Netgate Discussion Forum

VPN up Gateway up - No Internet

OpenVPN
43 Posts 5 Posters 7.2k Views
viragomann @vMAC
Feb 13, 2021, 8:46 AM

@vmac said in VPN up Gateway up - No Internet:

I'm confused as to what you mean about the order, since VPN devices would only match specific devices. However, I made the change and still can't get any Internet when connected to the VPN:

To answer your other question, I have my pfSense resolving all DNS queries:

The question is whether your VPN devices are configured to resolve host names. If they are set to use pfSense you need this rule; otherwise DNS requests are directed to the VPN provider while the destination address is pfSense, and resolution fails.
Since the rule shows some matches I assume the devices are set to use pfSense for DNS resolution.

@vmac said in VPN up Gateway up - No Internet:

I'm starting to wonder if it has something to do with the Automatic Outbound NAT not working.
When I check the OpenVPN logs I see this noted:

When I go to Outbound NAT I don't see this interface in the automatically generated outbound rules.

I cannot find what's really wrong there. The virtual interface port is ovpnc3. This one you should have assigned to NordVPN in Interfaces > Assignments.

The only weird thing in the outbound NAT is in the automatically generated rules: 192.168.3.1/26 and 192.168.3.0/26. No idea where the .1 is from.

Your VPN devices may be in 192.168.1.0/24 and 192.168.3.0/24? However, the latter may not really be defined on your system, since it isn't shown in the automatic rules.
vMAC @viragomann
Feb 14, 2021, 1:44 AM

@viragomann
Well, I'm at a loss.

Yes, the devices are set to use pfSense for DNS.
That is correct, ovpnc3 is assigned to NORDVPN.

I'm assuming this is where the 192.168.3.1 comes from, Interfaces -> IoT:

Yes, I have some devices that I want to use the VPN that are in my IoT VLAN, and I have ones on the regular LAN VLAN that I want to use the VPN. The device that I'm testing right now is on the LAN VLAN and still can't hit the VPN. I just tried the IoT VLAN and have the same issue.

The really weird thing is nothing has been changed except me adding a traffic shaper. Before that my config had worked for literally 2-3 years.
senseCanuck
Feb 14, 2021, 3:09 AM

I just updated to 2.5.0 RC and have the same problem.

NordVPN used to work perfectly; now I don't get Internet through it. The interface comes up with an IP, but when I look at the traffic graph I only see outgoing traffic (no incoming).

It was a straight upgrade; I made no changes to the pfSense config.
vMAC @senseCanuck
Feb 14, 2021, 3:12 AM

@sensecanuck could that be the problem? I've been using the 2.5 beta since June/July due to an issue with miniupnp and my PS4s. Maybe something that was changed in November/December changed something?
senseCanuck @vMAC
Feb 14, 2021, 3:18 AM (last edited by senseCanuck Feb 14, 2021, 3:19 AM)

@vmac could be.
This is the 3rd time I've tried upgrading to 2.5.0 and I have always had this VPN issue. I just assumed it was on the to-be-fixed list, but apparently it's something else since we're now into RCs.

All three of my 2.5.0 attempts have been December or later.
viragomann @vMAC
Feb 14, 2021, 1:27 PM

@vmac said in VPN up Gateway up - No Internet:

I'm assuming this is where the 192.168.3.1 comes from, Interfaces -> IoT:

What I wanted to point out is that the outbound NAT shows these entries among others: 192.168.3.1/26, 192.168.3.0/26. Normally it only shows network addresses; 192.168.3.1/26 is not one, but it's part of 192.168.3.0/26.
Post your routing table to get closer.

Do a packet capture on the NordVPN interface while you try to access something from one of the affected devices, to see if the packets are NATed correctly.
senseCanuck
Feb 16, 2021, 3:46 AM (last edited by senseCanuck Feb 16, 2021, 4:21 AM)

My setup is almost identical to @vMAC's (select VPN based on an IP alias group). The only difference is I don't use the DNS Resolver (to avoid DNS leaks); I forward all VPN alias group DNS traffic to the VPN's DNS server.

But same problem: it was working perfectly until the move to 2.5.0.

I noticed though that my gateway shows as offline. I switched the monitor to 1.1.1.1 but no difference.
Apsis-IM @senseCanuck
Feb 16, 2021, 4:24 AM

@sensecanuck I thought it typical to block and forward all DNS traffic to the pfSense DNS Resolver to avoid DNS leaks...
senseCanuck @Apsis-IM
Feb 16, 2021, 2:27 PM

@apsis-im

I didn't want to use the VPN DNS for all LAN clients, just the few selected to use the VPN. So I manually forward all port 53 traffic on those clients to the VPN provider's DNS server.
Apsis-IM @senseCanuck
Feb 16, 2021, 3:29 PM

@sensecanuck gotcha!
Dilligaf @senseCanuck
Feb 17, 2021, 10:08 AM

@sensecanuck I'm also feeling your pain.
Whether I upgrade or rebuild from scratch it's the same result. Tried on 2 boxes (one a VLAN setup and the other multiple NICs).
Also made several attempts at this. I can get the gateway up but I can't get traffic to flow through it. It seemed to me like the firewall wouldn't direct traffic into it, though I haven't looked into it very deeply.
Watching this thread closely to see if anyone can shed light.
senseCanuck @Dilligaf
Feb 17, 2021, 1:09 PM (last edited by senseCanuck Feb 17, 2021, 1:10 PM)

@dilligaf You seem to be a step above me. My gateway won't even show up. I've changed every rule I can find, changed the monitor address to 1.1.1.1, no luck. I'm so fed up with this I'm about to try out an OPNsense install.
Dilligaf @senseCanuck
Feb 17, 2021, 1:24 PM (last edited by Dilligaf Feb 17, 2021, 1:33 PM)

@sensecanuck I have a very similar setup by the sounds of it and, like you, use Cloudflare DNS. And like you I changed everything I could think of.

All sorts of different issues: I've had it running but only at about 120mb/s (I'm expecting 400+). I thought at that point it was just hardware acceleration. Backed up that config, but when I restored it, no traffic.

And I had the gateway up but no traffic, like you. I was mucking about with it late last night and can't repeat anything.

I'm looking to overhaul my network as a suitable and more powerful NUC type box has come into my possession. There's an issue there with 2.5 I don't understand, and I want to use pfSense on it as everything generally just works, but I don't really want to put the effort in on 2.4.5.

And like you I'm testing OPNsense. Not getting the same VPN performance though, generally 15-20% less. Beware of the NordVPN guide: do not follow the guide for DNS prefetch support and prefetch DNS key. It doesn't work!
vMAC @viragomann
Feb 18, 2021, 2:07 AM (last edited by vMAC Feb 18, 2021, 2:14 AM)

@viragomann
Here are the routes:

I did a packet capture, but how can I tell if it is being properly routed? If you want me to post it or DM it, let me know, I can do that. It's trivial to get a new IP address generated from my ISP, so I'm not too worried about that.
viragomann @vMAC
Feb 18, 2021, 11:20 AM

@vmac said in VPN up Gateway up - No Internet:

I did a packet capture, but how can I tell if it is being properly routed?

Go to Packet Capture, select the NordVPN interface, set the protocol filter to ICMP, enter 8.8.8.8 as the host and hit Start. Then go to one of the devices from the VPN group and ping 8.8.8.8. Check if the ping is working. Then stop the capture and check the result.
If the policy routing and NAT are working well you should see ICMP requests from your virtual VPN IP to 8.8.8.8 and replies coming back.

You can find your virtual IP in Status > OpenVPN.
senseCanuck
Feb 19, 2021, 2:39 PM (last edited by senseCanuck Feb 19, 2021, 2:47 PM)

@viragomann I don't see the ICMP replies in my capture (only sends).

  • My config hasn't been touched since upgrading to 2.5.0.
  • Under Status -> Gateways my VPN shows offline even with 1.1.1.1 as the monitor.
  • Under Status -> OpenVPN the status shows up and I get an IP.
  • I have some selective DNS (I don't use the DNS Resolver for my VPN interface), but I'm assuming that would be irrelevant to the ICMP test?

NAT -> Outbound: if I disable the highlighted rule I get Internet (bypasses my VPN). Which I find interesting, because it means my NO_WAN_EGRESS tagging doesn't work.

Rules -> LAN: I always see 0/0 B on this one.
viragomann @senseCanuck
Feb 19, 2021, 3:07 PM

@sensecanuck said in VPN up Gateway up - No Internet:

I don't see the ICMP replies in my capture (only sends).

And what is the source address? I explained above how to check. Since you don't provide the info, I can't verify.

Pinging an IP doesn't need DNS. You must see response packets. If not, either the source IP isn't correct (from outbound NAT) or something is wrong at the VPN provider.

There are other threads relating to outbound NAT on 2.5, but I did not go into them.
Maybe it helps to switch the outbound NAT into another mode and back again, or drop the rule and add it again.
senseCanuck @viragomann
Feb 19, 2021, 4:14 PM (last edited by senseCanuck Feb 19, 2021, 4:36 PM)

@viragomann

Recreating the NAT rule didn't make a difference.

The pings are coming from the virtual address, but I don't get returns:

11:34:33.915913 IP 10.8.3.5 > 8.8.8.8: ICMP echo request, id 28931, seq 601, length 40

I can also see a number of non-ICMP requests being sent out (again, no returns).

My gateway always shows down, whether I monitor 1.1.1.1 or 8.8.8.8 (don't know if that makes a difference).
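As an added example (not posted by anyone in this thread), here is viragomann's packet-capture check from above applied to capture text in the format of the line senseCanuck posted: it parses tcpdump-style ICMP lines from pfSense's Packet Capture page and reports whether echo requests leave with the VPN virtual IP as source and whether matching replies come back. The verdict names, the second (healthy) capture and the extra lines in the first capture are constructed; only the first capture line and the virtual IP 10.8.3.5 come from the thread.

```python
import re

# Constructed sample captures in the tcpdump text format shown by pfSense's Packet Capture page.
# CAPTURE_NO_REPLY starts with the request line posted in the thread; the remaining lines
# (including one leaving from a LAN address) and all of CAPTURE_OK are constructed.
CAPTURE_NO_REPLY = """\
11:34:33.915913 IP 10.8.3.5 > 8.8.8.8: ICMP echo request, id 28931, seq 601, length 40
11:34:34.916102 IP 10.8.3.5 > 8.8.8.8: ICMP echo request, id 28931, seq 602, length 40
11:34:35.916311 IP 192.168.1.50 > 8.8.8.8: ICMP echo request, id 28931, seq 603, length 40
"""
CAPTURE_OK = """\
11:40:01.000100 IP 10.8.3.5 > 8.8.8.8: ICMP echo request, id 4242, seq 1, length 40
11:40:01.012300 IP 8.8.8.8 > 10.8.3.5: ICMP echo reply, id 4242, seq 1, length 40
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse_icmp(capture_text):
    """Yield (src, dst, kind, id, seq) for each ICMP echo line; other lines are skipped."""
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])

def diagnose(capture_text, vpn_virtual_ip, target="8.8.8.8"):
    """Apply the check from the thread: echo requests to the target should leave with the
    VPN virtual IP as source, and each (id, seq) should get a reply from the target."""
    requests = {}    # (id, seq) -> source address the request left with
    replies = set()  # (id, seq) answered by the target to the virtual IP
    for src, dst, kind, ident, seq in parse_icmp(capture_text):
        if kind == "request" and dst == target:
            requests[(ident, seq)] = src
        elif kind == "reply" and src == target and dst == vpn_virtual_ip:
            replies.add((ident, seq))
    bad_source = sorted({s for s in requests.values() if s != vpn_virtual_ip})
    answered = len(requests.keys() & replies)
    if not requests:
        verdict = "no_traffic"  # nothing was policy-routed into the tunnel
    elif bad_source:
        verdict = "nat_wrong"   # outbound NAT is not rewriting the source to the virtual IP
    elif answered == 0:
        verdict = "no_reply"    # NAT looks right, nothing returns: tunnel or provider side
    else:
        verdict = "ok"
    return {"verdict": verdict, "requests": len(requests), "answered": answered,
            "bad_source": bad_source}
```

Paste the Packet Capture output into a file and call `diagnose()` on its contents with the virtual IP from Status > OpenVPN; a "nat_wrong" verdict points at the outbound NAT rule, "no_reply" at the tunnel or provider side.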
senseCanuck @senseCanuck
Feb 19, 2021, 6:46 PM

Update

The gateway now shows up with the default monitor port, but still no Internet.
senseCanuck
Feb 21, 2021, 1:50 PM

Solved in this thread by disabling Data Encryption Negotiation.
https://forum.netgate.com/topic/161040/openvpn-client-showing-100-packetloss-following-2-5-0-upgrade/10