Netgate Discussion Forum

Openvpn server on Virtual IP address not working

OpenVPN
    CheeMG @nodau
    last edited by Dec 31, 2018, 7:55 PM

    @bahsig
    Thank you Norman. Tried to use an IP Alias on Localhost and created a NAT rule for UDP for destination 74.120.2.5 redirecting to 127.0.0.1 on the OpenVPN port, but it is still not working. Also created a NAT rule for ICMP.
    But now it is even worse: 74.120.2.5 (example) is not reachable from the Internet at all. Cannot ping 74.120.2.5. The OpenVPN client cannot connect to 74.120.2.5 at all. Previously, when using the Virtual IP alias on WAN, at least the OpenVPN client was able to connect to the server and we could ping 74.120.2.5. Do you know what we are missing here? Thank you once again.

      nodau
      last edited by Dec 31, 2018, 8:56 PM

      Maybe you have a misconfigured IP alias. Look there or post your configuration.

      Norman

      virtualized pfSense 2.7.2 HA-Cluster on vsphere 8

        CheeMG
        last edited by Dec 31, 2018, 10:52 PM

        Thank you Norman.
        As per your suggestion, we created the Virtual IP with Type IP Alias and Interface Localhost (instead of WAN).

        Firewall -> Virtual IPs
        Type: IP Alias
        Interface: Localhost
        Address: 74.120.2.5 /28

        Firewall -> NAT -> Port Forwarding
        Interface: WAN
        Protocol: ICMP
        Destination: 74.120.2.5 (Virtual IP created above, bound to Localhost)
        Redirect target IP: 127.0.0.1

        Firewall -> NAT -> Port Forwarding
        Interface: WAN
        Protocol: UDP
        Destination: 74.120.2.5 (Virtual IP created above, bound to Localhost)
        Destination port range from OpenVPN to OpenVPN
        Redirect target IP: 127.0.0.1
        Redirect target port: OpenVPN

        In System -> Advanced -> Firewall & NAT,
        we selected Pure NAT for NAT Reflection mode for port forwards
        we checked "Enable automatic outbound NAT for Reflection"

          nodau
          last edited by Jan 1, 2019, 1:29 AM

          Hi,

          you misunderstood my last post. The Virtual IP needs to be configured as an IP alias on the WAN interface, assuming this public IP is reachable through your public WAN IP. Your NAT rules look good. NAT reflection only needs to be selected if you want to connect from your LAN or another internal network like WLAN or DMZ.
          I like to use split DNS rather than NAT, so clients don't need to go out to the internet and come back to reach an internal service.

          Openvpn server interface needs to be set to localhost. The IP alias is pointing to the wan interface.

          Hope it's more understandable now.

          Norman

            CheeMG
            last edited by CheeMG Jan 1, 2019, 8:34 PM (posted Jan 1, 2019, 4:39 AM)

            Could this be the problem?
            This is from Diagnostics -> State

            WAN udp 98.223.42.169:65316 -> 74.120.2.5:1194 NO_TRAFFIC:SINGLE 3 / 0 210 B / 0 B

            WAN udp 74.120.2.3:1194 -> 98.223.42.169:65316 SINGLE:NO_TRAFFIC 3 / 0 246 B / 0 B

            74.120.2.3 is the WAN Interface IP of the firewall.
            74.120.2.5 is a WAN IP Alias - a Virtual IP used by the Openvpn server.
            98.223.42.169 is the Openvpn Client.
            The Client is connected to 74.120.2.5 (the Virtual IP used by the Openvpn server).
            But the Openvpn server is responding to the client as 74.120.2.3 (the Firewall WAN IP).

            When using Localhost for Openvpn server and then creating a NAT to redirect the Virtual IP to 127.0.0.1, got something similar:

            WAN udp 98.223.42.169:58014 -> 127.0.0.1:1194 (74.120.2.5:1194) NO_TRAFFIC:SINGLE 4 / 0 280 B / 0 B

            WAN udp 74.120.2.3:1194 -> 98.223.42.169:58014 SINGLE:NO_TRAFFIC 4 / 0 328 B / 0 B

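The two state pairs in the post above already contain the diagnosis: each inbound state carries client packets but no replies (3 / 0, 4 / 0), and a second, separate outbound state shows the reply leaving from 74.120.2.3 rather than from the 74.120.2.5 the client addressed. pf cannot match such a reply to the inbound state, and an OpenVPN client started with --remote 74.120.2.5 discards datagrams that arrive from any other source unless --float is set, so the TLS handshake never completes. The script below is an added example, not something posted in this thread or shipped with pfSense: it parses IPv4 rows in the Diagnostics -> States format shown above (with the pre-NAT destination in parentheses when a port forward is involved) and reports every VPN session whose reply source differs from the address the client connected to. The sample rows are the four CheeMG posted plus nodau's healthy MULTIPLE:MULTIPLE row; port 1194 is assumed as the OpenVPN port, as in those rows.

```python
import re
from collections import namedtuple

# Added example: scan pfSense "Diagnostics -> States" rows for OpenVPN sessions whose
# replies leave from a different address than the one the client connected to.

VPN_PORT = 1194  # assumed OpenVPN port, as in the rows posted in the thread

# Row layout: iface proto src -> dst [(original dst before NAT)] state pkts / pkts ...
# Addresses are IPv4 "host:port"; masked hosts such as 91.x.x.x are accepted.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>[\w.:]+)\s+->\s+(?P<dst>[\w.:]+)"
    r"(?:\s+\((?P<orig>[\w.:]+)\))?\s+"
    r"(?P<state>\S+)\s+(?P<fwd>\d+)\s*/\s*(?P<rev>\d+)\b"
)

State = namedtuple("State", "iface proto src dst orig state pkts_fwd pkts_rev")

# Rows copied from this thread (CheeMG's four failing states, nodau's healthy one).
SAMPLE_STATES = """\
WAN udp 98.223.42.169:65316 -> 74.120.2.5:1194 NO_TRAFFIC:SINGLE 3 / 0 210 B / 0 B
WAN udp 74.120.2.3:1194 -> 98.223.42.169:65316 SINGLE:NO_TRAFFIC 3 / 0 246 B / 0 B
WAN udp 98.223.42.169:58014 -> 127.0.0.1:1194 (74.120.2.5:1194) NO_TRAFFIC:SINGLE 4 / 0 280 B / 0 B
WAN udp 74.120.2.3:1194 -> 98.223.42.169:58014 SINGLE:NO_TRAFFIC 4 / 0 328 B / 0 B
WAN1 udp 91.x.x.x:59797 -> 127.0.0.1:1194 (195.x.x.x:1194) MULTIPLE:MULTIPLE 128 / 140 15 KiB / 79
"""


def parse_states(text):
    """Parse state rows; lines that are not state rows (headers, blanks) are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            states.append(State(m["iface"], m["proto"], m["src"], m["dst"], m["orig"],
                                m["state"], int(m["fwd"]), int(m["rev"])))
    return states


def split_endpoint(endpoint):
    host, port = endpoint.rsplit(":", 1)
    return host, int(port)


def find_asymmetric_replies(states, port=VPN_PORT):
    """Pair each inbound state to the VPN port with an outbound state from the VPN port
    back to the same client, and report when the reply's source address is not the
    address the client connected to (the pre-NAT destination when the row was NATed).
    A healthy session shows replies on the inbound state itself and needs no pairing."""
    inbound = {}
    for s in states:
        dhost, dport = split_endpoint(s.dst)
        if dport == port:
            targeted = split_endpoint(s.orig)[0] if s.orig else dhost
            inbound[s.src] = (targeted, s)
    findings = []
    for s in states:
        shost, sport = split_endpoint(s.src)
        if sport != port or s.dst not in inbound:
            continue
        targeted, inb = inbound[s.dst]
        if shost != targeted:
            findings.append({
                "client": s.dst,
                "connected_to": targeted,
                "replied_from": shost,
                "client_packets": inb.pkts_fwd,
                # 0 here means pf never matched a single reply to the client's state
                "replies_on_inbound_state": inb.pkts_rev,
            })
    return findings


if __name__ == "__main__":
    for f in find_asymmetric_replies(parse_states(SAMPLE_STATES)):
        print("client %(client)s connected to %(connected_to)s but the server replied "
              "from %(replied_from)s (%(client_packets)d client packets, "
              "%(replies_on_inbound_state)d matched replies)" % f)
```

Paste the rows from Diagnostics -> States into SAMPLE_STATES, or feed the whole page through parse_states; an empty result means every VPN reply left from the address the client used.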
              nodau
              last edited by Jan 1, 2019, 10:57 AM

              mine shows this:

              WAN1 udp 91.x.x.x:59797 -> 127.0.0.1:1194 (195.x.x.x:1194) MULTIPLE:MULTIPLE 128 / 140 15 KiB / 79

              What does the client log say?

              Norman

                CheeMG
                last edited by Jan 1, 2019, 8:42 PM

                Thank you Norman.
                So you don't have another state from your WAN (or WAN IP Alias) to your client IP?
                If so, something is wrong with my setup.
                Here's my client log (IP changed):
                Tue Jan 01 12:12:39 2019 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
                Tue Jan 01 12:12:39 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
                Tue Jan 01 12:12:39 2019 Windows version 6.2 (Windows 8 or greater) 64bit
                Tue Jan 01 12:12:39 2019 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
                Enter Management Password:
                Tue Jan 01 12:12:45 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]74.120.2.5:1194
                Tue Jan 01 12:12:45 2019 UDP link local (bound): [AF_INET][undef]:0
                Tue Jan 01 12:12:45 2019 UDP link remote: [AF_INET]74.120.2.5:1194
                Tue Jan 01 12:13:45 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
                Tue Jan 01 12:13:45 2019 TLS Error: TLS handshake failed
                Tue Jan 01 12:13:45 2019 SIGUSR1[soft,tls-error] received, process restarting
                Tue Jan 01 12:13:50 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]74.120.2.5:1194
                Tue Jan 01 12:13:50 2019 UDP link local (bound): [AF_INET][undef]:0
                Tue Jan 01 12:13:50 2019 UDP link remote: [AF_INET]74.120.2.5:1194
                Tue Jan 01 12:14:51 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
                Tue Jan 01 12:14:51 2019 TLS Error: TLS handshake failed
                Tue Jan 01 12:14:51 2019 SIGUSR1[soft,tls-error] received, process restarting
                Tue Jan 01 12:14:56 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]74.120.2.5:1194
                Tue Jan 01 12:14:56 2019 UDP link local (bound): [AF_INET][undef]:0
                Tue Jan 01 12:14:56 2019 UDP link remote: [AF_INET]74.120.2.5:1194
                Tue Jan 01 12:15:57 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
                Tue Jan 01 12:15:57 2019 TLS Error: TLS handshake failed
                Tue Jan 01 12:15:57 2019 SIGUSR1[soft,tls-error] received, process restarting

                  nodau
                  last edited by Jan 2, 2019, 11:52 AM

                  Does it work if you use localhost for the OpenVPN interface and point the rules to your WAN IP (not the alias)?

                  If it is working I would delete the IP alias and recreate it. And don't test from your internal network, to exclude NAT reflection issues.

                  Norman

                    CheeMG @nodau
                    last edited by CheeMG Jan 3, 2019, 3:24 AM (posted Jan 3, 2019, 3:15 AM)

                    @bahsig
                    Hi Norman
                    I finally got it working without using localhost for the OpenVPN server.

                    The problem is I had selected "UDP IPv4 and IPv6 on all interfaces (multihome)" in the OpenVPN server protocol setting.
                    This caused the OpenVPN server to actually listen on all interfaces (instead of on the WAN IP Alias).
                    I did a netstat -an in Diagnostics -> Command Prompt and it showed:
                    udp46 0 0 *.1194 *.*

                    Then I ssh-ed to the pfSense server as admin and tried to add
                    local 74.120.2.5 to the /var/etc/openvpn/server1.conf file (to force it to listen on 74.120.2.5, which is my WAN IP Alias).
                    But this doesn't work because the /var/etc/openvpn/server1.conf file is refreshed every time you restart the OpenVPN server or the firewall. pfSense probably gets the settings from a settings file somewhere and then recreates the /var/etc/openvpn/server1.conf file.

                    So later I realized it could be because the Virtual IP (the WAN IP Alias) only has an IPv4 address and no IPv6 address (is it not possible to assign both IPv4 and IPv6 addresses to an IP Alias virtual IP?). So I changed the protocol setting in the OpenVPN server to "UDP on IPv4 only" and restarted the OpenVPN server in Status -> OpenVPN, and voilà, everything started working.

                    So the problem is that since we cannot bind both IPv4 and IPv6 addresses to an IP Alias Virtual IP, we cannot select the "UDP IPv4 and IPv6 on all interfaces (multihome)" protocol in the OpenVPN server configuration if we want to use a Virtual IP for the Interface.

                    I think this should be considered a design flaw. I decided to use both IPv4 and IPv6 for the OpenVPN server protocol because the pfSense book says "OpenVPN can connect a site-to-site tunnel to either an IPv4 address or an IPv6 address and both IPv4 and IPv6 traffic may be passed inside of an OpenVPN tunnel at the same time. IPv6 is supported both in site-to-site and mobile clients, and it can be used to deliver IPv6 to a site that only has IPv4 connectivity."
                    But apparently, this does not work if you use a Virtual IP as the server interface. Maybe if they allowed both IPv4 and IPv6 addresses to be bound to an IP Alias Virtual IP, it would work? For now, I am dropping IPv6.

                    Thank you again Norman

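The *.1194 netstat line in the post above is the mechanism behind the state table posted earlier in the thread. A UDP daemon bound to the wildcard address keeps no record of which local address a request arrived on, so when it answers with a plain sendto() the kernel picks the reply's source address by route lookup, and the reply leaves from the interface's primary address (74.120.2.3 here) rather than from the alias the client used. Binding the listener to the alias itself (OpenVPN's local directive, the line CheeMG tried to add by hand) fixes that by construction; OpenVPN's --multihome option is meant to fix it another way, by recording the destination of each incoming packet (IP_PKTINFO on Linux) and sending the reply from it. In this thread the multihome setting did not produce that result on pfSense, and the example does not claim to explain why. The script below is an added example, not code from this thread or from pfSense or OpenVPN: it reproduces all three behaviours over loopback, with 127.0.0.2 standing in for the WAN alias and 127.0.0.1 for the remote client. It assumes Linux (the in_pktinfo layout and the value 8 for IP_PKTINFO are Linux-specific, and Linux accepts binds to any 127/8 address).

```python
import socket
import struct

# Added example, Linux only. 127.0.0.2 stands in for the WAN IP alias (74.120.2.5 in
# the thread) and 127.0.0.1 for the remote OpenVPN client; both are assumptions.
VIP = "127.0.0.2"
CLIENT_IP = "127.0.0.1"
# Older Pythons do not export socket.IP_PKTINFO; 8 is the Linux value.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)


def _serve_one(srv, use_pktinfo):
    """Answer one datagram the way a UDP daemon such as OpenVPN does."""
    if not use_pktinfo:
        data, peer = srv.recvfrom(2048)
        # Unconnected socket: the kernel chooses the reply's source by route lookup.
        # If the socket is bound to a specific address, that address is used; if it
        # is bound to 0.0.0.0, the interface's preferred address is used instead.
        srv.sendto(b"reply:" + data, peer)
        return
    data, ancdata, _flags, peer = srv.recvmsg(2048, socket.CMSG_SPACE(12))
    dst = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            # struct in_pktinfo: ifindex, ipi_spec_dst, ipi_addr (the header destination)
            _ifindex, _spec_dst, dst = struct.unpack("I4s4s", cdata[:12])
    if dst is None:
        raise RuntimeError("kernel did not deliver IP_PKTINFO")
    # Send with ipi_spec_dst set to the address the client used: the reply leaves
    # from that address even though the socket is bound to the wildcard.
    cmsg = struct.pack("I4s4s", 0, dst, b"\x00" * 4)
    srv.sendmsg([b"reply:" + data], [(socket.IPPROTO_IP, IP_PKTINFO, cmsg)], 0, peer)


def reply_source(mode):
    """Send one datagram to the VIP and return the source address of the reply.

    "wildcard": server bound to 0.0.0.0 (netstat shows *.port, as in the thread)
    "local":    server bound to the VIP itself (what OpenVPN's 'local <vip>' does)
    "pktinfo":  wildcard bind, but reply from the address the client sent to
                (the mechanism OpenVPN's --multihome relies on)
    """
    use_pktinfo = mode == "pktinfo"
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if use_pktinfo:
            srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
        srv.bind((VIP if mode == "local" else "0.0.0.0", 0))  # port 0: kernel-chosen
        srv.settimeout(2)
        port = srv.getsockname()[1]
        cli.bind((CLIENT_IP, 0))
        cli.settimeout(2)
        cli.sendto(b"hello", (VIP, port))
        _serve_one(srv, use_pktinfo)
        _data, (src, _sport) = cli.recvfrom(2048)
        return src
    finally:
        cli.close()
        srv.close()


if __name__ == "__main__":
    for mode in ("wildcard", "local", "pktinfo"):
        print(f"{mode:9s} client sent to {VIP}, reply came from {reply_source(mode)}")
```

Run it as root or not, it only touches loopback. The "wildcard" case is the thread's failure: the reply arrives from 127.0.0.1 while the client addressed 127.0.0.2, exactly the 74.120.2.3 versus 74.120.2.5 mismatch in the posted states, and an OpenVPN client without --float drops such a reply. The other two cases both answer from the alias.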
                      CheeMG
                      last edited by Jan 8, 2019, 3:36 AM

                      I think this is more of an OpenVPN problem rather than a pfSense problem.
                      Apparently, it isn't possible for the OpenVPN server to listen on both an IPv4 and an IPv6 address. It can listen on ALL (meaning all IPv4 and IPv6 interfaces on the server) OR a single IP address (IPv4 or IPv6).

                      https://sourceforge.net/p/openvpn/mailman/message/34193818/
                      "AFAIK this is currently not possible - openvpn can either bind to ALL addresses (IPv4 and IPv6) or it can bind to a single address - either IPv4 or IPv6."

                      https://community.openvpn.net/openvpn/ticket/937?cversion=0&cnum_hist=5

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.