Netgate Discussion Forum

OpenVPN not accessible via external networks

Forum category: OpenVPN
9 Posts 3 Posters 3.1k Views

zachary12
last edited by Mar 30, 2017, 7:01 AM

Hi there,
I'm trying to access my OpenVPN server externally. I can connect to the server on the local network but when I try from my phone using mobile data, it can't connect. I've forwarded 1194 UDP at the modem and the firewall rules were all added by the server.
Screenshots of config here http://imgur.com/a/UN26m
client config is

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote <ip> 1194 udp
    verify-x509-name "pfSense-CA" name
    auth-user-pass
    pkcs12 pfSense-udp-1194-client1.p12
    tls-auth pfSense-udp-1194-client1-tls.key 1
    comp-lzo adaptive

server config is

    dev ovpns2
    verb 3
    dev-type tun
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    engine rdrand
    tls-server
    server 10.8.1.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server2
    username-as-common-name
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user <removed> false server2 1194" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'pfSense-CA' 1"
    lport 1194
    management /var/etc/openvpn/server2.sock unix
    max-clients 10
    push "route 192.168.0.0 255.255.255.0"
    push "dhcp-option DNS 192.168.0.1"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    client-to-client
    ca /var/etc/openvpn/server2.ca
    cert /var/etc/openvpn/server2.cert
    key /var/etc/openvpn/server2.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server2.tls-auth 0
    comp-lzo adaptive
    persist-remote-ip
    float
    topology subnet

Any help appreciated, I'm not a network guy so it may be something obvious to y'all.

seArs
last edited by Mar 30, 2017, 8:06 AM

@zachary12:

    remote <ip> 1194 udp

First, make sure the replacement for the <ip> is your public IP (WAN side of the TP-Link) and not the 192.168.0.1 used in your "from local network" example.
You could also type your FQDN here if you use something like a DynDNS service.

Second, your WAN configuration shown in that picture (192.168.1.120) is a mismatch to the port-forwarding rule (192.168.0.1:1194). Combined with the assigned gateway (192.168.0.254) you shouldn't even have an Internet connection with that config.

The good news is your ovpn config itself works, as you have proven yourself. The problem here is now just about connectivity.

zachary12
last edited by Mar 30, 2017, 8:22 AM

@seArs:

    First, make sure the replacement for the <ip> is your public IP (WAN side of the TP-Link) and not the 192.168.0.1 used in your "from local network" example.
    You could also type your FQDN here if you use something like a DynDNS service.

Yep, the IP in the client config is definitely the WAN IP.

@seArs:

    Second, your WAN configuration shown in that picture (192.168.1.120) is a mismatch to the port-forwarding rule (192.168.0.1:1194). Combined with the assigned gateway (192.168.0.254) you shouldn't even have an Internet connection with that config.

    The good news is your ovpn config itself works, as you have proven yourself. The problem here is now just about connectivity.

I think you're onto something. The pfSense box is 192.168.0.1 (running DHCP on the LAN interface), the TP-Link router is 192.168.0.254. 192.168.1.120 was a random address I made up for the WAN interface; I can't assign the WAN IP to anything in the 192.168.0.0/24 block as it's already in use. The TP-Link modem will only port fwd to that subnet.

Internet is working (running OpenVPN client as well).

seArs
last edited by Mar 30, 2017, 8:34 AM

@zachary12:

    I think you're onto something. The pfSense box is 192.168.0.1 (running DHCP on the LAN interface), the TP-Link router is 192.168.0.254. 192.168.1.120 was a random address I made up for the WAN interface; I can't assign the WAN IP to anything in the 192.168.0.0/24 block as it's already in use. The TP-Link modem will only port fwd to that subnet.

    Internet is working (running OpenVPN client as well).

DHCP on the LAN interface of the TP-Link? Then the pfSense WAN setup "static ipv4" with the 192.168.1.120 makes no sense at all…

Or is the 192.168.0.1 on the pfSense LAN interface where you run DHCP? If it is like this and the Internet connection is up, you need to apply a firewall rule for the LAN interface too, because the VPN client is forwarded to its address.

zachary12
last edited by Mar 30, 2017, 8:45 AM

@seArs:

    Or is the 192.168.0.1 on the pfSense LAN interface where you run DHCP? If it is like this and the Internet connection is up, you need to apply a firewall rule for the LAN interface too, because the VPN client is forwarded to its address.

Correct, DHCP on pfSense.

Here's my LAN firewall rules, http://i.imgur.com/qdrbcdM.png (vpngroup is an alias for an IP range that gets routed through the OpenVPN client)

Does the second rule allow OpenVPN traffic inbound from the modem?

seArs
last edited by Mar 30, 2017, 9:05 AM

@zachary12:

    (vpngroup is an alias for an IP range that gets routed through the OpenVPN client)

    Does the second rule allow OpenVPN traffic inbound from the modem?

It allows the traffic through the tunnel when it's established.
You still need to allow port 1194 with destination "LAN_address" on the LAN interface. Also the WAN fw rule needs a little change: the destination address here has to be changed to "LAN_address" (or 192.168.0.1) too.

EDIT: Still curious about your setup as a whole… Is the TP-Link connected to the pfSense's LAN interface, maybe via a switch?

zachary12
last edited by Mar 30, 2017, 9:42 AM

@seArs:

    It allows the traffic through the tunnel when it's established.
    You still need to allow port 1194 with destination "LAN_address" on the LAN interface. Also the WAN fw rule needs a little change: the destination address here has to be changed to "LAN_address" (or 192.168.0.1) too.

Well okay! So that did the trick, I can connect via my Android phone! Thank you very much! One question: if I wanted to route my VPN traffic through my VPN gateway, I'd need a LAN rule that fwds all traffic on the OpenVPN server interface (I'll need to assign this) via the OpenVPN client gateway?

@seArs:

    EDIT: Still curious about your setup as a whole… Is the TP-Link connected to the pfSense's LAN interface, maybe via a switch?

My setup may not be 'best practices' but I've got a DSL modem (TP-Link) with a cable going into pfSense NIC #1, then a cable going from pfSense NIC #2 back into the TP-Link. The TP-Link does the modem part and handles all the wireless clients, but DHCP/DNS/OpenVPN client etc. comes from pfSense. I'm not a networky person and I've only set this up over the past weekend, so I may have committed a few networking faux pas.

seArs
last edited by Mar 30, 2017, 11:09 AM

@zachary12:

    Well okay! So that did the trick, I can connect via my Android phone! Thank you very much! One question: if I wanted to route my VPN traffic through my VPN gateway, I'd need a LAN rule that fwds all traffic on the OpenVPN server interface (I'll need to assign this) via the OpenVPN client gateway?

I might have got this wrong, but I don't see what this would be needed for.
When you connect to the VPN server (on pfSense) from your mobile / laptop etc. you establish a tunnel with 10.8.1.0/24 as the tunnel network, if I read your config correctly.
At this point your pfSense box "knows" about the 10.8.1.0/24 net (including the VPN client address) because it's directly connected to it, just like the 192.168.1.0/24 net. No routing required so far.
Your VPN client "knows" the same nets: 10.8.1.0/24 directly connected, 192.168.0.1/24 via the pushed route in the VPN server config. The VPN client should be able to reach every client / client's services in both of these nets.
The only thing not reachable is the Internet "behind" the TP-Link. The VPN client would need additional routes for that.

On the pfSense box you don't need to "forward" anything. You just have to allow the traffic generated by the VPN client to pass on the interfaces where it should pass.

Hope this answer meets the point of your question…

all5n
last edited by Mar 31, 2017, 6:27 PM

Had this same problem today.

In testing a new pfSense install on my home network, the WAN address is being assigned a 192.168 address.

The resolution ended up being to turn off "Block private networks and loopback addresses" and "Block bogon networks" in the Interfaces->WAN configuration.

After I turned these off, I could connect to the WAN:1194 UDP port.

I will turn these back on when I deploy this device and the WAN is assigned a public address.

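Added example, not pfSense code and not from either poster: a small Python model of pfSense-style per-interface rule evaluation, built around the two points made in this thread. seArs' point is that the modem's port forward delivers the VPN packet to 192.168.0.1, which is pfSense's LAN address, so the packet enters on the LAN interface and a WAN-side rule never sees it; a LAN rule passing UDP/1194 to "LAN_address" is what lets it through. all5n's point is that "Block private networks" on WAN drops RFC1918 sources before the rule set is consulted, which matters when WAN itself sits on a private subnet. The interface addresses and ports are the thread's; the Packet/Rule structures, the public client address 203.0.113.7 and the private source 192.168.1.1 are constructed for this example, and the RFC1918 check is only an approximation of the pfSense option.

```python
"""Toy model of pfSense interface rules for the double-NAT OpenVPN setup above.

Topology from the thread: the TP-Link modem (192.168.0.254) forwards UDP/1194
to 192.168.0.1, the pfSense LAN address; the pfSense WAN interface carries
192.168.1.120. Everything else here is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Interface addresses from the thread; "LAN_address"/"WAN_address" are the
# rule-editor tokens that resolve to them.
IFACE_ADDR = {"WAN_address": "192.168.1.120", "LAN_address": "192.168.0.1"}


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on ("WAN" or "LAN")
    proto: str   # "udp" or "tcp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """A pass rule; inbound traffic on an interface is denied unless one matches."""
    iface: str
    proto: str            # "udp", "tcp" or "any"
    src: str              # CIDR or "any"
    dst: str              # "LAN_address", "WAN_address", a CIDR, or "any"
    dport: Optional[int]  # None matches every port


def _addr_matches(selector: str, addr: str) -> bool:
    if selector == "any":
        return True
    if selector in IFACE_ADDR:
        return ip_address(addr) == ip_address(IFACE_ADDR[selector])
    return ip_address(addr) in ip_network(selector, strict=False)


def evaluate(pkt: Packet, rules: List[Rule],
             block_private_on_wan: bool = True) -> Tuple[str, str]:
    """Return ("pass" | "block", reason) for an inbound packet.

    The WAN "Block private networks" option is applied before the rule set
    and only drops RFC1918 *sources* arriving on WAN (approximation)."""
    if (pkt.iface == "WAN" and block_private_on_wan
            and any(ip_address(pkt.src) in net for net in RFC1918)):
        return "block", "WAN: Block private networks dropped RFC1918 source"
    for rule in rules:  # first match wins, like pf 'quick' rules
        if rule.iface != pkt.iface:
            continue  # rules are per interface: a WAN rule never sees LAN traffic
        if rule.proto not in ("any", pkt.proto):
            continue
        if not _addr_matches(rule.src, pkt.src):
            continue
        if not _addr_matches(rule.dst, pkt.dst):
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return "pass", f"matched {rule}"
    return "block", f"no pass rule on {pkt.iface} matched"


# Rule set as the thread starts: the wizard's WAN rule plus the default
# "LAN net to any" rule (source-restricted, so it ignores forwarded traffic).
ORIGINAL_RULES = [
    Rule("WAN", "udp", "any", "WAN_address", 1194),
    Rule("LAN", "any", "192.168.0.0/24", "any", None),
]
# seArs' fix: pass UDP/1194 to LAN_address on the LAN interface.
FIXED_RULES = ORIGINAL_RULES + [Rule("LAN", "udp", "any", "LAN_address", 1194)]

# The phone's packet after the modem's port forward: public source
# (constructed), destination pfSense LAN address, arriving on LAN.
FORWARDED_VPN = Packet("LAN", "udp", "203.0.113.7", "192.168.0.1", 1194)
# all5n's situation, modelled as a private-sourced packet reaching a
# private-addressed WAN (constructed addresses).
WAN_PRIVATE = Packet("WAN", "udp", "192.168.1.1", "192.168.1.120", 1194)


def thread_scenarios() -> dict:
    """Verdicts for the situations discussed in the thread."""
    return {
        "forwarded_to_lan_before_fix": evaluate(FORWARDED_VPN, ORIGINAL_RULES)[0],
        "forwarded_to_lan_after_fix": evaluate(FORWARDED_VPN, FIXED_RULES)[0],
        "private_wan_block_on": evaluate(WAN_PRIVATE, ORIGINAL_RULES, True)[0],
        "private_wan_block_off": evaluate(WAN_PRIVATE, ORIGINAL_RULES, False)[0],
    }


if __name__ == "__main__":
    for name, verdict in thread_scenarios().items():
        print(f"{name}: {verdict}")
```

Running the block prints the four verdicts: the forwarded packet is blocked under the original rules because the only LAN rule restricts its source to the LAN net and the WAN rule is on the wrong interface, and passes once the LAN rule for UDP/1194 to LAN_address exists; the private-WAN packet is dropped while "Block private networks" is on and evaluated against the WAN rule once it is off, which is why all5n's workaround only belongs on a lab box whose WAN will later get a public address.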
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.