Netgate Discussion Forum
    OpenVPN not accessible via external networks

    9 Posts 3 Posters 3.1k Views
zachary12

      Hi there,
I'm trying to access my OpenVPN server externally. I can connect to the server on the local network, but when I try from my phone using mobile data, it can't connect. I've forwarded 1194 UDP at the modem, and the firewall rules were all added by the server.
      Screenshots of config here http://imgur.com/a/UN26m
Client config is:

      dev tun
      persist-tun
      persist-key
      cipher AES-256-CBC
      auth SHA1
      tls-client
      client
      resolv-retry infinite
      remote <ip> 1194 udp
      verify-x509-name "pfSense-CA" name
      auth-user-pass
      pkcs12 pfSense-udp-1194-client1.p12
      tls-auth pfSense-udp-1194-client1-tls.key 1
comp-lzo adaptive

Server config is:

      dev ovpns2
      verb 3
      dev-type tun
      dev-node /dev/tun2
      writepid /var/run/openvpn_server2.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-256-CBC
      auth SHA1
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      client-connect /usr/local/sbin/openvpn.attributes.sh
      client-disconnect /usr/local/sbin/openvpn.attributes.sh
      engine rdrand
      tls-server
      server 10.8.1.0 255.255.255.0
      client-config-dir /var/etc/openvpn-csc/server2
      username-as-common-name
      auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user <removed> false server2 1194" via-env
      tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'pfSense-CA' 1"
      lport 1194
      management /var/etc/openvpn/server2.sock unix
      max-clients 10
      push "route 192.168.0.0 255.255.255.0"
      push "dhcp-option DNS 192.168.0.1"
      push "dhcp-option DNS 8.8.8.8"
      push "dhcp-option DNS 8.8.4.4"
      client-to-client
      ca /var/etc/openvpn/server2.ca
      cert /var/etc/openvpn/server2.cert
      key /var/etc/openvpn/server2.key
      dh /etc/dh-parameters.2048
      tls-auth /var/etc/openvpn/server2.tls-auth 0
      comp-lzo adaptive
      persist-remote-ip
      float
topology subnet

Any help appreciated. I'm not a network guy, so it may be something obvious to y'all.

seArs

        @zachary12:

remote <ip> 1194 udp

First, make sure the replacement for the <ip> is your public IP (WAN side of the TP-Link) and not the 192.168.0.1 used in your "from local network" example.
You could also type your FQDN here if you use something like a DynDNS service.

Second, your WAN configuration shown in that picture (192.168.1.120) is a mismatch with the port-forwarding rule (192.168.0.1:1194). Combined with the assigned gateway (192.168.0.254), you shouldn't even have an Internet connection with that config.

The good news is your OVPN config itself works, as you have proven yourself. The problem here is now just about connectivity.

zachary12

          @seArs:

First, make sure the replacement for the <ip> is your public IP (WAN side of the TP-Link) and not the 192.168.0.1 used in your "from local network" example.
You could also type your FQDN here if you use something like a DynDNS service.

          Yep, the IP in the client config is definitely the wan IP.

          @seArs:

Second, your WAN configuration shown in that picture (192.168.1.120) is a mismatch with the port-forwarding rule (192.168.0.1:1194). Combined with the assigned gateway (192.168.0.254), you shouldn't even have an Internet connection with that config.

The good news is your OVPN config itself works, as you have proven yourself. The problem here is now just about connectivity.

I think you're onto something: the pfSense box is 192.168.0.1 (running DHCP on the LAN interface), the TP-Link router is 192.168.0.254. 192.168.1.120 was a random address I made up for the WAN interface; I can't assign the WAN IP to anything in the 192.168.0.0/24 block as it's already in use. The TP-Link modem will only port forward to that subnet.

          Internet is working (running OpenVPN client as well).

seArs

            @zachary12:

I think you're onto something: the pfSense box is 192.168.0.1 (running DHCP on the LAN interface), the TP-Link router is 192.168.0.254. 192.168.1.120 was a random address I made up for the WAN interface; I can't assign the WAN IP to anything in the 192.168.0.0/24 block as it's already in use. The TP-Link modem will only port forward to that subnet.

            Internet is working (running OpenVPN client as well).

DHCP on the LAN interface of the TP-Link? Then the pfSense WAN setup "static IPv4" with the 192.168.1.120 makes no sense at all…

Or is the 192.168.0.1 on the pfSense LAN interface where you run DHCP? If it is like this and the Internet connection is up, you need to apply a firewall rule for the LAN interface too, because the VPN client is forwarded to its address.

zachary12

              @seArs:

Or is the 192.168.0.1 on the pfSense LAN interface where you run DHCP? If it is like this and the Internet connection is up, you need to apply a firewall rule for the LAN interface too, because the VPN client is forwarded to its address.

              Correct, DHCP on pfSense.

Here's my LAN firewall rules: http://i.imgur.com/qdrbcdM.png (vpngroup is an alias for an IP range that gets routed through the OpenVPN client).

              Does the second rule allow OpenVPN traffic inbound from the modem?

seArs

                @zachary12:

(vpngroup is an alias for an IP range that gets routed through the OpenVPN client)

                Does the second rule allow OpenVPN traffic inbound from the modem?

It allows the traffic through the tunnel once it's established.
You still need to allow port 1194 with destination "LAN_address" on the LAN interface. Also, the WAN firewall rule needs a little change: the destination address there has to be changed to "LAN_address" (or 192.168.0.1) too.

EDIT: Still curious about your setup as a whole… Is the TP-Link connected to the pfSense LAN interface, maybe via a switch?

zachary12

                  @seArs:

It allows the traffic through the tunnel once it's established.
You still need to allow port 1194 with destination "LAN_address" on the LAN interface. Also, the WAN firewall rule needs a little change: the destination address there has to be changed to "LAN_address" (or 192.168.0.1) too.

Well okay! So that did the trick, I can connect via my Android phone! Thank you very much! One question: if I wanted to route my VPN traffic through my VPN gateway, I'd need a LAN rule that forwards all traffic on the OpenVPN server interface (I'll need to assign this) via the OpenVPN client gateway?

                  @seArs:

EDIT: Still curious about your setup as a whole… Is the TP-Link connected to the pfSense LAN interface, maybe via a switch?

My setup may not be 'best practice', but I've got a DSL modem (TP-Link) with a cable going into pfSense NIC #1, then a cable going from pfSense NIC #2 back into the TP-Link. The TP-Link does the modem part and handles all the wireless clients, but DHCP/DNS/OpenVPN client etc. come from pfSense. I'm not a networky person and I've only set this up over the past weekend, so I may have committed a few networking faux pas.

seArs

                    @zachary12:

Well okay! So that did the trick, I can connect via my Android phone! Thank you very much! One question: if I wanted to route my VPN traffic through my VPN gateway, I'd need a LAN rule that forwards all traffic on the OpenVPN server interface (I'll need to assign this) via the OpenVPN client gateway?

I might have got this wrong, but I don't see what this would be needed for.
When you connect to the VPN server (on pfSense) from your mobile/laptop etc., you establish a tunnel with 10.8.1.0/24 as the tunnel network, if I read your config correctly.
At this point your pfSense box "knows" about the 10.8.1.0/24 net (including the VPN client address) because it's directly connected to it, just like the 192.168.1.0/24 net. No routing required so far.
Your VPN client "knows" the same nets: 10.8.1.0/24 directly connected, 192.168.0.1/24 via the pushed route in the VPN server config. The VPN client should be able to reach every client and every client's services in both of these nets.
The only thing not reachable is the Internet "behind" the TP-Link. The VPN client would need additional routes for that.

On the pfSense box you don't need to "forward" anything. You just have to allow the traffic generated by the VPN client to pass on the interfaces where it should pass.

Hope this answer meets the point of your question…

all5n

                      Had this same problem today.

In testing a new pfSense install on my home network, the WAN address is being assigned a 192.168 address.

The resolution ended up being to turn off "Block private networks and loopback addresses" and "Block bogon networks" in the Interfaces -> WAN configuration.

After I turned these off, I could connect to the WAN:1194 UDP port.

I will turn these back on when I deploy this device and the WAN is assigned a public address.

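As an added illustration, not code from the thread or from pfSense itself, here is a small Python model of the reasoning behind seArs's fix (the forwarded packet enters on LAN, so it needs a LAN rule) and all5n's workaround (a private WAN address plus "Block private networks"). It assumes the thread's addressing (pfSense WAN 192.168.1.120/24, LAN 192.168.0.1/24), a constructed mobile-client address 203.0.113.5, that a forwarded packet enters on the pfSense interface whose subnet contains its destination, and that "Block private networks" is modelled as an RFC1918 source check on WAN only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the thread's topology (an assumption, not pfSense code): pfSense WAN
# 192.168.1.120/24, LAN 192.168.0.1/24, and the TP-Link forwards UDP/1194 to 192.168.0.1.
IFACE_ADDRS = {"WAN": "192.168.1.120/24", "LAN": "192.168.0.1/24"}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Rule:
    iface: str            # interface tab the rule lives on: "WAN" or "LAN"
    proto: str            # "udp", "tcp" or "any"
    dst: str              # "WAN address", "LAN address", a CIDR, or "any"
    dport: Optional[int]  # destination port, None = any port

def resolve_dst(dst):
    """Map pfSense's '<IFACE> address' macro to that interface's own IP (/32)."""
    if dst.endswith(" address"):
        return ip_network(IFACE_ADDRS[dst.split()[0]].split("/")[0])
    return None if dst == "any" else ip_network(dst, strict=False)

def ingress_iface(dst_ip):
    """Simplification: the forwarded packet arrives on the interface whose subnet holds its destination."""
    for name, cidr in IFACE_ADDRS.items():
        if dst_ip in ip_network(cidr, strict=False):
            return name
    return None

def evaluate(src, dst, proto, dport, rules, block_private_on_wan=False):
    """First matching pass rule on the ingress interface wins; otherwise inbound is denied by default."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    iface = ingress_iface(dst_ip)
    if iface is None:
        return "drop", "destination is not on any pfSense interface"
    if iface == "WAN" and block_private_on_wan and any(src_ip in n for n in RFC1918):
        return "drop", "WAN 'Block private networks' dropped the RFC1918 source"
    for r in rules:
        if r.iface != iface or r.proto not in ("any", proto) or r.dport not in (None, dport):
            continue
        net = resolve_dst(r.dst)
        if net is not None and dst_ip not in net:
            continue
        return "pass", f"matched {r.iface} rule {r.proto} -> {r.dst}:{r.dport or 'any'}"
    return "drop", f"no pass rule on {iface}; inbound is denied by default"

# Rules as posted: the wizard only added a WAN rule, which the forwarded packet never reaches.
WIZARD_RULES = [Rule("WAN", "udp", "WAN address", 1194)]
# seArs's fix: allow UDP/1194 to the LAN address on the LAN tab (and repoint the WAN rule there).
FIXED_RULES = [Rule("WAN", "udp", "LAN address", 1194), Rule("LAN", "udp", "LAN address", 1194)]
```

With the wizard's WAN-only rule, the packet forwarded to 192.168.0.1 enters on LAN and is dropped; adding the LAN rule passes it, and a private-sourced packet arriving on a private WAN is dropped only while the block-private check is on.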