Possible to Run OpenVPN Server and a PIA OpenVPN Client at same time?



  • Greetings,
    I'm curious if it is possible to run an OpenVPN server to permit remote connections to my network, via iPad and such, while also taking advantage of the benefits offered by Private Internet Access.  I finally got my OpenVPN server up and running and remote connections now work flawlessly.  However, when I installed PIA as instructed in the PIA pfSense router setup, the status shows as "down."  The only step I skipped was deleting the various certificates required to make the OpenVPN server work.
    I'd like the benefits of remote access to my network as well as the benefits provided by PIA.  Any suggestions or guides that I've missed?  My experience with pfSense consists of about a month, with MANY failures trying to get the OpenVPN server up and running.

    EDIT: Ok, after more tweaking, factory resetting, and more tweaking…I have everything working except one thing.  I can connect to my network via the OpenVPN server, and I have the PIA VPN Client pushed to the network IP addresses I want going through the VPN.  I can remotely access both Plex and my Blue Iris surveillance server.  However, there is one thing I cannot figure out, and I'm sure it has to do with Firewall Rules or NAT Outbound rules.  When remotely connecting to my OpenVPN server, I want those connections to be able to access the Internet as well.  Currently, any remotely connected client to my OpenVPN server can access network IPs only, and any attempts to connect to the Internet are being blocked.  The OpenVPN Server is assigned its own openvpn interface and the PIA Client is assigned its own unique PIA Interface.  If I disable the PIA client, then my OpenVPN Server connections are able to access the Internet.  Once I restart the PIA client, the Internet access of the OpenVPN Server connected clients stops.  Anyone have a suggestion or guide on how to set up the needed rules?
    EDIT 2:  Well, the recently changed NAT Outbound (posted below) allowed my OpenVPN Server remotely connected clients to access the Internet, but it broke their ability to access LAN clients.  How can I get both Internet and LAN access for clients remotely connected to the OpenVPN Server?

    EDIT 3: Never mind, all is working correctly, but for some reason the Remote Desktop client on my iPad isn't connecting this morning, whereas the RD app on my iPhone is.

    Current NAT Outbound Rules:

    Current Firewall Rules for WAN:

    Current Firewall Rules for LAN:



  • @Murrayd222:

    Greetings,

    I'm curious if it is possible to run an OpenVPN server to permit remote connections to my network, via iPad and such, while also taking advantage of the benefits offered by Private Internet Access.  I finally got my OpenVPN server up and running and remote connections now work flawlessly.  However, when I installed PIA as instructed in the PIA pfSense router setup, the status shows as "down."  The only step I skipped was deleting the various certificates required to make the OpenVPN server work.

    I'd like the benefits of remote access to my network as well as the benefits provided by PIA.  Any suggestions or guides that I've missed?  My experience with pfSense consists of about a month, with MANY failures trying to get the OpenVPN server up and running.

    Yes, this is possible.

    You'd set up the PIA connection following the guides that PIA has published, and use the wizard to create an OpenVPN remote access server.



  • Ok, I must be doing something wrong.  I can get just an OpenVPN server running that I can successfully connect to my home network with, or I can get a PIA VPN client running successfully that puts all of my clients on the PIA VPN.  But I simply can't get both running at the same time.  The PIA guide has me delete all other CAs in order to get PIA to work.  But an OpenVPN server set up to connect to my home network using the wizard doesn't work when I select the PIA CA.

    What am I doing wrong?

    TIA



  • @Murrayd222:

    The PIA guide has me delete all other CAs in order to get PIA to work.  But an OpenVPN server set up to connect to my home network using the wizard doesn't work when I select the PIA CA.

    That seems like bad advice.  I wouldn't follow a lot of the setup guides out there.  You need a CA to create the server certificate used for your OpenVPN server instance.  Unless you have a CA on another machine, it'll probably live on pfSense.  I don't see how multiple CAs or certificates would conflict.  They can co-exist just fine.

    I'd create another strong CA in pfSense and use that to generate any OpenVPN server and client certificates you need.



  • I run this same setup as well: I have two OpenVPN servers running (one on UDP 1194 and one on TCP 443) and an OpenVPN client connection to PIA.

    Check the logs in Status / System Logs / OpenVPN to see if there's anything there to help you.

    Also, I assume you assigned interfaces to each and have NAT set up?



  • Your setup sounds like what I'm trying to achieve, but with one server instead of two.  My exposure to pfSense is about two weeks old, though about one week in dealing with PIA.  I first set up an OpenVPN server and got it up and running fine, and I can remotely access my network with no problems.  I then followed the guide for installing PIA, minus deleting the CA for the OpenVPN server.  If I enable the PIA client, PIA works and changes my IP to a PIA IP.  But as soon as I enable the PIA client, I immediately lose my ability to connect to the OpenVPN server.  I'm sorry, but I'm not sure what I should be looking for and I can't seem to find the answers searching this forum.  I can't find any type of guide that basically leads me in the direction of having both the OpenVPN server (UDP 1194) and the PIA client (UDP 1198) play nicely together.

    The closest I could find was this guide, which had me create an OPT1 Interface: https://www.reddit.com/r/PFSENSE/comments/61nqso/guide_pfsense_with_private_internet_access_and/

    I created that and assigned the Interface as "ovpns1 (OpenVPNServer)", but it made no difference.

    As for the system logs, I'm not sure how to interpret them.  Here is the OpenVPN log with the OpenVPN Server already running and then enabling the PIA server and no longer being able to connect to the OpenVPN server…at which point I have to disable the PIA Client again.

    Apr 29 15:19:58 openvpn 12389 vpnuser1/174.227.149.4:12462 send_push_reply(): safe_cap=940
    Apr 29 15:19:58 openvpn 12389 vpnuser1/174.227.149.4:12462 MULTI_sva: pool returned IPv4=10.0.0.2, IPv6=(Not enabled)
    Apr 29 15:19:58 openvpn 12389 174.227.149.4:12462 [vpnuser1] Peer Connection Initiated with [AF_INET]174.227.149.4:12462
    Apr 29 15:19:57 openvpn user 'vpnuser1' authenticated
    Apr 29 15:19:47 openvpn 12389 174.227.149.4:12466 [vpnuser1] Peer Connection Initiated with [AF_INET]174.227.149.4:12466
    Apr 29 15:19:47 openvpn 12389 174.227.149.4:12466 TLS Auth Error: Auth Username/Password verification failed for peer
    Apr 29 15:19:47 openvpn 12389 174.227.149.4:12466 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
    Apr 29 15:19:47 openvpn user 'vpnuser1' could not authenticate.
    Apr 29 15:19:19 openvpn 14820 SIGTERM[hard,] received, process exiting
    Apr 29 15:19:19 openvpn 14820 /usr/local/sbin/ovpn-linkdown ovpnc2 1500 1561 10.54.10.6 10.54.10.5 init
    Apr 29 15:19:19 openvpn 14820 event_wait : Interrupted system call (code=4)
    Apr 29 15:18:46 openvpn 12389 TLS Error: incoming packet authentication failed from [AF_INET]192.168.1.140:59413
    Apr 29 15:18:46 openvpn 12389 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Apr 29 15:18:45 openvpn 12389 TLS Error: incoming packet authentication failed from [AF_INET]192.168.1.140:59413
    Apr 29 15:18:45 openvpn 12389 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Apr 29 15:17:27 openvpn 14820 Initialization Sequence Completed
    Apr 29 15:17:27 openvpn 14820 /usr/local/sbin/ovpn-linkup ovpnc2 1500 1561 10.54.10.6 10.54.10.5 init
    Apr 29 15:17:27 openvpn 14820 /sbin/ifconfig ovpnc2 10.54.10.6 10.54.10.5 mtu 1500 netmask 255.255.255.255 up
    Apr 29 15:17:27 openvpn 14820 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Apr 29 15:17:27 openvpn 14820 ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
    Apr 29 15:17:27 openvpn 14820 TUN/TAP device /dev/tun2 opened
    Apr 29 15:17:27 openvpn 14820 TUN/TAP device ovpnc2 exists previously, keep at program end
    Apr 29 15:17:25 openvpn 14820 [######a06b960e88d94b48219ef3950] Peer Connection Initiated with [AF_INET]104.156.240.167:1198
    Apr 29 15:17:25 openvpn 14820 WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
    Apr 29 15:17:25 openvpn 14820 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
    Apr 29 15:17:25 openvpn 14820 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Apr 29 15:17:25 openvpn 14820 UDPv4 link remote: [AF_INET]104.156.240.167:1198
    Apr 29 15:17:25 openvpn 14820 UDPv4 link local (bound): [AF_INET]##.##.###.180
    Apr 29 15:17:25 openvpn 14820 RESOLVE: Cannot resolve host address: us-florida.privateinternetaccess.com: hostname nor servname provided, or not known
    Apr 29 15:16:41 openvpn 14820 Initializing OpenSSL support for engine 'cryptodev'
    Apr 29 15:16:41 openvpn 14820 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Apr 29 15:16:41 openvpn 14708 WARNING: file '/var/etc/openvpn/client2.up' is group or others accessible
    Apr 29 15:16:41 openvpn 14708 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
    Apr 29 15:16:41 openvpn 14708 OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017
    Apr 29 15:16:41 openvpn 12389 Initialization Sequence Completed
    Apr 29 15:16:41 openvpn 12389 UDPv4 link remote: [undef]
    Apr 29 15:16:41 openvpn 12389 UDPv4 link local (bound): [AF_INET]##.##.###.180:1194
    Apr 29 15:16:41 openvpn 12389 /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 10.0.0.1 255.255.255.0 init
    Apr 29 15:16:41 openvpn 12389 /sbin/ifconfig ovpns1 10.0.0.1 10.0.0.2 mtu 1500 netmask 255.255.255.0 up
    Apr 29 15:16:41 openvpn 12389 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Apr 29 15:16:41 openvpn 12389 ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
    Apr 29 15:16:41 openvpn 12389 TUN/TAP device /dev/tun1 opened
    Apr 29 15:16:41 openvpn 12389 TUN/TAP device ovpns1 exists previously, keep at program end
    Apr 29 15:16:41 openvpn 12389 Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Apr 29 15:16:41 openvpn 12389 Initializing OpenSSL support for engine 'cryptodev'
    Apr 29 15:16:41 openvpn 12389 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Apr 29 15:16:41 openvpn 12389 WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
    Apr 29 15:16:41 openvpn 12242 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
    Apr 29 15:16:41 openvpn 12242 OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017

    NAT Outbound is:

    Interface  Source          Source Port  Destination  Destination Port  NAT Address      NAT Port  Description
    OpenVPN    127.0.0.0/8     *            *            500               OpenVPN address  *         Auto created rule for ISAKMP - localhost to WAN
    OpenVPN    127.0.0.0/8     *            *            *                 OpenVPN address  *         Auto created rule - localhost to WAN
    OpenVPN    192.168.1.0/24  *            *            500               OpenVPN address  *         Auto created rule for ISAKMP - LAN to WAN
    OpenVPN    192.168.1.0/24  *            *            *                 OpenVPN address  *         Auto created rule - LAN to WAN
    OpenVPN    10.0.0.0/24     *            *            500               OpenVPN address  *         Auto created rule for ISAKMP - OpenVPN server to WAN
    WAN        127.0.0.0/8     *            *            500               WAN address      *         Auto created rule for ISAKMP - localhost to WAN
    OpenVPN    10.0.0.0/24     *            *            *                 OpenVPN address  *         Auto created rule - OpenVPN server to WAN
    WAN        127.0.0.0/8     *            *            *                 WAN address      *         Auto created rule - localhost to WAN
    WAN        192.168.1.0/24  *            *            500               WAN address      *         Auto created rule for ISAKMP - LAN to WAN
    WAN        192.168.1.0/24  *            *            *                 WAN address      *         Auto created rule - LAN to WAN
    WAN        10.0.0.0/24     *            *            500               WAN address      *         Auto created rule for ISAKMP - OpenVPN server to WAN
    WAN        10.0.0.0/24     *            *            *                 WAN address      *         Auto created rule - OpenVPN server to WAN



  • Which guide for PIA setup have you followed?
    Have you already set up an interface for the PIA client and added policy routing rules to direct outgoing connections to the PIA server?

    To get it to work, you have to do this. Also go to the PIA client settings and check the "Don't pull routes" option. That will be the culprit here.



  • I used the guide from PIA for setting up their client on pfsense: https://www.privateinternetaccess.com/pages/client-support/pfsense

    When I check the Don't Pull box, I no longer obtain a PIA IP address though…but the OpenVPN server works for a change.  What Is My IP shows my ISP IP instead of one from PIA.



  • @Murrayd222:

    When I check the Don't Pull box, I no longer obtain a PIA IP address though

    So you've just checked this option, but not added a PIA interface and policy routing rules as I suggested above. So you've only done a part of the solution!

    Here is a video showing how to do this: https://www.youtube.com/watch?v=JdjWNpoktrw



  • @viragomann:

    @Murrayd222:

    When I check the Don't Pull box, I no longer obtain a PIA IP address though

    So you've just checked this option, but not added a PIA interface and policy routing rules as I suggested above. So you've only done a part of the solution!

    Here is a video showing how to do this: https://www.youtube.com/watch?v=JdjWNpoktrw

    I followed the instructions in this video, and just like the guide from PIA's website, my PIA VPN is working…other than that the video neglected to change the port to 1198 from 1194 (1194 won't connect to PIA).  However, I still can't access my network via the OpenVPN server running on the pfSense router.  It is probably a NAT rules thing, but I can't find any guide on the additional NAT rules (or firewall rules) to get my iPhone to connect to the OpenVPN server.  I can only access my OpenVPN server if I disable the PIA VPN Client.  Any other ideas?



  • Is your iPhone using a separate internet connection for testing?



  • All remote iPhone tests used Verizon and not wifi.  I've scrapped the whole PIA client and will try again at a later date…a much later date.  For everything I got working, something else stopped working.  Before reverting to a backup, I had gotten Plex remotely connecting, Blue Iris remotely connecting, PIA working, and Open VPN working.  But then apps on my iPhone stopped working, even the weather app.  My Ooma Telo stopped working as well.  I set many devices to bypass and go straight to the WAN, but in the case of the Ooma and my iPhone...that didn't help.  Shoot, the final straw was my earlier reply not being able to post since the site loading was horrible before reverting back.  Back to the base router setup and OpenVPN server I need.  The whole weekend was wasted fighting with PIA and the OpenVPN server, so I won't be repeating this anytime soon.

    Thanks to those who tried to help, but there are so many settings that have to be just right that I would probably need a guide for my exact setup to get it to work right.



  • Ok, after more tweaking, factory resetting, and more tweaking…I have everything working except one thing.  I can connect to my network via the OpenVPN server, and I have the PIA VPN Client pushed to the network IP addresses I want going through the VPN.  I can remotely access both Plex and my Blue Iris surveillance server.  However, there is one thing I cannot figure out, and I'm sure it has to do with Firewall Rules or NAT Outbound rules.  When remotely connecting to my OpenVPN server, I want those connections to be able to access the Internet as well.  Currently, any remotely connected client to my OpenVPN server can access network IPs only, and any attempts to connect to the Internet are being blocked.  Anyone have a suggestion or guide on how to set up the needed rules?

    Current NAT Outbound Rules:

    Current Firewall Rules for WAN:

    Current Firewall Rules for LAN:

    I know there has got to be a way to do this.



  • Since you still pull the default route from PIA, there's no special firewall rule needed for the VPN clients going out to the internet. You're only missing the outbound NAT rule for that traffic.
    Just add a rule to the PIA_VPN interface and set the source to your VPN access server's tunnel network.
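    As an added illustration (not code from the thread or from pfSense), the following Python model shows why the reply above works: outbound NAT rules match on the egress interface and the source, so once the PIA client holds the default route, Internet-bound packets from the OpenVPN server's tunnel net (10.0.0.0/24 in the posted config) leave on the PIA interface and need a rule there, while LAN-bound packets leave on LAN and are untouched by that rule. The two-row rule table, the interface name PIA_VPN and the assumption that the provider only forwards traffic sourced from the tunnel address are simplifications made for the example.

```python
import ipaddress

# Constructed, simplified outbound NAT table: (interface, source network,
# destination port or None for any). Stands in for the auto-created WAN
# rules in the thread; it is NOT the poster's full table.
NAT_RULES = [
    ("WAN", "192.168.1.0/24", None),
    ("WAN", "10.0.0.0/24", None),
]

# Assumed routing for the poster's setup: LAN and the OpenVPN server tunnel
# are directly connected; everything else follows the default route, which
# the PIA client pulls while "Don't pull routes" is left unchecked.
DIRECT_NETS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "OpenVPN": ipaddress.ip_network("10.0.0.0/24"),
}
DEFAULT_IFACE = "PIA_VPN"   # assumed name of the assigned PIA client interface


def egress_interface(dst):
    """Interface a packet to dst leaves on: a connected net, else the default route."""
    addr = ipaddress.ip_address(dst)
    for name, net in DIRECT_NETS.items():
        if addr in net:
            return name
    return DEFAULT_IFACE


def match_nat(rules, src, dst, dport):
    """First outbound NAT rule matching (egress interface, source, dport), or None."""
    iface = egress_interface(dst)
    addr = ipaddress.ip_address(src)
    for r_iface, r_src, r_port in rules:
        if r_iface != iface or addr not in ipaddress.ip_network(r_src):
            continue
        if r_port is None or r_port == dport:
            return (r_iface, r_src, r_port)
    return None


def with_pia_rule(rules, tunnel_net="10.0.0.0/24"):
    """The fix from the reply: NAT the server's tunnel net on the PIA interface."""
    return rules + [(DEFAULT_IFACE, tunnel_net, None)]


def diagnose(rules, src, dst, dport=443):
    """Verdict for one flow: where it leaves and whether a NAT rule applies."""
    iface = egress_interface(dst)
    rule = match_nat(rules, src, dst, dport)
    if rule is None and iface == DEFAULT_IFACE:
        # Assumption: the provider only forwards packets sourced from the tunnel IP.
        return f"{src}->{dst}: leaves via {iface} unNATed; provider will not forward it"
    if rule is None:
        return f"{src}->{dst}: leaves via {iface}, no NAT needed (directly connected)"
    return f"{src}->{dst}: leaves via {iface}, NATed by rule {rule}"


if __name__ == "__main__":
    client = "10.0.0.2"  # a remote OpenVPN client address from the thread's log
    for table in (NAT_RULES, with_pia_rule(NAT_RULES)):
        print(diagnose(table, client, "203.0.113.10"))   # Internet host (TEST-NET-3)
        print(diagnose(table, client, "192.168.1.140"))  # LAN host seen in the log
```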



  • @viragomann:

    Since you still pull the default route from PIA, there's no special firewall rule needed for the VPN clients going out to the internet. You're only missing the outbound NAT rule for that traffic.
    Just add a rule to the PIA_VPN interface and set the source to your VPN access server's tunnel network.

    Ok, adding this rule fixed one thing and broke another.  Adding the above Outbound rule now permits my remote clients connected to my OpenVPN Server to access the Internet, but now they can no longer connect to the LAN IPs.  Is this a one-or-the-other type of deal, or is it possible to have both working at the same time, along with a PIA VPN client?  Is there another rule I need to add in order to get both working?

    EDIT 1: Never mind, it's an issue with the Remote Desktop app on my iPad only, as it works on my iPhone.

    Here are my current Outbound Rules:



  • @Murrayd222:

    Greetings,
    I'm curious if it is possible to run an OpenVPN server to permit remote connections to my network, via iPad and such, while also taking advantage of the benefits offered by Private Internet Access.  I finally got my OpenVPN server up and running and remote connections now work flawlessly.  However, when I installed PIA as instructed in the PIA pfSense router setup, the status shows as "down."  The only step I skipped was deleting the various certificates required to make the OpenVPN server work.
    I'd like the benefits of remote access to my network as well as the benefits provided by PIA.  Any suggestions or guides that I've missed?  My experience with pfSense consists of about a month, with MANY failures trying to get the OpenVPN server up and running.

    EDIT: Ok, after more tweaking, factory resetting, and more tweaking…I have everything working except one thing.  I can connect to my network via the OpenVPN server, and I have the PIA VPN Client pushed to the network IP addresses I want going through the VPN.  I can remotely access both Plex and my Blue Iris surveillance server.  However, there is one thing I cannot figure out, and I'm sure it has to do with Firewall Rules or NAT Outbound rules.  When remotely connecting to my OpenVPN server, I want those connections to be able to access the Internet as well.  Currently, any remotely connected client to my OpenVPN server can access network IPs only, and any attempts to connect to the Internet are being blocked.  The OpenVPN Server is assigned its own openvpn interface and the PIA Client is assigned its own unique PIA Interface.  If I disable the PIA client, then my OpenVPN Server connections are able to access the Internet.  Once I restart the PIA client, the Internet access of the OpenVPN Server connected clients stops.  Anyone have a suggestion or guide on how to set up the needed rules?
    EDIT 2:  Well, the recently changed NAT Outbound (posted below) allowed my OpenVPN Server remotely connected clients to access the Internet, but it broke their ability to access LAN clients.  How can I get both Internet and LAN access for clients remotely connected to the OpenVPN Server?

    EDIT 3: Never mind, all is working correctly, but for some reason the Remote Desktop client on my iPad isn't connecting this morning, whereas the RD app on my iPhone is.

    Current NAT Outbound Rules:

    Current Firewall Rules for WAN:

    Current Firewall Rules for LAN:

    Are these above your working settings? Can you please share your current working settings? I can't get them to work together no matter what I tried. I've spent the better part of the past 3 days experimenting with all possible combinations. I did factory resets, installed the server first and then the client and vice versa. Played with all the possible rules I could think of. Duplicated the existing outbound NAT with values both for OpenVPN and PIAVPN.

    I would be grateful if you could share the server's and client's config as well as the rules in WAN, LAN (or anywhere else) and also your NAT/outbound tab.

    I have created separate interfaces for the PIA Client and the OpenVPN server, while the ''don't pull routes'' option suggested by @viragomann completely disables the PIA client, and then magically the OpenVPN server will accept the connection from my Android client.

    I have already asked in several topics but failed to draw any attention, so I'm hoping you could help me out.
    Otherwise I'll have to open a new thread. I just did not want to, as there are many like us who had the same issue and the forum is full of similar threads…

