Netgate Discussion Forum

    The best tutorial to start with OpenVPN

    16 Posts 5 Posters 1.9k Views
    • Derelict LAYER 8 Netgate

      For what you are trying to do, you should not need to set outbound NAT unless you are running manual outbound NAT.

      Check your Firewall > NAT, Outbound settings. Is the OpenVPN server's tunnel network included in the source networks? If not, post a screen shot of that page.

      For what you are trying to do, you should not need to assign an interface to OpenVPN.

      Did you check the Redirect Gateway checkbox in the server? If so (that would be the correct setting in your case), check that the client doesn't have the equivalent of don't pull routes set. If it still doesn't work, connect to the OpenVPN server and look at the routing table on the client. There should be two routes, 0.0.0.0/1 and 128.0.0.0/1 that point at the OpenVPN server's tunnel address. If there are not, then you need to investigate why those routes aren't being installed when you connect.

      Are you passing all traffic to destination any on Firewall > Rules, OpenVPN?

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • JackR
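      The client-side route check described above, written up as an added example (not code from the thread): it parses a constructed Windows route print table and confirms that the two half-default routes, 0.0.0.0/1 and 128.0.0.0/1, both point at a gateway inside the tunnel network. The sample table, its addresses and the 192.168.50.1 tunnel gateway are constructed for illustration.

```python
import ipaddress
import re

# Constructed Windows "route print" IPv4 table for a client connected to the
# OpenVPN server with Redirect Gateway enabled (sample data, not the poster's file).
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.30.1   192.168.30.15     25
          0.0.0.0        128.0.0.0      192.168.50.1    192.168.50.2    281
        128.0.0.0        128.0.0.0      192.168.50.1    192.168.50.2    281
     192.168.20.0    255.255.255.0      192.168.50.1    192.168.50.2    281
     192.168.30.0    255.255.255.0         On-link    192.168.30.15    281
===========================================================================
"""

ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_route_print(text):
    """Return (network, gateway) pairs from route print output; skips headers."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        dest, mask, gw, _iface, _metric = m.groups()
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue
        routes.append((net, gw))
    return routes

def redirect_gateway_ok(text, tunnel_net):
    """Confirm both half-default routes (0.0.0.0/1 and 128.0.0.0/1) exist and
    point at a gateway inside the tunnel network; returns (ok, missing_routes)."""
    tunnel = ipaddress.ip_network(tunnel_net)
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    found = set()
    for net, gw in parse_route_print(text):
        if net in halves:
            try:
                if ipaddress.ip_address(gw) in tunnel:
                    found.add(net)
            except ValueError:
                pass  # gateway shown as "On-link", not an address
    missing = sorted(str(n) for n in halves - found)
    return (not missing, missing)
```

If either route is reported missing, the client is not pulling the redirect-gateway routes and that is where to look before touching NAT or rules.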

        Hi Derelict,

        Thank you for your help.  I just checked and I am running the manual outbound NAT.  I tried changing it to automatic, but it broke my VPN connection to my provider. :(  Maybe something that is strange with my setup is that I have 2 connections to my VPN provider (2 different locations) and I use my IP addressing to decide which VPN tunnel to use.  Maybe that is why I switched to manual.

        Attaching my firewall NAT rules so that you can have a look.  I did manually add one for my OpenVPN.

        Just so you know my topology:
        192.168.20.0/24 is my local LAN
        192.168.20.64/27 (IP ranges 192.168.20.65-192.168.20.94) go to one of my VPN provider's tunnels.
        192.168.20.100/27 (IP ranges 192.168.20.97-192.168.20.126) go to the other VPN tunnel.

        My DHCP scope for handing out IPs is 192.168.20.10-192.168.20.60.

        My VPN tunnel network is 192.168.50.0/24.

        I also noticed that I was using DNS forwarder instead of DNS resolver.  I just switched to DNS resolver.

        I do have the Redirect Gateway checkbox checked in the server.  And the OpenVPN firewall is passing all traffic.  I used the wizard to set it up.

        Appreciate any help you can provide.

        NAT.png

        • Derelict LAYER 8 Netgate

          That should work. What about the routes on the client? What about the rules on your OpenVPN tab?

          • JackR

            The OpenVPN tab in Firewall is allow everything (default rule put in by the wizard).

            I have attached the Route Print from my Win8 machine (I was local on a 192.168.30.x subnet).

            When I was connected to the VPN, I was able to ping everything in my 192.168.20.x subnet.  I was able to do nslookups using 192.168.20.1 successfully.

            However, when I did a tracert google.com, I would only get to my first hop of 192.168.50.1 and everything was unreachable after that. :(

            Not sure how to proceed to keep troubleshooting.

            routeprint.txt

            • Derelict LAYER 8 Netgate

              That looks fine too.

              Post screen shots of your OpenVPN rules; if you have an assigned OpenVPN interface on that OpenVPN server, post those rules as well.

              It should be working. Hard to know what is where that is keeping it from working.

              Maybe the output from:

              netstat -rnfinet

              from pfSense in Diagnostics > Command Prompt

              • JackR

                I really appreciate your help Derelict.

                Here are the OpenVPN rules, my interfaces, and my netstat.

                openvpnrules.png
                interfaces.png
                netstat.png

                • Derelict LAYER 8 Netgate

                  Your default gateway is that openvpn client. You need to put outbound NAT for 192.168.50.0/24 on that interface since that's where it is being routed.

                  You can policy route that traffic out WAN by adding a pass rule on the OpenVPN tab for all traffic sourced from network 192.168.50.0/24, click advanced, and set the WAN gateway. That rule would have to be above the pass any any rule.

                  Outbound NAT rules do not route traffic. They have nothing to do with routing decisions. They simply tell pf what NAT to perform, if any, when traffic is routed out an interface by policy routing or the routing table.

                  • JackR

                    Not sure I understand what to do Derelict.

                    Are you saying that I need to add a firewall rule in my OpenVPN tab that says

                    Pass  Source 192.168.50.0  Dest Any  Default Gateway WAN

                    And I have to put that at the top?  What happens if I am trying to get to my internal hosts?

                    • JackR

                      Is this what you mean?

                      newrule.png

                      • Derelict LAYER 8 Netgate

                        That rule is protocol TCP only. Make it any.

                        • JackR

                          You are the best Derelict!

                          Thank you so much.  It seems to be working, but I'll do some full testing tomorrow.

                          I added a rule so that traffic going to my LAN net doesn't use the WAN interface.  I put that at the top.  Then, I followed it with the rule for traffic going any to route out the WAN interface.  Now, I can ping my internal LAN devices as well as pinging external sites.

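                          To make the two points from the exchange concrete (the rule for LAN net must sit above the route-to-WAN rule, and outbound NAT is applied only after the egress interface is decided), here is an added model of pf's first-match evaluation; it is not pfSense code. The interface names em0 (WAN), em1 (LAN) and ovpnc1 (VPN-provider client), the routing table and the NAT table are assumptions constructed to mirror the thread.

```python
import ipaddress

N = ipaddress.ip_network
TUNNEL_NET, LAN_NET, ANY = N("192.168.50.0/24"), N("192.168.20.0/24"), N("0.0.0.0/0")

# Constructed routing table (interface names are assumptions): the box's default
# route points at the VPN-provider client interface, the LAN is directly attached.
ROUTING_TABLE = [(LAN_NET, "em1"), (ANY, "ovpnc1")]

# Constructed manual outbound NAT: source nets translated per egress interface.
# The tunnel net is NATed on WAN (the poster's added rule) but not on ovpnc1.
OUTBOUND_NAT = {"em0": [LAN_NET, TUNNEL_NET], "ovpnc1": [LAN_NET]}

# OpenVPN tab rules, top to bottom: (source, destination, route-to interface).
# route_to=None means "let the routing table decide".
WIZARD_ONLY = [(ANY, ANY, None)]
FINAL_RULES = [(TUNNEL_NET, LAN_NET, None), (TUNNEL_NET, ANY, "em0"), (ANY, ANY, None)]
WRONG_ORDER = [FINAL_RULES[1], FINAL_RULES[0], FINAL_RULES[2]]

def route_lookup(dst):
    """Longest-prefix match over the constructed routing table."""
    candidates = [(net, iface) for net, iface in ROUTING_TABLE if dst in net]
    return max(candidates, key=lambda c: c[0].prefixlen)[1]

def egress(rules, src, dst):
    """First-match evaluation as pf does it; returns (interface, nat_applied),
    or None when no rule matches (implicit default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, route_to in rules:
        if s in rule_src and d in rule_dst:
            iface = route_to or route_lookup(d)
            # NAT is decided only after the egress interface is known.
            nat = any(s in net for net in OUTBOUND_NAT.get(iface, []))
            return iface, nat
    return None
```

With only the wizard rule, internet-bound tunnel traffic follows the default route into ovpnc1 without NAT, which matches the symptom of the trace dying after the first hop; with the LAN rule on top and the route-to-WAN rule below it, LAN traffic stays local and everything else leaves via WAN with NAT.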
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.