Capturing packets but not making connection
-
Hello,
I have a bit of an odd network with a 2nd router behind my first one that I have set up with 1:1 Nat and I have allowed up&p on almost every port that I am not using. There network is mostly completely separate from mine. I know this is odd but trust me if I still want to have my router this is the best compromise I could come up with.
Anyways the point is I've been trying to setup an open VPN server on my pfsense box for a while now, but every time I configure it, using more security, using less security, using some ports, using others setting up really open firewall rules, dosen't matter, it refuses to connect. When doing a packet capture I can see that I am receiving packets from my phone but it's not connecting. Do I need to forward my ports? Is it something with up&p? Is it something with my 1:1 Nat?
Thank you for any and all help
-
We have no idea about your config so it's almost impossible to say what you're done wrong without more information. You mention two routers, and then you mention pfSense, but we have no idea what is where. I assume pfSense is the second router??? And in general, yes, if you have a double-NAT configuration then you are going to have to add port-forwards in the first router to get it to redirect the traffic to the second router. pfSense OpenVPN uses udp/1194 by default, so you will need to make sure that is forwarded from the first router to the second.
-
So wan goes to the pfsense box, the other router is a device on its own interface. My roommates use this other router for all of there stuff I use the pfsense box for all of my stuff. So theoretically it should operate normally. I was just wondering if something about my configuration would require that I complete a few extra configuration steps that weren't in the 1000's of guides I've read and watched.
Sorry about not giving enough detail. If you want I can draw a diagram or try to find some logs.
Thank you
-
Did you configure it by hand using some random guide, or did you use the remote access server wizard? The wizard makes it pretty simple and it adds the necessary WAN & OpenVPN rules.
-
I've used the wizard most of the times. I tried doing it by hand a couple times but that also didn't work so I started using the wizard again
-
Blow away what you have, try again with the wizard. Make sure for Compression you choose Adaptive LZO Compression [Legacy style, comp-lzo adaptive]. If it still isn't working for you, post screenshots of your OpenVPN Server config.
-
No luck. Here is the configuration.
-
You can post images here directly btw. Upload Image button on the far-right of the Edit bar.
You haven't specified a local network (the field seems to be missing entirely for some reason in your screenshot), and you have nothing for NCP Algorithms.
You need to specify the local network that VPN users will have access to.
Another thing: IIRC, the Windows-based OpenVPN client must be run in Administrator mode or it will not properly update the routing table, although it appears to work and connects, but no traffic flows.
-
Yea sorry about that. I tried to post it directly here but it said it was too big.
For some reason when I check "Redirect IPv4 Gateway" under Tunnel Settings, the "IPv4 local network(s)" field goes away. I unchecked that and set the local network to be my lan and still nothing
-
OK thanks, I had no idea that the local network setting disappears when you force all through the gateway. I would try following the wizard exactly and then changing settings only after you know it's working.
Have you verified that WAN has an allow rule for udp/1194, and that the OpenVPN interface has an allow all rule? Your tunnel network of 192.168.70.0/24 definitely does not overlap with LAN? What about the NCP settings I mentioned? And how are you testing this exactly? Via your phone with an OpenVPN client?
-
Wan and the OpenVPN interface both have the rules described. The tunnel network doesn't overlap with any of my other interfaces. I added all of the NCP Algorithm options. And yes testing via my phone.
-
Anything in the OpenVPN or System log? You may have to increase the verbosity level of the OpenVPN Server log.
Just to confirm, you're saying that you have two routers: your main router is pfSense, and you have some other router behind it. pfSense is your WAN connection, correct?
https://docs.netgate.com/pfsense/en/latest/book/openvpn/troubleshooting-openvpn.html
-
Nothing in there. Increased the verbosity level. Will try to grab some logs.
Yep the wan goes into pfsense and the other routers wan is pfsense.
No luck with all of the stuff in the troubleshooting guide.
-
Any possibility it's an issue with the client? I've done this many times and it usually just works.
-
I doubt it. I am using the client export tool and moving it straight to my phone and into openvpn connect.
That's what so frustrating about this, I have this super odd scenario that no one has ever been in because it always seems to just work for them so there is like no one who understands whats going on.
-
But it's not that odd. Forget the other router since it's not involved here. Is thee literally anything in the log that even shows the connection attempt? If not, try doing a packet capture on WAN for that traffic and see if your client even hits it.
-
Not seeing anything in the log. Did a packet capture and I am seeing my phones wan ip on port 1194
-
Hmm. All I can think of at this point is to try it with a different client just to rule that out.