Cannot go on Internet from my remote location over vpn connection
A lot of information exists on this forum and Internet but I just can't filter out the solution for me.
It's quite simple. I just installed pfSense and configured OpenVPN server on it. I downloaded the client with the "Client Export" tool and installed it on my laptop (Windows). Nothing more.
Everything works fine except one thing. When I use my client on the Windows laptop on a remote location and I am connected successfully to my pfSense box at home, I cannot go on Internet. I can rdp to a desktop pc at home and go on Internet via that way though. But why can I not just open a browser at my remote location and throw my http requests through the tunnel and get my page on my browser? I'd like to go on 'what is my ip' and see the public IP address from my home. Do I have to tweak my nat and rule settings? Till now I just have "auto created" nat rules and firewall rules. Didn't touch that part yet. Should I learn more about PIA? I saw an explanation about giving your OpenVPN an interface (OPT1).
Also I can find much info about site-to-site VPNs but that is not my setup here. I have one pfSense at home and want to connect to it through OpenVPN client and go on Internet.
Thanks for the support.
Have you checked "Redirect gateway" in the OpenVPN server settings?
You also need an NAT rule for the VPN subnet. Firewall > NAT > Outbound
If you've used the wizard for setup it will have done this automatically.
Thanks for the reply viragomann.
Yes, "Redirect gateway" is checked.
And indeed I used the wizard. So I have the automatically created NAT rules.
But still no browsing from my client from a remote location. Neither from my mobile btw (I also installed a client on my phone).
Http traffic is not returned. Any other idea?
I am reading that pfSense book. I just started to read the OpenVPN part and it's saying that OpenVPN interfaces may be assigned under 'Interfaces'. Assigning an OpenVPN interface will let me create interface-specific rules. I am diving into that now. I'll post it if I have any success with this.
Possibly there is no "allow" rule on the openvpn interface in the firewall?
I have this automatically created rule for OpenVPN.
Seems to be what you are referring to I think.
Assigning an interface to the vpn server or client on pfSense is only needed if you run multiple vpn instances.
Please post the routing table of the client when connection is established.
Ok thanks for the elaboration. I won't assign an interface to my vpn server then, as I don't run multiple vpn instances.
Here is a screenshot from my client's ipconfig and routing table.
I can't see any cause for that issue.
Are you able to access the DNS? Try an internet host with its IP for testing, e.g. http://188.8.131.52
If that isn't the problem I'd suggest to go to troubleshooting. Take a packet capture (Diagnostic > Packet capture) from the OpenVPN and the WAN interface while you try to access a Web host, limited to source or dest IP or port.
I went to http://184.108.40.206 without success (see screenshot). It is saying 'Yahoo' in the tab of IE though. But the page stays empty.
After that I went to the Packet Capture feature. I started a capture first from the OpenVPN and then the WAN interface with a filter on the Ip address you just suggested to go to (220.127.116.11). As we now know it is not dns I just refreshed the IE page and went to the site via ip address.
I don't really see a problem in the Wireshark output. But I am not a pro so I probably overlook things.
Probably not enough, but I added screenshots of Wireshark output.
About time to post all of your firewall rules.
Here are all my rules. For the moment all have been created automatically.
We may not have found the solution yet but thanks both of you for the replies and suggestions.
So the pfsense(8^).PNG is taken from WAN with hidden WAN address and pfsense(9).PNG is from OpenVPN, I assume.
Everything there is looking all right. You get response from the webserver to the client on the OpenVPN interface, but IE doesn't load the page. So your pfSense firewall rules will be okay.
Strange behaviour. Can you test that with another browser or try a ping from the client?
STOP searching for the answer. I don't know why yet but with my mobile it works now.
When I go on Internet with my Android phone after I connected with the OpenVPN app, I can go to https://www.whatismyip.com/ and see the public IP of my pfSense box. So I guess it's ok and that something on my corporate laptop is blocking. I am not on the corporate network though. I have a connection to a modem to bypass the firewall and to do tests for work. So no firewall on my remote location. My proxy settings in my browser are also set to "automatically detect". I didn't forget that one. But still I can't see the webpages I request.
So now I am deeply ashamed for all the time you two spent in reading my reactions and viewing my screenshots. Sorry…
Do you have admin rights to that laptop or is your account a user account and not admin privileges?
It works also on my corporate laptop now.
First, Kejianshi, to answer your question: I have more rights than 'normal' users, but I am not full admin. Certain things like disabling anti-virus are not possible. But that was not the problem.
The local IP of my home router (the pfSense) is 192.168.1.1. Classic. But the local IP of the modem I used on my remote location was also 192.168.1.1. The last one I changed to 192.168.0.1. And now when connected through OpenVPN I can open my web browser, go on whatismyip and see the public IP address from home.
So when I had the problem I assume that when I opened my web browser and tried to go on Internet the traffic got confused somewhere when coming back to my laptop at the remote location.
Yep - Very common affliction. It's a good idea to go with the 192.168.x.x - for both the Xs pick a random number between 2 and 254 or so.
The reason I asked about admin rights is because it's always a good idea to right click the install icon for openvpn and run as admin - and then always run the program as admin after from then on. Saves lots of grief.
Anyway - Sounds like you already have it worked out. Enjoy.
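
The address clash that resolved this thread can be checked for before connecting. The Python sketch below is an added example, not code from any poster or from pfSense; the /24 masks and the 10.0.8.0/24 tunnel subnet are assumptions, since the thread gives only the two 192.168.1.1 gateway addresses and the later change to 192.168.0.1.

```python
import ipaddress
import random

# Networks reachable through the tunnel. The home LAN comes from the thread
# (pfSense at 192.168.1.1, /24 assumed); the tunnel subnet is a constructed value.
HOME_SIDE = ["192.168.1.0/24", "10.0.8.0/24"]
REMOTE_LAN_BEFORE = ["192.168.1.0/24"]   # modem at 192.168.1.1 (mask assumed)
REMOTE_LAN_AFTER = ["192.168.0.0/24"]    # modem moved to 192.168.0.1


def overlaps(client_lans, tunnel_side_nets):
    """Return every (client LAN, tunnel-side network) pair that shares addresses."""
    hits = []
    for lan in map(ipaddress.ip_network, client_lans):
        for remote in map(ipaddress.ip_network, tunnel_side_nets):
            if lan.overlaps(remote):
                hits.append((str(lan), str(remote)))
    return hits


def ambiguous_hosts(client_gateways, tunnel_side_nets):
    """Client-side gateway addresses that also fall inside a tunnel-side network."""
    nets = [ipaddress.ip_network(n) for n in tunnel_side_nets]
    return [g for g in client_gateways
            if any(ipaddress.ip_address(g) in n for n in nets)]


def suggest_lan(avoid, rng=random):
    """Pick a 192.168.x.0/24 with x in 2..254 that overlaps none of `avoid`."""
    taken = [ipaddress.ip_network(n) for n in avoid]
    candidates = [ipaddress.ip_network(f"192.168.{x}.0/24") for x in range(2, 255)]
    free = [c for c in candidates if not any(c.overlaps(t) for t in taken)]
    return str(rng.choice(free))


if __name__ == "__main__":
    print("before:", overlaps(REMOTE_LAN_BEFORE, HOME_SIDE))
    print("after: ", overlaps(REMOTE_LAN_AFTER, HOME_SIDE))
    print("shared gateway:", ambiguous_hosts(["192.168.1.1"], HOME_SIDE))
    print("suggested home LAN:", suggest_lan(REMOTE_LAN_BEFORE + HOME_SIDE))
```

A non-empty result from `overlaps` means the client cannot tell its local LAN apart from the network behind the tunnel, so one side needs renumbering.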