Open VPN NAT driving me crazy
  • Hi pfSense Gurus,

    Either I am doing something very obviously wrong or I just don't get it.
    I have pfSense 2.3.2-RELEASE running in VMware, with 2 physical NICs in bridge mode attached to their corresponding LAN segments (separated into vmnet0 and vmnet1):
    1 for LAN to my internal network, 1 for WAN to my "external" segment. I can ping my LAN clients and the default gateway on the WAN side, so I figured the basic setup is more or less correct.

    Now I am trying to use pfSense as an OpenVPN client to policy-route some of my internal clients into the VPN tunnel.
    Interface + gateway for the VPN are created and green.

    Topology:

    States seem to indicate no return traffic

    Outbound NAT:

    LAN FW Rule:

    OpenVPN client diagnostics show the tunnel as connected, but I am unable to send any traffic across the link. The state seems to see no return traffic.
    Strangely, tcpdump on the OpenVPN interface only shows ARP traffic inside the tunnel.

    I would be very grateful for any hints or clues on how to solve this.

    Cheers
    Chris


  • LAYER 8 Global Moderator

    From your state table it sure looks like traffic went out the tunnel for 8.8.8.8, but you just didn't get any answer..

    So you're saying when you sniff on the OpenVPN interface you see no traffic?  You sure the connection is up and working?  I tried to duplicate your problem and it works clickity clickity out of the box.  You sure that you can talk to 8.8.8.8 on UDP 53 from the end of your VPN tunnel?

    So I have a VPN connection to one of my VPSes; I leave it up for this sort of troubleshooting.  So I created a policy route to send traffic going from my box 192.168.9.100 to 8.8.8.8 down the tunnel.

    As you see, I get a response to my DNS query.

    
    > dig @8.8.8.8 www.google.com
    
    ; <<>> DiG 9.10.4-P2 <<>> @8.8.8.8 www.google.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31905
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;www.google.com.                        IN      A
    
    ;; ANSWER SECTION:
    www.google.com.         299     IN      A       172.217.4.132
    
    ;; Query time: 120 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Mon Aug 29 13:50:29 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 59

    If I sniff on the VPN interface I see the traffic go out and the response come back.
    If I look at the states I see that there is an answer to the state, etc.

    I don't see anything that is jumping out as wrong, other than being curious why you're setting static port on your NAT?  That really shouldn't be a problem, but I don't see why you would need/want that?  I would just do hybrid outbound on your NAT; that way if you add any more interfaces the NAT would auto happen for them, etc.

    You should see the traffic in your tunnel.  Start a sniff in the tunnel for your dest IP, start the sniff and then generate some traffic.. If you're logging everything in the tunnel maybe you're hitting the 100 packet limit and just not catching the traffic.  But from what I see it looks like you're just not getting an answer to what you're sending down the tunnel.

  • Thank you! It was indeed the tunnel itself having a problem. Apparently I had to check "Don't add routes" in the client config. It was generating errors I did not notice previously; while the client was connected, the route add failed:

    Aug 29 21:26:17 openvpn 65098 /sbin/route add -net 0.0.0.0 10.10.10.1 128.0.0.0
    Aug 29 21:26:17 openvpn 65098 ERROR: FreeBSD route add command failed: external program exited with error status: 1

    After that I had to switch from tun to tap, which solved the issue. (Even though ibVPN states in the pfSense tutorial that one should use TUN.)
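The two log lines above are the symptom worth catching automatically: the client reports "connected" while the routes that would actually steer traffic into the tunnel never get installed. The following is an added example (my own, not the poster's or pfSense's code) that parses OpenVPN log lines of the format shown in the thread, pairs each `/sbin/route add` with a following failure line, converts the BSD `-net NET GW MASK` form to CIDR, and recognises the `0.0.0.0/1` + `128.0.0.0/1` pair that `redirect-gateway def1` pushes. The sample log is constructed; only the first two lines are from the thread, the `128.0.0.0` half is what def1 normally pushes alongside it.

```python
import re
import ipaddress

# Constructed sample in the pfSense OpenVPN log format seen in the thread.
# Lines 1-2 are from the post; lines 3-4 are the second def1 half (assumed).
SAMPLE_LOG = """\
Aug 29 21:26:17 openvpn 65098 /sbin/route add -net 0.0.0.0 10.10.10.1 128.0.0.0
Aug 29 21:26:17 openvpn 65098 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Aug 29 21:26:17 openvpn 65098 /sbin/route add -net 128.0.0.0 10.10.10.1 128.0.0.0
Aug 29 21:26:17 openvpn 65098 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Aug 29 21:26:18 openvpn 65098 Initialization Sequence Completed
"""

# BSD route syntax logged by OpenVPN: route add -net <network> <gateway> <netmask>
ROUTE_RE = re.compile(r"/sbin/route add -net (\S+) (\S+) (\S+)")
FAIL_RE = re.compile(r"ERROR: FreeBSD route add command failed")


def failed_routes(log_text):
    """Return [(cidr, gateway), ...] for every route add whose next line reports failure."""
    found = []
    pending = None  # the most recent route add, awaiting its outcome line
    for line in log_text.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            net, gw, mask = m.groups()
            # ipaddress accepts a dotted netmask, e.g. "0.0.0.0/128.0.0.0" -> 0.0.0.0/1
            pending = (str(ipaddress.ip_network(f"{net}/{mask}")), gw)
            continue
        if pending and FAIL_RE.search(line):
            found.append(pending)
        pending = None  # any other line means the add did not fail
    return found


def is_def1_pair(routes):
    """True if the failed routes are the two /1 halves used by redirect-gateway def1."""
    nets = {cidr for cidr, _ in routes}
    return {"0.0.0.0/1", "128.0.0.0/1"} <= nets


if __name__ == "__main__":
    bad = failed_routes(SAMPLE_LOG)
    for cidr, gw in bad:
        print(f"route install failed: {cidr} via {gw}")
    if is_def1_pair(bad):
        print("def1 default-route override failed; tunnel is up but carries no traffic")
```

Run it against the OpenVPN log exported from Status > System Logs; an empty result means no route add failed in that window.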
  • LAYER 8 Global Moderator

    Why would you be using TAP.. That is not what you should be using..



  • Honestly, I am puzzled by that as well.
    I am aware of the differences between TUN and TAP (i.e. layer 3 only vs. layer 2/bridge); however, it nagged me that I was seeing ARP requests on ovpnc1 from the tunnel endpoint.

    ovpnc1=10.10.10.8
    Endpoint=10.10.10.1

    ARP, Request who-has 10.10.10.8 tell 10.10.10.1, length 28

    In TUN mode the ovpnc1 is configured with NOARP, hence it never replied. Now in TAP mode it is replying and traffic is working.


  • LAYER 8 Global Moderator

    Where did you set no arp?  What are you trying to arp to?  So you want/need an L2 vs L3 connection?



  • I did not set NOARP, but as far as I know TUN interfaces in OpenVPN have NOARP by default and I guess it is inherited by ovpnc1. Please correct me if I am mistaken here.

    I use ibVPN (www.ibvpn.com) as VPN provider for Netflix; it seems in all their .ovpn config files they use "TAP" instead of "TUN". However, in their pfSense tutorial they wrote to use "TUN", which is probably wrong for their topology…

    10.10.10.1 is the gateway on their side. 10.10.10.8 is my tunnel side. 10.10.10.1 was arping 10.10.10.8.


  • LAYER 8 Global Moderator

    Well if the provider uses tap then yeah you would have to use tap as well.. That is a pretty shitty setup for a VPN provider if you ask me.. What would be the point of using tap???  That blows my mind.

    If you were seeing ARPs from their side then yeah they're using tap..  Why, I have no idea??  If you look at your VPN interface in pfSense, yeah it would be in pointopoint mode.. Which wouldn't be arping, etc.  When you mentioned no arp, though, it sounded like you had set that somewhere; I don't recall ever seeing such a setting anywhere in pfSense ;)

    FreeBSD ifconfig for the VPN interface doesn't list the noarp option set.  But you shouldn't really be seeing ARP over tun.. What is the point?  Traffic is just sent down the tunnel; why should you have to ARP for the other end?



  • The only reason I can think of for using TAP is that it allows broadcast/multicast-based services to work over the tunnel, for example mDNS.


  • LAYER 8 Global Moderator

    That is something you might want from a road-warrior VPN into your own network.. Not for a VPN designed to hide your traffic from your ISP/local network, hide the IP you're coming from to the sites you're going to, and circumvent geographic restrictions.

    For what possible reason would you need L2 connectivity to some VPN service??  Completely utterly broken!!!  Who/what would you be broadcasting for?
