  • OK, I'm pulling my hair out. My OpenVPN server used to work great back on version 2.1.5, but quit working a couple of updates ago. Wasn't a big deal then, but now I need it back online.  I'm no expert on this, so I figured I'd start from ground zero.

    I completely deleted the old OpenVPN Server, and all the certs, and deleted the rules from the firewall.

    Then I ran the Wizard and went through all the steps. I use Viscosity on Windows on the client machine, and grabbed the Viscosity Bundle from the client export utility. Imported it on the client, no issues.

    Start the client, and nothing. Same problem as before. I check the fw logs, and I find my inbound packets from the client are getting blocked. The wizard auto generated a WAN rule. I checked it, and changed the Source interface from WAN to ANY. Now packets from the client are getting passed, but there is no response, and nothing shows up in the OpenVPN log. I tried bumping the verbosity level up, and other than the normal housekeeping stuff, there was nothing to indicate that the packets were making it to the OpenVPN server process.

    I'm running pfSense 2.3.2-Release
    Outbound NAT mode is set to Automatic outbound NAT rule generation.  My tunnel network block is shown in the automatically generated outbound NAT rules.

    So the WAN rule seems to be fine.
    The OpenVPN fw rules seem ok, allowing IPv4 UDP traffic on the proper port.

    I compared my rules on this server to an older system that still works on 2.1.5. I don't see what I'm missing?

    Any help would be appreciated!!

  • Setting rules on WAN dest to ANY would, like, never really be a good idea.

    So when the wizard creates the firewall rules they are put at the bottom; what rules do you have above that which might block the traffic before it gets to the OpenVPN rule?  Are you running pfBlocker or Snort, etc.?

    Do you have any rules in floating?

    I use OpenVPN inbound pretty much every single day and have never had any issues running through upgrades; OpenVPN still works, etc.

    You're actually coming from the outside, right? You're not trying to check your OpenVPN connection via some NAT reflection, are you? I.e. your client is actually outside pfSense, and the client config points to your WAN public IP, right?  pfSense is not behind a NAT?

  • There are no rules in floating.

    I've also tried moving the rule up to the top, but just below the rules for private and bogon nets.

    The client is on an outside IP address, and the pfsense box is directly connected to the internet.

    Just to verify, the fw entries required are:

    WAN, pass UDP to the port used by the OpenVPN server
    OpenVPN, pass UDP on the port used by the OpenVPN server

    Outbound NAT rule is automatic, based on mode setting (Automatic outbound NAT rule generation)

    I just don't see what the issue is. I can see in the log that the packets are hitting the fw and being passed. Yet the OpenVPN server never shows any indication that it's seen anything. No user auth attempt, nothing.

    Aug 19 11:32:43 fw filterlog: 95,16777216,,1471576353,msk0,match,pass,in,4,0x58,,119,20818,0,none,17,udp,70,166.170.xx.x,,49676,64194,50

    PS: I am running Snort, but have shut it down for testing purposes. Doesn't have any effect. Client never gets a TLS handshake.
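
The filterlog line quoted in that post, parsed and checked, as an added example that is not part of the forum thread or of pfSense itself. The field order is the pfSense 2.3 filterlog layout for IPv4 TCP/UDP records (other IP versions and protocols are rejected rather than guessed at); the interface name `msk0` and port `64194` are taken from the posted line, whose redacted destination address is left empty, and the "block" variant is constructed here. The point of the check is the one the thread ends on: a `pass` in filterlog only clears the rules, not what NAT does to the packet afterwards.

```python
"""Parse pfSense filterlog records and check whether pf passed a packet
towards an OpenVPN listener.

Added example, not code from the forum thread or from pfSense. Field order
follows the pfSense 2.3 filterlog layout for IPv4 TCP/UDP; other IP versions
and protocols raise rather than being guessed at.
"""

# Leading fields common to every record, then the IPv4 header fields.
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id",
        "proto", "length", "src", "dst"]
# Protocol-specific trailing fields.
UDP = ["sport", "dport", "datalen"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window",
       "urg", "options"]

# The record posted in the thread (syslog prefix included, dst redacted).
SAMPLE = ("Aug 19 11:32:43 fw filterlog: 95,16777216,,1471576353,msk0,match,"
          "pass,in,4,0x58,,119,20818,0,none,17,udp,70,166.170.xx.x,,"
          "49676,64194,50")


def parse_filterlog(line):
    """Return a dict of named fields for one filterlog record.

    Accepts the bare CSV record or a full syslog line; anything up to and
    including "filterlog:" is discarded.
    """
    if "filterlog:" in line:
        line = line.split("filterlog:", 1)[1]
    parts = line.strip().split(",")
    if len(parts) < len(COMMON):
        raise ValueError("truncated filterlog record")
    if parts[COMMON.index("ipver")] != "4":
        raise ValueError("only IPv4 records are handled here")
    names = COMMON + IPV4
    proto_idx = names.index("proto")
    proto = parts[proto_idx] if len(parts) > proto_idx else ""
    if proto == "udp":
        names = names + UDP
    elif proto == "tcp":
        names = names + TCP
    else:
        raise ValueError("unhandled protocol %r" % proto)
    if len(parts) < len(names):
        raise ValueError("record has %d fields, expected %d"
                         % (len(parts), len(names)))
    rec = dict(zip(names, parts))
    for key in ("rule", "ttl", "length", "sport", "dport", "datalen"):
        rec[key] = int(rec[key])
    return rec


def check_openvpn_flow(rec, wan_iface, port):
    """Decide whether this record is an inbound OpenVPN packet that pf passed.

    Returns (ok, reason). A True result only clears the filter rules: pf
    passing the packet says nothing about what happens to it afterwards
    (a 1:1 NAT or port forward on the same address can still steer it away
    from the OpenVPN process).
    """
    problems = []
    if rec["iface"] != wan_iface:
        problems.append("logged on %s, not WAN %s" % (rec["iface"], wan_iface))
    if rec["direction"] != "in":
        problems.append("direction is %s, not in" % rec["direction"])
    if rec["proto"] != "udp":
        problems.append("protocol is %s, not udp" % rec["proto"])
    if rec["dport"] != port:
        problems.append("destination port %d, not %d" % (rec["dport"], port))
    if rec["action"] != "pass":
        problems.append("pf action was %s (rule %d)" % (rec["action"], rec["rule"]))
    # Sanity check on the record itself: filterlog logs the UDP length field,
    # which should equal the IP total length minus a 20-byte header
    # (assumption: no IP options, since the header length is not logged).
    if rec["proto"] == "udp" and rec["length"] - 20 != rec["datalen"]:
        problems.append("IP length %d and UDP length %d do not agree"
                        % (rec["length"], rec["datalen"]))
    if problems:
        return False, "; ".join(problems)
    return True, ("pf passed it on %s to udp/%d by rule %d; if OpenVPN still "
                  "logs nothing, look at NAT (1:1, port forward) rather than "
                  "the rules" % (wan_iface, port, rec["rule"]))


if __name__ == "__main__":
    rec = parse_filterlog(SAMPLE)
    print(check_openvpn_flow(rec, "msk0", 64194))
    # Constructed variant: the same packet if a rule above had blocked it.
    blocked = parse_filterlog(SAMPLE.replace(",pass,", ",block,"))
    print(check_openvpn_flow(blocked, "msk0", 64194))
```

Feeding the real WAN interface name and the OpenVPN port makes the check a quick way to sort "the rules dropped it" from "the rules passed it and something after the filter ate it", which is the distinction the thread's own resolution turns on.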

  • I found it! For some reason, I had a 1:1 NAT entry pointing the 1st IP of my external address block to the internal IP address of the pfsense box. This kills it of course.

