Enabling OpenVPN Server Results in every-other connection failing



  • Hello,

    I have a strange problem. I have my pfSense (2.3.1_1) box configured as an OpenVPN Client and

        redirect-gateway def1

    I have the NAT in hybrid mode with one additional rule to the automatics which is:

        Interface OpenVPN
        protocol any
        source network 172.30.0./24 (my LAN)
        destination any
        Translation address: interface address.

    This works as expected, the other side of the VPN receives traffic NAT'd with the client IP of the OpenVPN client tunnel.
    
    I also want to allow myself to Dial-IN VPN to my network; I have configured OpenVPN server etc.
    
    When I enable the OpenVPN Server in the pfSense GUI, every other outbound connection fails from machines on the LAN. I have run a traffic capture on the firewall on the OpenVPN client interface and I see that each new outbound connection's source IP address is alternating between the correct IP and the IP address of the Dial-In OpenVPN Tunnel network.

        18:33:34.459329 IP 172.30.1.66 > 8.8.4.4: ICMP echo request, id 14954, seq 1, length 64
        18:33:34.486450 IP 8.8.4.4 > 172.30.1.66: ICMP echo reply, id 14954, seq 1, length 64

    • I press ctrl+C on the ping and re-run the ping command

        18:33:35.498971 IP 192.168.48.1 > 8.8.4.4: ICMP echo request, id 43822, seq 1, length 64
        18:33:37.787437 IP 192.168.48.1 > 8.8.4.4: ICMP echo request, id 33652, seq 1, length 64

    • I press ctrl+C on the ping and re-run the ping command

        18:33:39.306957 IP 172.30.1.66 > 8.8.4.4: ICMP echo request, id 25940, seq 1, length 64
        18:33:39.333662 IP 8.8.4.4 > 172.30.1.66: ICMP echo reply, id 25940, seq 1, length 64
    
    I am very confused as to why enabling the server affects my outbound NAT at all? Unless I've completely misinterpreted the behavior?
    
    Help!
    Thanks,
    Rob
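    A small checker for captures like the one in the post above, added here as an example (it is not part of Rob's post or of pfSense). It parses tcpdump ICMP echo lines, lists the translated source address of every echo request in order so an alternating pattern is visible, and reports which source addresses never received a reply. The sample capture is constructed from the lines shown in the thread; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the ping attempts from the post above, in tcpdump's
# line format (same addresses and ICMP ids as shown in the thread).
SAMPLE_CAPTURE = """\
18:33:34.459329 IP 172.30.1.66 > 8.8.4.4: ICMP echo request, id 14954, seq 1, length 64
18:33:34.486450 IP 8.8.4.4 > 172.30.1.66: ICMP echo reply, id 14954, seq 1, length 64
18:33:35.498971 IP 192.168.48.1 > 8.8.4.4: ICMP echo request, id 43822, seq 1, length 64
18:33:37.787437 IP 192.168.48.1 > 8.8.4.4: ICMP echo request, id 33652, seq 1, length 64
18:33:39.306957 IP 172.30.1.66 > 8.8.4.4: ICMP echo request, id 25940, seq 1, length 64
18:33:39.333662 IP 8.8.4.4 > 172.30.1.66: ICMP echo reply, id 25940, seq 1, length 64
"""

# Matches tcpdump's default one-line rendering of an ICMP echo request/reply.
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
    r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(text):
    """Yield one dict per ICMP echo line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = ICMP_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["id"] = int(pkt["id"])
            yield pkt


def flapping_sources(text):
    """Translated source address of each echo request, in capture order.

    With a NAT rule that rotates between tunnel addresses this list alternates,
    which is exactly the symptom described in the thread."""
    return [p["src"] for p in parse_icmp(text) if p["kind"] == "request"]


def nat_source_report(text):
    """Per translated source address: how many requests left and how many
    replies came back, matching replies to requests by ICMP id."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0})
    id_to_src = {}
    for pkt in parse_icmp(text):
        if pkt["kind"] == "request":
            stats[pkt["src"]]["requests"] += 1
            id_to_src[pkt["id"]] = pkt["src"]
        elif id_to_src.get(pkt["id"]) == pkt["dst"]:
            stats[pkt["dst"]]["replies"] += 1
    return dict(stats)


def unanswered_sources(text):
    """Source addresses whose requests never got a reply: the ones NAT'd to a
    tunnel address the far side does not route back to."""
    return sorted(src for src, c in nat_source_report(text).items()
                  if c["replies"] == 0)


if __name__ == "__main__":
    print("request sources:", flapping_sources(SAMPLE_CAPTURE))
    print("per-source stats:", nat_source_report(SAMPLE_CAPTURE))
    print("no replies for:", unanswered_sources(SAMPLE_CAPTURE))
```

    Feed it the text of a `tcpdump -n` capture taken on the OpenVPN client interface; if `unanswered_sources` returns the dial-in tunnel address, the outbound NAT rule is translating some states onto the wrong tunnel.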


  • @RobEmery:

    I have the NAT in hybrid mode with one additional rule to the automatics which is :

    
    Interface OpenVPN
    protocol any
    source network 172.30.0./24 (my LAN)
    destination any
    Translation address: interface address. 
    
    

    This works as expected, the other side of the VPN receives traffic NAT'd with the client IP of the OpenVPN client tunnel.

    When I enable the OpenVPN Server in the pfSense GUI, every other outbound connection fails from machines on the LAN. I have run a traffic capture on the firewall on the OpenVPN client interface and I see that each new outbound connection's source IP address is alternating between the correct IP and the IP address of the Dial-In OpenVPN Tunnel network.

    If you're running an OpenVPN client and server together you have 2 virtual OpenVPN interfaces, which are handled as an interface group by pfSense. So the outbound NAT rule you've configured above alternates the interface addresses in a round-robin manner.

    To solve, you have to assign an interface to each, client and server (Interfaces > Assign). Then use the client's interface in the outbound NAT rule.
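    The mechanism viragomann describes, written out as pf NAT rules. This is an illustration added here, not pfSense's generated ruleset and not part of the reply; it assumes the LAN is 172.30.0.0/24, that `openvpn` is the automatic interface group, and that `ovpnc1` is the pf name the client instance gets once assigned (pfSense names the first client `ovpnc1` and the first server `ovpns1`).

```pf
# Before: one hybrid outbound NAT rule bound to the "openvpn" interface group.
# Both tunnel interfaces are members, so "(openvpn)" expands to two addresses
# (client tunnel and dial-in server tunnel); a translation address list with
# more than one entry is handed out round-robin, so every other new state
# leaves with the dial-in tunnel's address and never gets a reply.
nat on openvpn from 172.30.0.0/24 to any -> (openvpn)

# After: assign each OpenVPN instance its own interface (Interfaces > Assign)
# and bind the rule to the client instance only. "(ovpnc1)" now expands to
# exactly one address, the client tunnel's, so there is nothing to rotate.
nat on ovpnc1 from 172.30.0.0/24 to any -> (ovpnc1)
```

    On the firewall, `pfctl -sn` prints the active NAT rules and `pfctl -ss` the state table, so after the change you can confirm that states for LAN hosts only ever carry the client tunnel address.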



  • Hello,

    @viragomann:

    To solve, you have to assign an interface to each, client and server (Interfaces > Assign). Then use the client's interface in the outbound NAT rule.

    Thanks, I'll try that in a minute!

    I had a feeling it might be something similar to this; it seems strange to me that it would NAT onto the wrong interface? I appreciate that there are 2 'rules' but I would expect the "interface address" rule to apply to that instance of the OpenVPN interface, rather than "all OpenVPN interfaces" as it were? I can't see a use case for this behaviour at the moment (I'm probably missing something).

    Thanks again



  • Just as an update; this has fixed it. I assigned interfaces for all the different varieties of OpenVPN (dial-in, clients) and created explicit NAT rules for them, and voila it works. Thanks viragomann