Netgate Discussion Forum
    OpenVPN Server Behind NAT being blocked by Firewall Rule

    • PreImmortal

      Hi all,

      I am trying to set up an OpenVPN server behind another router. Setup looks something like this:
      [Internet] <-> [Router] <-> [PFSense]

      The [Router] has the VPN port port-forwarded, so a connection can be established from outside the network.

      I have tested the VPN connection from the [Router] network into the [PFSense] network and it is working fine (has internet access and internal network access).

      When I access the VPN server from the internet, I am able to establish a connection. However, all outbound traffic is being blocked by a firewall rule for an interface that is setup for a client VPN connection.

      The OpenVPN log says this:
      client/123.123.123.123:12345 write TCPv4_SERVER: Permission denied (code=13)

      I checked the firewall log to see why this is occurring:
      Apr 21 16:29:11 ► CLIENT_VPN Default deny rule IPv4 (1000000104) 192.168.0.100:1194 123.123.123.123:12345 TCP:FPA

      In this case, 192.168.0.100:1194 would be the WAN address for my pfsense box and 123.123.123.123:12345 would be the client trying to access the VPN. The CLIENT_VPN is a client VPN connection that is being used for other outbound traffic. I would have expected the OpenVPN Server to use the default gateway, which is WAN.

      I reviewed my firewall rules and tried to set up some rules to force all outbound traffic to use the WAN gateway and also set up the Outbound NAT for the OpenVPN Server:


      I tried to set up policy based routing documented here:
      https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/assign.html

      However, my attempt to force the OpenVPN to use the WAN interface didn't work. Any help on this would be appreciated.

      Thanks,
      -D

      • viragomann @PreImmortal

        @preimmortal said in OpenVPN Server Behind NAT being blocked by Firewall Rule:

        I checked the firewall log to see why this is occurring:
        Apr 21 16:29:11 ► CLIENT_VPN Default deny rule IPv4 (1000000104) 192.168.0.100:1194 123.123.123.123:12345 TCP:FPA
        In this case, 192.168.0.100:1194 would be the WAN address for my pfsense box and 123.123.123.123:12345 would be the client trying to access the VPN. The CLIENT_VPN is a client VPN connection that is being used for other outbound traffic. I would have expected the OpenVPN Server to use the default gateway, which is WAN.

        Basically, response packets are routed according to the routing table if the incoming interface of the request is unclear.
        I suspect that the other client connection set the default route, presumably pushed by the server.

        I reviewed my firewall rules and tried to set up some rules to force all outbound traffic to use the WAN gateway and also set up the Outbound NAT for the OpenVPN Server:

        Outbound NAT rules have no effect on response packets.

        I tried to set up policy based routing documented here:

        Not clear what you aim to achieve with that in this case.

        Simply ensure that there is a firewall rule on the WAN interface allowing the OpenVPN access on port 1194, and ensure that there is no floating rule or interface group rule matching this traffic.

        1 Reply Last reply Reply Quote 0
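To illustrate the answer above, here is an added example in pf rule syntax (not from the thread and not pfSense's own generated ruleset) showing a floating rule for the server port beside the interface-bound WAN rule the answer recommends. The interface names (igb0 for WAN, ovpnc1 for CLIENT_VPN), the WAN gateway 192.168.0.1 and the macros are assumptions.

```pf
# Added illustration in pf syntax. Interface names, the WAN gateway
# address and the macro names are assumptions, not taken from the thread.
WAN     = "igb0"          # WAN, addressed 192.168.0.100 behind the upstream router
CLI_VPN = "ovpnc1"        # CLIENT_VPN, the outbound OpenVPN client tunnel
WAN_GW  = "192.168.0.1"   # assumed upstream router address on the WAN side

# pfSense binds states to the interface they were created on, so a reply that
# leaves through a different interface finds no state there and is evaluated
# against that interface's rules, i.e. CLIENT_VPN's default deny.
set state-policy if-bound

# Assumed routing state: the client VPN pushed a default route, so anything
# without a more specific route is sent out $CLI_VPN.

# --- Problem case: a floating (no "on <interface>") rule for the server port.
# It matches the inbound SYN wherever it arrives, carries no reply-to, so the
# server's replies (src 192.168.0.100:1194) follow the routing table out
# through $CLI_VPN, where the default deny below logs and drops them.
pass in quick inet proto tcp from any to 192.168.0.100 port 1194 \
    flags S/SA keep state label "FLOATING: OpenVPN server (replies misrouted)"

# --- Corrected case: the same rule bound to WAN with reply-to.
# The state records the gateway the request came through, so replies are
# sent back out $WAN to $WAN_GW regardless of the default route.
pass in quick on $WAN reply-to ( $WAN $WAN_GW ) inet proto tcp \
    from any to 192.168.0.100 port 1194 \
    flags S/SA keep state label "USER_RULE: OpenVPN server on WAN"

# CLIENT_VPN's default deny stays in place; with the corrected rule it never
# sees the OpenVPN server's replies, so nothing is logged there.
block out log quick on $CLI_VPN inet all label "CLIENT_VPN Default deny rule IPv4"
```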