifconfig ovpns1 10.0.0.1 10.0.0.2 mtu 1500 netmask 255.255.255.0 up
        Apr 29 15:16:41 openvpn 12389 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
        Apr 29 15:16:41 openvpn 12389 ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
        Apr 29 15:16:41 openvpn 12389 TUN/TAP device /dev/tun1 opened
        Apr 29 15:16:41 openvpn 12389 TUN/TAP device ovpns1 exists previously, keep at program end
        Apr 29 15:16:41 openvpn 12389 Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
        Apr 29 15:16:41 openvpn 12389 Initializing OpenSSL support for engine 'cryptodev'
        Apr 29 15:16:41 openvpn 12389 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        Apr 29 15:16:41 openvpn 12389 WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
        Apr 29 15:16:41 openvpn 12242 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
        Apr 29 15:16:41 openvpn 12242 OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017

        NAT Outbound is:

        Interface | Source         | Source Port | Destination | Destination Port | NAT Address     | NAT Port | Static Port | Description
        OpenVPN   | 127.0.0.0/8    | *           | *           | 500              | OpenVPN address | *        |             | Auto created rule for ISAKMP - localhost to WAN
        OpenVPN   | 127.0.0.0/8    | *           | *           | *                | OpenVPN address | *        |             | Auto created rule - localhost to WAN
        OpenVPN   | 192.168.1.0/24 | *           | *           | 500              | OpenVPN address | *        |             | Auto created rule for ISAKMP - LAN to WAN
        OpenVPN   | 192.168.1.0/24 | *           | *           | *                | OpenVPN address | *        |             | Auto created rule - LAN to WAN
        OpenVPN   | 10.0.0.0/24    | *           | *           | 500              | OpenVPN address | *        |             | Auto created rule for ISAKMP - OpenVPN server to WAN
        WAN       | 127.0.0.0/8    | *           | *           | 500              | WAN address     | *        |             | Auto created rule for ISAKMP - localhost to WAN
        OpenVPN   | 10.0.0.0/24    | *           | *           | *                | OpenVPN address | *        |             | Auto created rule - OpenVPN server to WAN
        WAN       | 127.0.0.0/8    | *           | *           | *                | WAN address     | *        |             | Auto created rule - localhost to WAN
        WAN       | 192.168.1.0/24 | *           | *           | 500              | WAN address     | *        |             | Auto created rule for ISAKMP - LAN to WAN
        WAN       | 192.168.1.0/24 | *           | *           | *                | WAN address     | *        |             | Auto created rule - LAN to WAN
        WAN       | 10.0.0.0/24    | *           | *           | 500              | WAN address     | *        |             | Auto created rule for ISAKMP - OpenVPN server to WAN
        WAN       | 10.0.0.0/24    | *           | *           | *                | WAN address     | *        |             | Auto created rule - OpenVPN server to WAN

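As an added example (written for this page, not by any poster), here is a small Python triage script for OpenVPN log output in the format pasted above: it groups lines by PID, labels a PID as server or client from its "UDPv4 link remote" line, and flags the security-relevant warnings this log contains (the BF-CBC cipher mismatch, credentials cached in memory, the loose permissions on client2.up, the tls-auth HMAC failures from 192.168.1.140, and the failed user/password login). The sample is a constructed subset of the log above with the masked WAN address replaced by a documentation address; the finding texts are mine.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the OpenVPN log pasted above, with the masked
# WAN address replaced by a documentation address (203.0.113.10). PIDs 14708
# and 14820 are one instance: OpenVPN logs its banner before it daemonizes.
SAMPLE_LOG = """\
Apr 29 15:19:47 openvpn 12389 174.227.149.4:12466 TLS Auth Error: Auth Username/Password verification failed for peer
Apr 29 15:19:47 openvpn user 'vpnuser1' could not authenticate.
Apr 29 15:18:46 openvpn 12389 TLS Error: incoming packet authentication failed from [AF_INET]192.168.1.140:59413
Apr 29 15:17:27 openvpn 14820 Initialization Sequence Completed
Apr 29 15:17:25 openvpn 14820 WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
Apr 29 15:17:25 openvpn 14820 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 29 15:17:25 openvpn 14820 UDPv4 link remote: [AF_INET]104.156.240.167:1198
Apr 29 15:16:41 openvpn 14708 WARNING: file '/var/etc/openvpn/client2.up' is group or others accessible
Apr 29 15:16:41 openvpn 12389 UDPv4 link remote: [undef]
Apr 29 15:16:41 openvpn 12389 UDPv4 link local (bound): [AF_INET]203.0.113.10:1194
"""

# pfSense syslog prefix "Mon DD HH:MM:SS openvpn [PID] message"; the PID is
# absent on the "user ... authenticated" lines written by the auth script.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) openvpn (?:(?P<pid>\d+) )?(?P<msg>.*)$"
)

# (pattern, finding template); the finding wording is mine, not OpenVPN's.
CHECKS = [
    (re.compile(r"'cipher' is used inconsistently, local='cipher (?P<local>[^']+)', "
                r"remote='cipher (?P<remote>[^']+)'"),
     "cipher mismatch with peer: local {local}, remote {remote}"),
    (re.compile(r"may cache passwords in memory"),
     "credentials kept in process memory; set auth-nocache"),
    (re.compile(r"file '(?P<path>[^']+)' is group or others accessible"),
     "loose permissions on {path}"),
    (re.compile(r"incoming packet authentication failed from \[AF_INET\](?P<peer>[\d.]+):\d+"),
     "tls-auth HMAC failure from {peer}: wrong static key or direction, or unexpected sender"),
    (re.compile(r"Auth Username/Password verification failed"),
     "user/password authentication failed"),
]

def triage(log_text):
    """Return {pid: {"role": ..., "findings": [...]}} for a pasted OpenVPN log."""
    result = defaultdict(lambda: {"role": "unknown", "findings": []})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        entry = result[m.group("pid") or "no-pid"]
        msg = m.group("msg")
        if "UDPv4 link remote: [undef]" in msg:
            entry["role"] = "server"   # a server listens and has no fixed remote
        elif "UDPv4 link remote: [AF_INET]" in msg:
            entry["role"] = "client"   # a client dials exactly one remote
        for pattern, template in CHECKS:
            hit = pattern.search(msg)
            if hit:
                entry["findings"].append(template.format(**hit.groupdict()))
    return dict(result)

if __name__ == "__main__":
    for pid, info in sorted(triage(SAMPLE_LOG).items()):
        print(pid, info["role"], info["findings"])
```

Run against the full log from the post, PID 12389 is the OpenVPN server (ovpns1) and 14708/14820 the PIA client (ovpnc2), which is the split the poster was missing when reading the log.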
          viragomann

          Which guide for PIA setup have you followed?
          Have you already set up an interface for the PIA client and added policy routing rules to direct outgoing connections to the PIA server?

          To get it to work, you have to do this. Also go to the PIA client settings and check the "Don't pull routes" option. That will be the culprit here.

            Murrayd222

            I used the guide from PIA for setting up their client on pfsense: https://www.privateinternetaccess.com/pages/client-support/pfsense

            When I check the Don't Pull box, I no longer obtain a PIA IP address though…but the OpenVPN server works for a change.  What Is My IP shows my ISP IP instead of one from PIA.

              viragomann

              @Murrayd222:

              When I check the Don't Pull box, I no longer obtain a PIA IP address though

              So you've just checked this option, but not added a PIA interface and policy routing rules as I suggested above. So you've only done part of the solution!

              Here is a video showing how to do this: https://www.youtube.com/watch?v=JdjWNpoktrw

                Murrayd222

                @viragomann:

                @Murrayd222:

                When I check the Don't Pull box, I no longer obtain a PIA IP address though

                So you've just checked this option, but not added a PIA interface and policy routing rules as I suggested above. So you've only done part of the solution!

                Here is a video showing how to do this: https://www.youtube.com/watch?v=JdjWNpoktrw

                I followed the instructions in this video, and just like the guide from PIA's website, my PIA VPN is working…other than that the video neglected to change the port to 1198 from 1194 (1194 won't connect to PIA).  However, I still can't access my network via the OpenVPN server running on the pfSense router.  It is probably a NAT rules thing, but I can't find any guide on the additional NAT rules (or firewall rules) to get my iPhone to connect to the OpenVPN server.  I can only access my OpenVPN server if I disable the PIA VPN Client.  Any other ideas?

                  gjaltemba

                  Is your iPhone using a separate internet connection for testing?

                    Murrayd222

                    All remote iPhone tests used Verizon and not wifi.  I've scrapped the whole PIA client and will try again at a later date…a much later date.  For everything I got working, something else stopped working.  Before reverting to a backup, I had gotten Plex remotely connecting, Blue Iris remotely connecting, PIA working, and Open VPN working.  But then apps on my iPhone stopped working, even the weather app.  My Ooma Telo stopped working as well.  I set many devices to bypass and go straight to the WAN, but in the case of the Ooma and my iPhone...that didn't help.  Shoot, the final straw was my earlier reply not being able to post since the site loading was horrible before reverting back.  Back to the base router setup and OpenVPN server I need.  The whole weekend was wasted fighting with PIA and the OpenVPN server, so I won't be repeating this anytime soon.

                    Thanks to those who tried to help, but there are so many settings that have to be just right that I would probably need a guide for my exact setup to get it to work right.

                      Murrayd222

                      Ok, after more tweaking, factory resetting, and more tweaking…I have everything working except one thing.  I can connect to my network via the OpenVPN server, and I have the PIA VPN Client pushed to the network IP addresses I want going through the VPN.  I can remotely access both Plex and my Blue Iris surveillance server.  However, there is one thing I cannot figure out and I'm sure it has to do with Firewall Rules or NAT Outbound rules.  When remotely connecting to my OpenVPN server, I want those connections to be able to access the Internet as well.  Currently, any remotely connected client to my OpenVPN server can access network IPs only and any attempts to connect to the Internet are being blocked.  Anyone have a suggestion or guide on how to set up the needed rules?

                      Current NAT Outbound Rules:

                      Current Firewall Rules for WAN:

                      Current Firewall Rules for LAN:

                      I know there has got to be a way to do this.

                        viragomann

                        Since you still pull the default route from PIA, there's no special firewall rule needed for the VPN clients going out to the internet. You're only missing the outbound NAT rule for that traffic.
                        Just add a rule to the PIA_VPN interface and set the source to your VPN access server's tunnel network.

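To make this fix concrete, here is an added Python model (written for this page, not by any poster) of pfSense's first-match outbound NAT evaluation, fed with the auto-created rules from the table posted earlier plus the rule described in this reply. It shows why the remote OpenVPN clients in 10.0.0.0/24 kept LAN access but lost the Internet: with the default route pulled from PIA their packets leave on the PIA interface, where no rule translated them. The interface name PIA_VPN and the 10.0.0.0/24 tunnel network are taken from this thread; the "PIA_VPN address" label and rule description are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional


class OutboundNat(NamedTuple):
    interface: str     # pfSense interface the packet leaves on
    source: str        # source network the rule covers
    nat_address: str   # what the source becomes ("<interface> address" in the GUI)
    description: str


# Auto-created rules from the table posted earlier in this thread (the port-500
# ISAKMP variants are left out; they differ only in destination port). Note that
# none of them is on the PIA interface.
POSTED_RULES = [
    OutboundNat("OpenVPN", "127.0.0.0/8", "OpenVPN address", "localhost to WAN"),
    OutboundNat("OpenVPN", "192.168.1.0/24", "OpenVPN address", "LAN to WAN"),
    OutboundNat("OpenVPN", "10.0.0.0/24", "OpenVPN address", "OpenVPN server to WAN"),
    OutboundNat("WAN", "127.0.0.0/8", "WAN address", "localhost to WAN"),
    OutboundNat("WAN", "192.168.1.0/24", "WAN address", "LAN to WAN"),
    OutboundNat("WAN", "10.0.0.0/24", "WAN address", "OpenVPN server to WAN"),
]

# The rule viragomann describes: PIA_VPN interface, source = the OpenVPN server's
# tunnel network (10.0.0.0/24 in the log above). NAT address label is assumed.
SUGGESTED_RULE = OutboundNat("PIA_VPN", "10.0.0.0/24", "PIA_VPN address",
                             "OpenVPN clients out via PIA")


def match_outbound_nat(rules, egress_iface, src_ip) -> Optional[OutboundNat]:
    """First matching rule wins, as in pf: it must sit on the egress interface
    and its source network must contain the packet's source address."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.interface == egress_iface and src in ipaddress.ip_network(rule.source):
            return rule
    return None


def internet_verdict(rules, src_ip, pia_pulls_default_route=True) -> str:
    """Where Internet-bound traffic from src_ip exits and how it is translated.
    With "Don't pull routes" unchecked the default route is the PIA tunnel,
    so that interface, not WAN, is the one that needs the NAT rule."""
    egress = "PIA_VPN" if pia_pulls_default_route else "WAN"
    rule = match_outbound_nat(rules, egress, src_ip)
    if rule is None:
        return f"{src_ip} leaves {egress} untranslated; replies cannot return"
    return f"{src_ip} leaves {egress} as {rule.nat_address}"


if __name__ == "__main__":
    print(internet_verdict(POSTED_RULES, "10.0.0.2"))
    print(internet_verdict(POSTED_RULES + [SUGGESTED_RULE], "10.0.0.2"))
    print(internet_verdict(POSTED_RULES, "10.0.0.2", pia_pulls_default_route=False))
```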
                          Murrayd222

                          @viragomann:

                          Since you still pull the default route from PIA, there's no special firewall rule needed for the VPN clients going out to the internet. You're only missing the outbound NAT rule for that traffic.
                          Just add a rule to the PIA_VPN interface and set the source to your VPN access server's tunnel network.

                          Ok, adding this rule fixed one thing and broke another.  Adding the above Outbound rule now permits my remote clients connected to my OpenVPN Server to access the Internet, but now they can no longer connect to the LAN IPs.  Is this a one-or-the-other type of deal, or is it possible to have both working at the same time, along with a PIA VPN client?  Is there another rule I need to add in order to get both working?

                          EDIT 1: Never mind, it's an issue with the Remote Desktop app on my iPad only, as it works on my iPhone.

                          Here are my current Outbound Rules:

                            gtj

                            @Murrayd222:

                            Greetings,
                            I'm curious if it is possible to run an OpenVPN server to permit remote connections to my network, via iPad and such, while also taking advantage of the benefits offered by Private Internet Access.  I finally got my OpenVPN server up and running and remote connects now work flawlessly.  However, when I installed PIA as instructed in the PIA pfsense router setup, the status shows as "down."  The only step I skipped was deleting the various certificates required to make the OpenVPN server work.
                            I'd like the benefits of remote access to my network as well as the benefits provided by PIA.  Any suggestions or guides that I've missed?  My experience with pfSense consists of about a month, with MANY failures trying to get the OpenVPN server up and running.

                            EDIT: Ok, after more tweaking, factory resetting, and more tweaking…I have everything working except one thing.  I can connect to my network via the OpenVPN server, and I have the PIA VPN Client pushed to the network IP addresses I want going through the VPN.  I can remotely access both Plex and my Blue Iris surveillance server.  However, there is one thing I cannot figure out and I'm sure it has to do with Firewall Rules or NAT Outbound rules.  When remotely connecting to my OpenVPN server, I want those connections to be able to access the Internet as well.  Currently, any remotely connected client to my OpenVPN server can access network IPs only and any attempts to connect to the Internet are being blocked.  The OpenVPN Server is assigned its own openvpn interface and the PIA Client is assigned its own unique PIA Interface.  If I disable the PIA client, then my OpenVPN Server connections are able to access the Internet.  Once I restart the PIA client, the Internet access of the OpenVPN Server connected clients stops.  Anyone have a suggestion or guide on how to set up the needed rules?
                            EDIT 2:  Well, the recently changed NAT Outbound (posted below) allowed the clients remotely connected to my OpenVPN Server to access the Internet, but it broke their ability to access LAN clients.  How can I get both Internet and LAN access for clients remotely connected to the OpenVPN Server?

                            EDIT 3: Never mind, all is working correctly, but for some reason the remote desktop client on my iPad isn't connecting this morning whereas the RD app on my iPhone is.

                            Current NAT Outbound Rules:

                            Current Firewall Rules for WAN:

                            Current Firewall Rules for LAN:

                            Are these above your working settings? Can you please share your current working settings? I can't get them to work together no matter what I try. I've spent the better part of the past 3 days experimenting with all possible combinations. I did factory resets, installed the server first and then the client and vice versa. Played with all the possible rules I could think of. Duplicated the existing outbound NAT with values both for OpenVPN and PIAVPN.

                            I would be grateful if you could share the server's and client's config as well as the rules in WAN, LAN (or anywhere else) and also your NAT/outbound tab.

                            I have created separate interfaces for the PIA Client and the OpenVPN server, while the "don't pull routes" option suggested by @viragomann completely disables the PIA client, and then magically the OpenVPN server will accept the connection from my Android client.

                            I have already asked in several topics but failed to draw any attention so I'm hoping you could help me out.
                            Otherwise I'll have to open a new thread. I just did not want to, as there are many like us who had the same issue and the forum is full of similar threads…
