PiVPN and pfsense as Client
-
-WARNING SELF TAUGHT AMATEUR HERE-
I have a RPI3b+ in UK that runs for me PiVPN. Works perfectly with my Android phone - I can access the network and internet at the site.
On my pfSense machine I have been trying to connect it and create a dedicated gateway for it. I have succeeded in:
- Establishing the connection as OpenVPN client
- Establishing an interface that pulls the IP address from the OpenVPN client.
- I can ping for example google from the OpenVPN interface that I have created.
But I still cannot get the gateway up and running, constantly it is offline. I am attaching pictures of my NAT rules, OpenVPN client settings and LAN rules. Maybe someone here can educate me where and what I am doing wrong.
Is it routing tables? Does the PiVPN model not work with pfSense (did it a couple years ago with DDWRT and it worked). I will be grateful for your suggestions.
-
I find the NordVPN pfSense setup instructions quite good. Can you compare the routing steps you did against this?
-
@nirmalts said in PiVPN and pfsense as Client:
he NordVPN pfSense setup instructions quite
Thanks for this, I read it before and applied it partially. The only thing that I had not applied were the custom options. Tried them now and I still can't get the gateway up (half of them I don't understand).
tls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;
Could it be that RPI's PIVPN does not provide routing? I remember adding such rules on my DDWRT OpenVPN connection and then it worked. When I added these here my interface stopped getting the local VPN address (10.8.0.X).
Best
-
Anyone any more suggestions?
-
@NiDeMa said in PiVPN and pfsense as Client:
tls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;
These settings are not related to routing. As you have the connection "up" already, you don't need to add/change these.
If you follow the NordVPN instructions, you do not need to add "IPv4 Tunnel Network" and routes in Advanced Options as you have done. It works for me without these. Can you try by removing these?
If it still doesn't work please share your routing table?
netstat -rnW from console or Diagnostics -> Routes
-
Thanks for your reply! I admit I am stuck on it completely.
I tried it without the extra commands and same thing. It seems like for some reason all packets in are stopped.
Just for reference - I don't have a bridged connection on the WAN.
-
Just to reconfirm: Are you using a public VPN service here, like NordVPN?
-
No, I am using my own VPN service based on Raspberry Pi (called PiVPN). I left in London a Raspberry with all the software - it works on my phone, just pfSense is problematic.
-
Here is a quick diagram...
-
Hi,
Just wondered if you have found a solution to your problem?
I am trying to set up selective routing on pfsense to a raspberry pi PiVPN but also getting its gateway down. I do have a paid NordVPN with same setting and that works fine.
-
@mariof said in PiVPN and pfsense as Client:
ered if you have found a solution to your problem?
I am trying to set up selective routing on pfsense t
Mariof, this was ages ago. I did actually manage. It worked perfect (EDIT: it did but sometimes I had to set it up again as it would lose the connection - the crashing I blamed on the fact that I actually have two RPIs: UK and USA). The only thing: I got finally a decent connection at home and decided to clean up pfSense with a new install. I am right now reprogramming it. Once I get it done I can share with you my settings.
-
@nidema Hi, it took me some reading and testing but I actually figured this out. Disabling the gateway monitoring eventually helped so I can finally connect to my PiVPN and set up selective routing for all my devices on the network
-
@mariof said in PiVPN and pfsense as Client:
my devices on the network
I didn't have to disable gateway monitoring. Got it set up and since the RPI runs PiHole before VPN I use it for DNS and gateway testing.
Do you, by any chance, have two RPIs? I have two VPN servers on two separate RPIs on two continents (Netflix :-) works) but I am having problems with CAs as common name is the same causing pfSense to get confused.