Cannot ping (or access) any host from clients or the firewall itself using the OpenVPN interface
-
Hi, so I recently set up an OpenVPN connection. The connection itself is successful.
I made a new interface called OPT3.
However, when I try to ping something from the firewall using the OpenVPN interface, it fails.
Also tried setting the source address to OPT3. Same result.
Here are my OVPN tunnel settings.
I was instructed by my provider to check "Don't pull routes". I unchecked that, but then it completely broke my main internet connection (WAN); nothing was accessible.
I understand that I need to create NAT rules for clients to access the OpenVPN interface. But, as far as I know, the firewall itself should be able to use the OpenVPN interface without additional NAT rules (currently set to hybrid).
Any ideas? -
@lordofpc734
Not clear what your real problem here is and what you're trying to achieve.
Do you want to direct the whole upstream traffic over that VPN or only specific traffic?

@lordofpc734 said in Cannot ping (or access) any host from clients or the firewall itself using the OpenVPN interface:
However, when I try to ping something from the firewall using the OpenVPN interface, it fails.
Also tried setting the source address to OPT3. Same result.

Anyway, to ping a public IP you need an outbound NAT rule for the used source address.
-
Only specific. I used to do this with plain L2TP, but I figured OVPN would be safer, and faster in my experience.
Here are my NAT rules (the first one is for the PS4, the second one is for accessing the modem, not relevant).
Do I need to just duplicate all of the auto-created rules and set their interface to OpenVPN? Is that what you mean?
Also, my issue is that, as I said, I cannot ping anything from the firewall via the OVPN interface. Hope this clears it up a bit. -
The last two rules may be for the source LAN network. Copy these and change the interface to OPT3, which you have assigned to the VPN.
To get the ping tool to work to a public IP as you tried above, you also need a rule with the source 127.0.0.0/8 (pfSense itself). However, you may also need to route that public IP over the VPN.
Since you only want to direct specific traffic over it, you may have to check "Don't pull routes" and add policy routing firewall rules to the LAN.
-
So I copied the LAN to WAN rules and changed them to OPT3, and also tried to pay attention to the order of the rules. I made a firewall rule that redirects all traffic from my laptop to the OPT3 (OVPN) gateway (ignoring the ping utility issue for now). It didn't work, i.e. everything times out. I don't see any blocks in the firewall logs.
Here are the new NAT rules. -
@lordofpc734 said in Cannot ping (or access) any host from clients or the firewall itself using the OpenVPN interface:
I don't see any blocks in the firewall logs.

So presumably the rule is working.
The outbound NAT rules seem to be okay.

@lordofpc734 said in Cannot ping (or access) any host from clients or the firewall itself using the OpenVPN interface:
I made a firewall rule that redirects all traffic from my laptop to the OPT3 (OVPN) gateway.

Possibly a DNS issue?
Consider that with that rule you also direct DNS requests to the VPN server, so you either have to configure your laptop to use a public DNS, redirect it by a NAT rule, or add an additional firewall rule to allow DNS access to pfSense. -
@viragomann Just tried 8.8.8.8 on the laptop; it's not a DNS issue, I believe, it just times out.
Also, unbound itself is acting weird, it keeps restarting itself... not sure what's going on here.
Might just give up and go back to L2TP, considering I don't have AES-NI anyway. -
@lordofpc734 said in Cannot ping (or access) any host from clients or the firewall itself using the OpenVPN interface:
Just tried 8.8.8.8 on the laptop

How did you try? Ping or HTTP? If ping, does your rule allow it? You may post it here.

@lordofpc734 said in Cannot ping (or access) any host from clients or the firewall itself using the OpenVPN interface:
unbound itself is acting weird, it keeps restarting itself... not sure what's going on here

There should be hints in the log.
Possibly you have activated all outgoing interfaces in unbound. However, this will need a NAT rule for 127.0.0.1/8. -
@viragomann With ping, it works, but I'm almost certain that it's not being routed through the VPN, as the ping time is exactly like connecting normally without a VPN, and traceroute shows stars. Trying to load any webpage fails and times out. Also, in unbound I have set the listening interface to LAN and the outgoing interface to WAN, so it shouldn't care about OpenVPN at all.
-
You can use packet capture to check whether the packets are going out the VPN interface.
Also, I'd recheck your firewall rules. Enable logging in all relevant rules and check the log to see which rule is applied.
Keep in mind the rule order, and that floating rules and rules on a gateway group take precedence over interface rules.
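As an added example (not from this thread and not pfSense's own code), the script below parses pfSense filterlog lines so you can see, per packet from the laptop, which interface, direction, action and rule tracker it hit, and which destinations were blocked on the OpenVPN interface; the log lines, the interface names igb1 and ovpnc1, the tracker IDs and the 203.0.113.10 address are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the pfSense filterlog CSV layout:
# rule-number,sub-rule,anchor,tracker,interface,reason,action,direction,
# ip-version, then for IPv4: tos,ecn,ttl,id,offset,flags,proto-id,proto-text,
# length,src,dst, followed by protocol-specific fields (ICMP or TCP here).
SAMPLE_LOG = """\
Mar  5 10:00:01 pfSense filterlog[71011]: 90,,,1700000010,igb1,match,pass,in,4,0x0,,64,4711,0,DF,1,icmp,84,192.168.1.50,8.8.8.8,request,3,0
Mar  5 10:00:02 pfSense filterlog[71011]: 92,,,1700000012,igb1,match,pass,in,4,0x0,,64,4712,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,51512,443,0,S,1:1,,65535,,mss
Mar  5 10:00:03 pfSense filterlog[71011]: 5,,,1000000103,ovpnc1,match,block,out,4,0x0,,63,4712,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,51512,443,0,S,1:1,,65535,,mss
"""

LINE_RE = re.compile(r"filterlog\[\d+\]:\s*(?P<csv>.*)$")


def parse_filterlog(text):
    """Return one dict per IPv4 filterlog line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        f = m.group("csv").split(",")
        if len(f) < 20 or f[8] != "4":   # only the IPv4 layout is handled
            continue
        entries.append({
            "tracker": f[3], "interface": f[4], "action": f[6],
            "direction": f[7], "proto": f[16], "src": f[18], "dst": f[19],
        })
    return entries


def rules_for_host(entries, src_ip):
    """Count (interface, direction, action, tracker) hits for packets from src_ip.

    The tracker is the ID shown on a rule in the pfSense GUI, so this tells you
    which rule (e.g. the laptop's policy-routing rule on LAN) actually matched.
    """
    return Counter((e["interface"], e["direction"], e["action"], e["tracker"])
                   for e in entries if e["src"] == src_ip)


def blocked_on(entries, iface):
    """Destinations that were blocked on the given interface (e.g. ovpnc1)."""
    return sorted({e["dst"] for e in entries
                   if e["interface"] == iface and e["action"] == "block"})


if __name__ == "__main__":
    parsed = parse_filterlog(SAMPLE_LOG)
    for key, n in rules_for_host(parsed, "192.168.1.50").items():
        print(key, n)
    print("blocked on ovpnc1:", blocked_on(parsed, "ovpnc1"))
```

Feed it the output of `clog /var/log/filter.log` on the firewall to check that traffic from the laptop matched the intended LAN rule and whether anything is being dropped on the OpenVPN interface.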