Enabling OpenVPN Server Results in every-other connection failing
-
Hello,
I have a strange problem. I have my pfSense (2.3.1_1) box configured as an OpenVPN Client and
```
redirect-gateway def1
```
I have the NAT in hybrid mode with one additional rule to the automatics which is:
Interface OpenVPN
protocol any
source network 172.30.0./24 (my LAN)
destination any
Translation address: interface address.
This works as expected, the other side of the VPN receives traffic NAT'd with the client IP of the OpenVPN client tunnel. I also want to allow myself to Dial-IN VPN to my network; I have configured OpenVPN server etc. When I enable the OpenVPN Server in the pfSense GUI, every-other outbound connection fails from machines on the LAN. I have run a traffic capture on the firewall on the OpenVPN client interface and I see that each new outbound connection's source IP address is alternating between the correct IP and the IP address of the Dial-In Open VPN Tunnel network.
```
18:33:34.459329 IP 172.30.1.66 > 8.8.4.4: ICMP echo request, id 14954, seq 1, length 64
18:33:34.486450 IP 8.8.4.4 > 172.30.1.66: ICMP echo reply, id 14954, seq 1, length 64
```
I press Ctrl+C on the ping and re-run the ping command:
```
18:33:35.498971 IP 192.168.48.1 > 8.8.4.4: ICMP echo request, id 43822, seq 1, length 64
18:33:37.787437 IP 192.168.48.1 > 8.8.4.4: ICMP echo request, id 33652, seq 1, length 64
```
I press Ctrl+C on the ping and re-run the ping command:
```
18:33:39.306957 IP 172.30.1.66 > 8.8.4.4: ICMP echo request, id 25940, seq 1, length 64
18:33:39.333662 IP 8.8.4.4 > 172.30.1.66: ICMP echo reply, id 25940, seq 1, length 64
```
I am very confused as to why enabling the server affects my outbound NAT at all? Unless I've completely misinterpreted the behavior? Help! Thanks, Rob
-
> I have the NAT in hybrid mode with one additional rule to the automatics which is:
> Interface OpenVPN protocol any source network 172.30.0./24 (my LAN) destination any Translation address: interface address.
> This works as expected, the other side of the VPN receives traffic NAT'd with the client IP of the OpenVPN client tunnel.
> When I enable the OpenVPN Server in the pfSense GUI, every-other outbound connection fails from machines on the LAN. I have run a traffic capture on the firewall on the OpenVPN client interface and I see that each new outbound connection's source IP address is alternating between the correct IP and the IP address of the Dial-In Open VPN Tunnel network.

If you're running an OpenVPN client and server together you have 2 virtual OpenVPN interfaces, which are handled as an interface group by pfSense. So the outbound NAT rule you've configured above alternates between the interface addresses in a round-robin manner.
To solve it, you have to assign an interface to each, client and server (Interfaces > assign). Then use the client's interface in the outbound NAT rule.
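The capture in the first post and the explanation above (two OpenVPN interface addresses in one group, so "interface address" translation round-robins between them) can be checked mechanically. The following script is an added example written for this thread, not code from the poster or from pfSense: it parses tcpdump-style ICMP lines, groups them per `ping` run by ICMP id, and reports which translated source address each run left the tunnel with and whether a reply ever came back. The sample lines are constructed from the capture quoted in the post, the expected address (172.30.1.66, the client tunnel IP) is taken from that capture, and the interface name in the comment is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the tcpdump output quoted in the post
# (172.30.1.66 = OpenVPN client tunnel address, 192.168.48.1 = address on the
# dial-in server's tunnel network). To audit a live box, replace CAPTURE with the
# output of something like `tcpdump -n -i ovpnc1 icmp` (interface name assumed).
CAPTURE = """\
18:33:34.459329 IP 172.30.1.66 > 8.8.4.4: ICMP echo request, id 14954, seq 1, length 64
18:33:34.486450 IP 8.8.4.4 > 172.30.1.66: ICMP echo reply, id 14954, seq 1, length 64
18:33:35.498971 IP 192.168.48.1 > 8.8.4.4: ICMP echo request, id 43822, seq 1, length 64
18:33:37.787437 IP 192.168.48.1 > 8.8.4.4: ICMP echo request, id 33652, seq 1, length 64
18:33:39.306957 IP 172.30.1.66 > 8.8.4.4: ICMP echo request, id 25940, seq 1, length 64
18:33:39.333662 IP 8.8.4.4 > 172.30.1.66: ICMP echo reply, id 25940, seq 1, length 64
"""

# One tcpdump line for an ICMP echo request or reply.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_capture(text):
    """Parse ICMP echo lines; any other line in the capture is skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"] = int(d["id"])
            pkts.append(d)
    return pkts


def audit_nat_sources(text, expected_src):
    """Group echo requests by ICMP id (each `ping` run picks a fresh id), record
    the translated source address each run used, and whether it got a reply.

    Returns (sources, unanswered, unexpected):
      sources    - {translated source IP: [ICMP ids that used it]}
      unanswered - ICMP ids whose request never got a reply
      unexpected - the subset of `sources` whose IP is not `expected_src`
    """
    first_src = {}   # ICMP id -> source IP of its first request
    answered = set()
    for p in parse_capture(text):
        if p["kind"] == "request":
            first_src.setdefault(p["id"], p["src"])
        else:
            answered.add(p["id"])
    sources = defaultdict(list)
    for pid, src in first_src.items():
        sources[src].append(pid)
    unanswered = sorted(pid for pid in first_src if pid not in answered)
    unexpected = {src: ids for src, ids in sources.items() if src != expected_src}
    return dict(sources), unanswered, unexpected


def nat_is_consistent(text, expected_src):
    """True when every outbound request was translated to the expected address."""
    _, _, unexpected = audit_nat_sources(text, expected_src)
    return not unexpected


if __name__ == "__main__":
    sources, unanswered, unexpected = audit_nat_sources(CAPTURE, "172.30.1.66")
    for src, ids in sources.items():
        print(f"source {src}: {len(ids)} ping run(s), ids {ids}")
    print("runs with no reply:", unanswered)
    if unexpected:
        print("NAT translated to unexpected address(es):", list(unexpected))
        print("check that the outbound NAT rule is bound to the assigned client "
              "interface rather than the OpenVPN interface group")
```

On the sample, the two runs that left with 192.168.48.1 are exactly the two that never got a reply, which is the "every other connection fails" symptom; after binding the NAT rule to the assigned client interface, `nat_is_consistent` should return True on a fresh capture.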
-
Hello,
> To solve it, you have to assign an interface to each, client and server (Interfaces > assign). Then use the client's interface in the outbound NAT rule.

Thanks, I'll try that in a minute!
I had a feeling it might be something similar to this; it seems strange to me that it would NAT onto the wrong interface? I appreciate that there are 2 'rules' but I would expect the "interface address" rule to apply to that instance of the OpenVPN interface, rather than "all OpenVPN interfaces" as it were? I can't see a use case for this behaviour at the moment (I'm probably missing something).
Thanks again
-
Just as an update; this has fixed it. I assigned interfaces for all the different varieties of OpenVPN (dial-in, clients) and created explicit NAT rules for them, and voila it works. Thanks viragomann