    OpenVPN, AirVPN and port forwarding no longer works (2.4.4relp2)

    Category: OpenVPN | 26 Posts, 3 Posters, 3.4k Views
    Derelict (LAYER 8, Netgate):

      It looks to me like AIRVPN's tester is attempting connections to both the tunnel address AND the address you are connecting from. They might use this to catch cases where people have passed/forwarded traffic on WAN but not OpenVPN. Just a guess since I am not AIRVPN.

      There is really no other explanation for SYN traffic arriving on both interfaces. As I said, pcaps don't just conjure up phantom traffic and present it.

      Your replies are likely being sent out WAN because your OpenVPN rules don't take into account what needs to happen when you receive connections from arbitrary addresses. You probably want to delete/disable all of the rules on the OpenVPN tab and pass the traffic on the AIRVPN tab instead. This will get reply-to on the states and force reply traffic from the bittorrent client back out the VPN where the connection came from instead of obeying the routing table and sending it out WAN.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      Steven SL @Derelict:

        @derelict said in OpenVPN, AirVPN and port forwarding no longer works (2.4.4relp2):

        Post your OpenVPN firewall rules and your AIRVPN firewall rules.

        Outbound from LANGroup to OpenVPN interface (screenshot)

        Inbound firewall rule on AirVPN (screenshot)

        Port forward NAT rule (screenshot)

        Outbound NAT rule (screenshot)

        OpenVPN client status (screenshot)

        Derelict (LAYER 8, Netgate):

          Great. And the rules on the OpenVPN tab?


          Steven SL @Derelict:

            @derelict said in OpenVPN, AirVPN and port forwarding no longer works (2.4.4relp2):

            Great. And the rules on the OpenVPN tab?

            OpenVPN tab (although I believe this was created for my road warrior setup - OpenVPN server) (screenshot)

            OpenVPN Server (if that matters) (screenshot)

            Derelict (LAYER 8, Netgate):

              Yeah. The port forward traffic cannot match that, which it does.

              That means you do not get reply-to on the states.

              I would assign an interface to the road warrior instance, put the pass any rule there, and put no rules on the OpenVPN tab and it will work.


              Steven SL @Derelict:

                @derelict said in OpenVPN, AirVPN and port forwarding no longer works (2.4.4relp2):

                Yeah. The port forward traffic cannot match that, which it does.

                That means you do not get reply-to on the states.

                I would assign an interface to the road warrior instance, put the pass any rule there, and put no rules on the OpenVPN tab and it will work.

                Thank you so much, I am in awe that you figured this out with the little bit I gave you. It is working now! I am so impressed!

                I don't fully understand why, but I did as you said - I created a new interface for what my setup has as "ovpns2", removed the allow all rule under OpenVPN and tested again. Success. Why would the default OpenVPN interface interfere?

                New Interface (screenshot)

                Road warrior rules (screenshot)

                OpenVPN tab, removed the only rule (screenshot)

                Derelict (LAYER 8, Netgate):

                  Because the OpenVPN tab really represents an interface group of all OpenVPN instances both server and client.

                  When a connection arrives into that it is impossible for pf to know which one it will arrive on so it cannot apply reply-to to the rules there. When you are accepting connections in from locations that your local OpenVPN knows about (has specific routes to), like in a remote access or typical site-to-site configuration, this does not matter because the routing table (and openvpn) will route the reply traffic where it needs to go.

                  When you are accepting connections from arbitrary source addresses, you need reply-to on the rules or the routing table will direct the reply traffic which, to an arbitrary destination on the internet, will probably mean it tries to send it out to its default gateway.

                  And, like most everywhere else in pfSense, first match wins and stops rule processing and interface group rules are processed before interface rules so traffic that needs reply-to cannot match rules there.


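                  The two rule placements Derelict contrasts (a pass rule on the OpenVPN group tab versus the same pass rule on an assigned interface), written out in pf syntax in the style of the ruleset pfSense compiles to /tmp/rules.debug. This is an added illustration, not text from the thread and not a file generated by pfSense; the interface names ovpnc1/ovpns2, the tunnel addresses 10.4.0.6/10.4.0.5 and 10.0.8.2, the forwarded port 12345 and the BitTorrent host 192.168.1.50 are assumed for illustration.

```pf
# Added example (not a pfSense-generated file): the thread's two rule
# placements as pf would see them. Every name and address is assumed.
#
# Assumed layout:
#   ovpnc1  = AirVPN client tunnel, assigned as interface AIRVPN,
#             local tunnel address 10.4.0.6, tunnel gateway 10.4.0.5
#   ovpns2  = road-warrior OpenVPN server, assigned as its own interface
#   openvpn = the implicit interface group holding ovpnc1 and ovpns2
#             (this is what the "OpenVPN" firewall tab writes rules for)
#   192.168.1.50:12345 = BitTorrent client the AirVPN port is forwarded to

# Port forward on AIRVPN. pf applies rdr before filtering, so the pass rules
# below match the translated destination 192.168.1.50, not 10.4.0.6.
rdr on ovpnc1 inet proto tcp from any to 10.4.0.6 port 12345 -> 192.168.1.50 port 12345

# Placement that breaks the forward: a pass-any on the group tab. pf cannot
# know which member interface a connection will arrive on, so pfSense writes
# the rule without reply-to. Group rules are evaluated before interface rules
# and "quick" stops processing, so the forwarded SYN matches here and the
# state is created without reply-to. Replies from 192.168.1.50 then follow
# the routing table, i.e. go out the default gateway on WAN.
pass in quick on openvpn inet from any to any keep state label "USER_RULE: allow all OpenVPN"

# Placement that works: the same pass on the assigned AIRVPN interface.
# pfSense attaches reply-to, so reply packets for this state are forced
# back out ovpnc1 via 10.4.0.5 regardless of the default route.
# (With the group rule above still present, this rule is never reached.)
pass in quick on ovpnc1 reply-to ( ovpnc1 10.4.0.5 ) inet proto tcp from any to 192.168.1.50 port 12345 flags S/SA keep state label "USER_RULE: AirVPN forward"

# The road-warrior server's pass-any moves to its own assigned interface,
# where pfSense also applies reply-to (gateway address assumed).
pass in quick on ovpns2 reply-to ( ovpns2 10.0.8.2 ) inet from any to any keep state label "USER_RULE: road warrior"
```

                  To check a live box, compare the compiled ruleset (`cat /tmp/rules.debug`) or `pfctl -sr` with the rules above: a rule on the OpenVPN group shows up as `on openvpn` with no `reply-to`, while the assigned-interface rule carries the `reply-to ( ovpnc1 ... )` clause. `pfctl -ss` lists the states themselves. Because reply-to is bound to the state at creation, states opened under the old group rule keep misrouting until they expire or are reset (Diagnostics > States > Reset States, or `pfctl -F states`), which matches the "hung state" symptom reported later in the thread.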
                  g4m3r7ag:

                    Just want to add I was having this exact same problem and this was also the solution for me. My remote VPN access however was not working after I moved it to its own interface and added the new FW rule for that interface. I had to reboot pfSense for it to work. I could connect but no traffic would flow back to the remote device. I believe a state just got hung up somewhere and the reboot cleared it.

                    Derelict (LAYER 8, Netgate):

                      The OpenVPN instance has to be restarted after an interface is assigned. This is in all of our documentation related to assigning OpenVPN interfaces. A system reboot was likely not necessary.


                      g4m3r7ag:

                        You're right, I recall that now. That's what I get for troubleshooting at 5 AM.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.