OpenVPN clients can't ping LAN

jacobisreal · Mar 2, 2021, 6:40 PM

@marvosa Updated OPT1 protocol to any:
login-to-view

jacobisreal · Mar 2, 2021, 6:46 PM

@marvosa said in OpenVPN clients can't ping LAN:

I've temporarily disabled the firewall on the LAN server 10.116.0.2 and there is no gateway defined on it because Digital Ocean doesn't require a gateway for VPC networks. It's an Ubuntu 20.04 server, here's the netplan:>

There's your issue. In order for 10.116.0.2 to reach a network outside of it's LAN subnet (e.g. the OpenVPN tunnel network), there has to be a default gateway set. Configure the gateway to the PFsense LAN IP.

Any device you want to reach over OpenVPN will need PFsense as its gateway.

I can't set the gateway on that server - it's a private VPC (virtual network) inside Digital Ocean's network. The address 10.116.0.2 is the address they assigned the box on the private VPC on their side. I've read several articles that state I need a NAT rule to access that box - here's the post I read:
https://mohsensy.github.io/sysadmin/2019/06/21/secure-access-to-digital-ocean-resources-using-openvpn.html
And:
https://forum.netgate.com/topic/63243/openvpn-server-openvpn-client-and-nat/2?_=1614660188717

Digital Ocean support docs state that there must be iptables rules, but pfSense doesn't use iptables - see:
https://www.digitalocean.com/docs/networking/vpc/resources/droplet-as-gateway/

jacobisreal · Mar 2, 2021, 6:51 PM

Can you guys please take a look at their documentation? Here's the link:

https://www.digitalocean.com/docs/networking/vpc/resources/droplet-as-gateway/

It doesn't make any sense to me... If pfSense already is configured out-of-the-box to forward, and NAT rules are automatic, then this should just work. I'm pretty smart, I've tried all kinds of configurations, re-imaged the box and tried again all night. There has to be some kind of NAT I'm missing per their documentation. Ahh! :) Thank you for all your help, friends!

viragomann · Mar 2, 2021, 6:59 PM

@jacobisreal
So you can only go with masquerading. However, I'd not recommend that for multiple VPN users.

To activate it, go to Firewall > NAT > Outbound. If it is still in automatic mode, switch to hybrid and save that.

Add a new rule:
interface: LAN
protocol: any
sourec: any
destination: any
Translation: interface address

Dirty, but may work.

jacobisreal · Mar 2, 2021, 7:10 PM

@viragomann Like this:
login-to-view

marvosa · Mar 2, 2021, 7:32 PM

It's possible I'm reading this wrong, but the way I see it... in order to make this work, you will need to deploy the "Network with Internet Gateway" model. PFsense is your gateway droplet and all VPC's on the LAN will need PFsense set as the default gateway.

The examples they've shown are for configuring Ubuntu/Debian/Centos droplets as an internet gateway by enabling routing, NAT and configuring the firewall (iptables).

Even if you configured OpenVPN on a properly configured Ubuntu droplet, the other devices on the network would still need their gateway set to the Ubuntu LAN IP in order to be reachable over the tunnel.

It appears that the "Configure Backend Droplets" section should be reviewed in order to add a default route to your VPC's. I'm assuming "droplets" refers to VPC's... or am I misreading what they're describing as a "droplet"?

Fingers crossed for @viragomann's suggestion though.

jacobisreal · Mar 2, 2021, 7:13 PM

@viragomann Also, take a look at the OpenVPN server config, I still have redirect traffic over IPv4 so I can't enter the local network... should I remove the check and enter the LAN address 10.116.0.0/20 ??
login-to-view

jacobisreal · Mar 2, 2021, 7:17 PM

@marvosa said in OpenVPN clients can't ping LAN:

It's possible I'm reading this wrong, but the way I see it... in order to make this work, you will need to deploy the "Network with Internet Gateway" model. PFsense is your gateway droplet and all VPC's on the LAN will need PFsense set as the default gateway.

The examples they've shown are for configuring Ubuntu/Debian/Centos droplets as an internet gateway by enabling routing, NAT and configuring the firewall (iptables).

Even if you configured OpenVPN on a properly configured Ubuntu droplet, the other devices on the network would still need their gateway set to the Ubuntu LAN IP in order to be reachable over the tunnel.

It appears that the "Configure Backend Droplets" should be reviewed in order to add a default route. I'm assuming "droplets" refers to VPC's... or am I misreading what they're describing as a "droplet"?

"Droplet" is the term Digital Ocean uses for a virtual machine. A "droplet" has a public IP address and a VPC (or virtual private network) address. In my case, my VPC network is 10.116.0.0/20. The OpenVPN server on pfSense has the WAN address and I configured the LAN address as the VPC address, 10.116.0.3. The server I'm trying to reach on the VPC LAN is 10.116.0.2, but I can't get to it for anything. I'm re-exporting the client config and trying all of your suggestions again... Here goes!

viragomann · Mar 2, 2021, 7:22 PM

@jacobisreal said in OpenVPN clients can't ping LAN:

Also, take a look at the OpenVPN server config, I still have redirect traffic over IPv4 so I can't enter the local network... should I remove the check and enter the LAN address 10.116.0.0/20 ??

This directs the whole upstream traffic from the VPN client over the VPN. This aims to access internet resources with the public IP of the VPC.
If you don't need this uncheck redirect gateway and enter the VPC LAN network into the "Local networks" box.

jacobisreal · Mar 2, 2021, 7:24 PM

@marvosa @viragomann YOU FUKN GENIOUSES! Take a look...
I dunno if it was the NAT masquerade, the change in the OpenVPN tunnel, or what but it's working now!

PING 10.116.0.2 (10.116.0.2) from 172.28.32.1: 56 data bytes
64 bytes from 10.116.0.2: icmp_seq=0 ttl=64 time=1.918 ms
64 bytes from 10.116.0.2: icmp_seq=1 ttl=64 time=0.785 ms
64 bytes from 10.116.0.2: icmp_seq=2 ttl=64 time=0.691 ms

--- 10.116.0.2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.691/1.131/1.918/0.558 ms

AND I can ping from local machine (OpenVPN client) to the other VPC box now:

ping 10.116.0.3
PING 10.116.0.3 (10.116.0.3) 56(84) bytes of data.
64 bytes from 10.116.0.3: icmp_seq=1 ttl=64 time=45.5 ms
64 bytes from 10.116.0.3: icmp_seq=2 ttl=64 time=46.3 ms
64 bytes from 10.116.0.3: icmp_seq=3 ttl=64 time=50.4 ms
^C
--- 10.116.0.3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 45.501/47.382/50.382/2.143 ms

What do you think the root cause was and why did all these suggestions work? Could it be the NAT rule?

jacobisreal · Mar 2, 2021, 7:26 PM

@viragomann said in OpenVPN clients can't ping LAN:

@jacobisreal said in OpenVPN clients can't ping LAN:

Also, take a look at the OpenVPN server config, I still have redirect traffic over IPv4 so I can't enter the local network... should I remove the check and enter the LAN address 10.116.0.0/20 ??

This directs the whole upstream traffic from the VPN client over the VPN. This aims to access internet resources with the public IP of the VPC.
If you don't need this uncheck redirect gateway and enter the VPC LAN network into the "Local networks" box.

Yeah, I don't want these users using the internet really. We're a non-profit and my next issue will be locking down internet access to only approved internet URLs. So, I should keep it like that right?? And, next question, how do I filter the web addresses the OpenVPN client can view? I want a nice "YOUR BLOCKED" page too! lol

Y'all are awesome, you've got this Texas dude freaking out. Wow. This forum is awesome and YOU GUYS are GR8!!!! THANK U

jacobisreal · Mar 2, 2021, 7:29 PM

I'm taking a snapshot of this box right away! You guys are literal lifesavers, I nnnneeeeedddd sleep!

jacobisreal · Mar 2, 2021, 7:31 PM

@viragomann This freaking worked.... Thanks!! Now, does this setup cause any security vulnerabilities or are we good?

viragomann · Mar 2, 2021, 7:38 PM

@jacobisreal said in OpenVPN clients can't ping LAN:

What do you think the root cause was and why did all these suggestions work? Could it be the NAT rule?

It's the NAT.

If you have no gateway on the remote device it cannot response to requests from outside of its own subnets (no route to host failure). The masqerading tranlates the source address in packets into the pfSense LAN interface IP, so its in the LAN subnet and its well done.

But as I stated, it's a dirty solution. But seems to bo the only one in your case.

viragomann · Mar 2, 2021, 7:41 PM

@jacobisreal said in OpenVPN clients can't ping LAN:

Now, does this setup cause any security vulnerabilities or are we good?

The drawback of this is that you're not able to determine the origin source on the destination device. However, since the only way into the network is over the VPN you have full control over it.

jacobisreal · Mar 2, 2021, 7:43 PM

@viragomann Yeah, everything I read about this cloud provider said I MUST use NAT for this. Now that your genius minds have resolved that, can you maybe help with:

How can I automate the OpenVPN client config download for the user? In other words, if I create the user, is there a way to make it so pfSense will allow them to download their .ovpn file if they, like maybe login to the pfSense WAN ip? Something to make config of the clients easier. Kind of like OpenVPN Access server but without paying a license fee?
How can I lock down the pfSense admin GUI so that only MY public IP can access it, ie from my home ISP (Comcast)?

I really, really appreciate you guys, you've saved my non-profit money and me countless hours. Thank you so much!

jacobisreal · Mar 2, 2021, 7:48 PM

@viragomann Those douchebags at Digital Ocean and OpenVPN wanted us to pay for an OpenVPN Access server and pay $75/mo for just ten users! This way, we can really grow and not pay. I had to really freak the config, they don't have an image for pfSense so I had to create a FreeBSD box, then dd a raw image of pfSense over it and in pfSense setup re-create the partitions, etc etc - this has not been easy but now that it works, we're set man. Thank you both so much, I really can't say it enough. Bless you!!

viragomann · Mar 2, 2021, 7:58 PM

@jacobisreal said in OpenVPN clients can't ping LAN:

How can I automate the OpenVPN client config download for the user? In other words, if I create the user, is there a way to make it so pfSense will allow them to download their .ovpn file if they, like maybe login to the pfSense WAN ip? Something to make config of the clients easier.

That was already asked here multiple times. So there are some thread regarding to this topic. I didn't occupy.
pfSense itself has no function for that at all. Maybe there are solutions with additional scripts.

@jacobisreal said in OpenVPN clients can't ping LAN:

How can I lock down the pfSense admin GUI so that only MY public IP can access it, ie from my home ISP (Comcast)?

The GUI should only be accessible from your VPN. To set rule you need a static VPN IP. You can achieve this by Client Specific Override.
If you also want SSH access, generate a key for and assing it to your user.

jacobisreal · Mar 2, 2021, 7:58 PM

@viragomann Could I at least log invalid logins to the OpenVPN server and track the IPs going into the WAN IP on pfSense since it's the entrypoint for the VPN and the LAN? If so, how?

viragomann · Mar 2, 2021, 8:01 PM

@jacobisreal
The logins are also written into the OpenVPN log.
You can send to log to a syslog server for saving them.