Netgate Discussion Forum
    OpenVPN works for initial connection, then fails after. Reboot fixes it.

OpenVPN
10 Posts 3 Posters 3.5k Views
raiderj

      So I have a strange issue, and I'm at a loss as to why. There's something getting blocked I think to the OpenVPN server I have running, but I can't figure out what. I have an OpenVPN server running on port 1206, and clients can connect successfully at first. Even if they disconnect, then quickly reconnect. But, after several minutes, they are no longer able to connect. The OpenVPN client just times out. If I reboot the pfSense VM running the OpenVPN server, the clients immediately reconnect.

      My network setup is a bit odd, I have ESXi running a pfSense VM, which is behind my primary router. Since my OpenVPN server is running on port 1206, I have a port forwarding rule (UDP) on 1206 where traffic is redirected to the pfSense WAN IP (10.11.12.99).

      Do I need other ports forwarded to pfSense for OpenVPN? What if I have multiple clients connecting… wouldn't more ports be used? If so, could that be why pfSense can't be contacted?

Derelict (LAYER 8, Netgate)

        No. None of those issues apply. You only need the one port forwarded.

        You are probably going to need to pcap on pfSense WAN and see if packets continue to arrive on UDP 1206 when the OpenVPN stops working. If not, you'll have to figure out why. If they do, check the OpenVPN logs and see what the problem is there.

        My first guess is an IP address conflict between your pfSense WAN address and another device in your network/virtual environment. That's a typical cause for "works a short time, then stops, then works again for a short while after I reboot" trouble descriptions.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

raiderj

          I've been tinkering, currently trying to either force all client traffic through the tunnel, or with manual outbound NAT rules. My pfSense WAN IP isn't conflicting with any other devices, that I'm confident about.

          I did a packet capture, and it appears that packets are incoming on port 1206, but they never seem to make it to OpenVPN. Would that be the case if outbound NAT is failing? Will OpenVPN not show any traffic if incoming traffic is working, but not outbound?

Derelict (LAYER 8, Netgate)

            If you are receiving the traffic on the OpenVPN port, look at the OpenVPN logs.

raiderj

              Here's a diagram of what I'm trying to accomplish. I'm not convinced it's the best way to go, so open to suggestions.

Goal: Create multiple "demo" networks that have the same network space, as I'm cloning VMs between them. This way I can give individual users their own sandbox and VPN connection. I'm running pfSense as a VM behind an existing network, so essentially I'm port forwarding the OpenVPN UDP port through a router and then a hardware pfSense.

Doing this works, at least at first. I can give a user a VPN config that points them to our WAN IP, using port 1201. At first they can tunnel through to their own LAN successfully. Multiple disconnects and reconnects work, but then stop for some reason. If I reboot the Demo Firewall (pfSense VM), then the VPN comes back up right away.

              If I do a PCAP on both firewalls, I see packets on the first firewall, but nothing gets through to the Demo Firewall.

06:37:08.715675 IP <wan ip>.55264 > 192.168.1.199.1201: UDP, length 42

EDIT: After ~18 minutes, the VPN reconnects itself. Nothing has changed, I just let it sit and retry every 60 seconds. Very strange…

kaas
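As an added example (not code from the thread), here is the correlation Derelict suggested and raiderj did by hand: parse tcpdump-style lines from a capture on the outer router's WAN and one on the pfSense VM's WAN, then list client flows that show up upstream but never reach the inner firewall. The sample lines are constructed; 203.0.113.5 stands in for the client's public IP, and 10.11.12.99 is the pfSense WAN address given earlier in the thread.

```python
import re
from collections import defaultdict

# Constructed sample captures in tcpdump's default text format (not real data).
# Outer router WAN: two client source ports are seen hitting UDP 1201.
OUTER_WAN_CAPTURE = """\
06:37:08.715675 IP 203.0.113.5.55264 > 192.168.1.199.1201: UDP, length 42
06:37:10.101244 IP 203.0.113.5.55264 > 192.168.1.199.1201: UDP, length 42
06:37:12.330019 IP 203.0.113.5.48120 > 192.168.1.199.1201: UDP, length 42
"""
# Inner pfSense WAN: only one of those flows made it through the second NAT hop.
INNER_WAN_CAPTURE = """\
06:37:12.330420 IP 203.0.113.5.48120 > 10.11.12.99.1201: UDP, length 42
"""

LINE_RE = re.compile(
    r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)"
)


def parse_capture(text, port):
    """Return {(src_ip, src_port): packet_count} for UDP packets sent to `port`."""
    flows = defaultdict(int)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group(5)) != port:
            continue
        flows[(m.group(2), int(m.group(3)))] += 1
    return dict(flows)


def missing_flows(outer_text, inner_text, port):
    """Client flows seen on the outer capture but absent from the inner one.

    Flows are keyed on client source IP/port only, because the destination
    address is rewritten at each NAT hop and differs between the two captures.
    """
    outer = parse_capture(outer_text, port)
    inner = parse_capture(inner_text, port)
    return {flow: count for flow, count in outer.items() if flow not in inner}


def report(outer_text, inner_text, port):
    """One-line verdict: which hop to investigate next."""
    lost = missing_flows(outer_text, inner_text, port)
    if not lost:
        return "all client flows reached the inner firewall; check the OpenVPN log next"
    detail = ", ".join(f"{ip}:{sport} ({n} pkts)" for (ip, sport), n in sorted(lost.items()))
    return f"dropped between the firewalls, check the outer forward/NAT state: {detail}"


if __name__ == "__main__":
    print(report(OUTER_WAN_CAPTURE, INNER_WAN_CAPTURE, 1201))
```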

Any news on this, even though it's an old thread? I have exactly the same issue right now… and I cannot get it working.

                On my old network it was working great without issues.

raiderj

This is an old thread… I don't recall what the fix was, unfortunately. I was able to get this setup to work. I put individual pfSense instances on their own static WAN IP, which was itself on an internal network. I had to double NAT the IP/ports, but was able to get the OpenVPN instances to work.

                  It was kind of a wonky setup, but I recall it being just as simple as forwarding the proper IPs through the firewalls. Just need a single UDP port to each pfSense instance IP.

kaas

Sad to hear… I also created a new thread. I am honestly ripping my own hair out right now…

raiderj

                      Have you checked NTP? I see a note I have about that, but not sure if it's related. Maybe a time drift causing issues.

kaas

                        @raiderj:

                        Have you checked NTP? I see a note I have about that, but not sure if it's related. Maybe a time drift causing issues.

Yea… This is the error I get (after trying to reconnect):
Warning: route gateway is not reachable on any active network adapters: 172.16.0.1

When connecting the first time it works fine, though...

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.