OpenVPN Config with no internet

flavio.moringa

Hi guys,

I've configured a PFSense server in AWS to just use as a remote access VPN. So I just want all the users of my VPN to just go out to the internet all using the same public IP... no need for a a LAN.

Should be simple.... And I think I managed to configure everything... but after a user is connected to the VPN he doesn't have internet access...
I've checked and we have the NAT rule for the OpenVPN to the WAN interface.... and PFsense itself can connect to the internet... It's not just a DNS issue because I cannot even ping a server on the internet using IP....

So what am I missing? Any tips?

Thanks a lot for all your help.

marvosa

Post your server1.conf (/var/etc/openvpn). Post your NAT rules. Post the firewall rules on your OpenVPN tab.

flavio.moringa

First, thanks for trying to help.

Here are the configs:

cat /var/etc/openvpn/server1.conf:

dev ovpns1
verb 7
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 10.0.1.247
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYWwgRGF0YWJhc2U= false server1 1194
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'MySERVER' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1"
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
ncp-ciphers AES-128-GCM
persist-remote-ip
float
topology subnet

I saw that when I export a configuration, the OVPN file does not have the :
dhcp-option DNS 8.8.8.8
dhcp-option DNS 1.1.1.1
redirect-gateway def1

Shouldn't it? But I've tried adding it and it also doesn't seem to work...

Open VPN Firewall Rules:

Firewall Nat Outbound Rules:

For the OpenVPN range, I put 10.0.8.0/24.

One thing that might be an issue (or not) is that, since I just want to use the VPN for remote access, not for LAN access, there is no LAN interface. The purpose is just for all users to connect here and go to the internet all with the same IP, so that we can then on some sites restrict it's access to just the VPN IP.

I really don't see anything wrong... We can create an user and connect to the VPN, but after connecting we just don't have internet. The VPN itself has internet through the WAN interface... we can do traceroutes, updates, etc...

Maybe something on AWS side (we disabled the source/destination check for the interface)...

Hope you can help.

Thanks again

marvosa

According to the config, PFsense is double NAT'd and the WAN interface is sitting in the 10.x.x.x space. I would double check the netmask on the WAN interface and verify that there's no overlap in your tunnel network. Also, it's possible you may need to uncheck the "Block private networks and loopback addresses" and/or the "Block bogon networks" options on the WAN interface.

Are you creating a client cert during user creation? I've seen issues when the client cert doesn't get created. Although, this may depend on what authentication method you're using.

Do you have a Certificate Revocation list defined and selected in your config? I've seen issues in the past when a CRL isn't defined also.

Regarding your DNS export, according to the config, it's there:

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1"

On your OpenVPN tab, even though an any/any rule "should" work, I've been making these rules explicit as of late just to ensure that traffic is being matched correctly and sent down the correct interface. I.e.. you may want to define your tunnel network as the source address. Also, the rule you have for ICMP is redundant and can be removed.

As far as not having a LAN interface, considering your use case I wouldn't think that matters. However, I've never deployed it that way, so I'm not sure.

Not seeing anything glaring otherwise. I would review the client's routing table after they connect and then go thru the firewall logs while your're doing live testing. A useful troubleshooting app I'd recommend using is PingPlotter (https://www.pingplotter.com).

flavio.moringa

Hi @marvosa ,

thanks for the tips...
I changed the OpenVPN network to 192.168.70.0/24.... In the WLAN configs the option "Block private networks and loopback addresses" was already unchecked, bu I also unchecked the "Block bogon networks" option...

The cert is getting created alright.... when I use the ovpn config file in the client the cert is there and the connection is made and established:

Enter Auth Password: *********
Thu Apr 30 17:53:46 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]3.8.245.156:1194
Thu Apr 30 17:53:46 2020 UDPv4 link local (bound): [AF_INET][undef]:1194
Thu Apr 30 17:53:46 2020 UDPv4 link remote: [AF_INET]3.8.245.156:1194
Thu Apr 30 17:53:46 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Apr 30 17:53:46 2020 [Aptoide] Peer Connection Initiated with [AF_INET]3.8.245.156:1194
Thu Apr 30 17:53:47 2020 TUN/TAP device tun0 opened
Thu Apr 30 17:53:47 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Apr 30 17:53:47 2020 /sbin/ip link set dev tun0 up mtu 1500
Thu Apr 30 17:53:47 2020 /sbin/ip addr add dev tun0 192.168.70.2/24 broadcast 192.168.70.255
Thu Apr 30 17:53:47 2020 Initialization Sequence Completed

It pings the main VPN interface ok:

ping 192.168.70.1
PING 192.168.70.1 (192.168.70.1) 56(84) bytes of data.
64 bytes from 192.168.70.1: icmp_seq=1 ttl=64 time=53.7 ms
64 bytes from 192.168.70.1: icmp_seq=2 ttl=64 time=50.4 ms
64 bytes from 192.168.70.1: icmp_seq=3 ttl=64 time=48.4 ms
64 bytes from 192.168.70.1: icmp_seq=4 ttl=64 time=50.6 ms
64 bytes from 192.168.70.1: icmp_seq=5 ttl=64 time=50.6 ms
^C
--- 192.168.70.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 48.492/50.808/53.776/1.716 ms

But it cannot reach any other place...

On the Firewall logs I see this:

So it seems ok...

But still no internet...

Could it be something missing on the AWS VPC config? To allow internet... but pfsense should just use the wlan interface and that't it... should be transparent to AWS....

Any more ideas?!

marvosa

There may very well be something that needs to be addressed in the AWS VPC settings, however, I am unfamiliar with the platform.

Short of a misconfig that I'm missing, an AWS VPC setting or something happening on the client-side, it's just troubleshooting at this point.

I PM'd you.