Routing Internet traffic between a remote OpenVPN server and pfSense
A friend of mine runs a small business in an area with extremely limited Internet connectivity options. He recently moved away from 3Mbps DSL service to using an unlimited LTE service, providing about 25Mbps service. Since he will be dropping his POTS lines and DSL in favor of the LTE service, I am helping him transfer his analog lines to VoIP.
As with most cellular providers, he is trapped behind a NAT pool and is unable to forward any traffic back in. Knowing this was going to be a problem, I set him up with a Digital Ocean box to terminate an OpenVPN connection to that can be used for the phone system for SIP/RTP inbound and outbound connections (DNAT/MASQUERADE).
I thought this would be trivial but I've struggled to make this work. No matter what configuration I've tried, I cannot get pfSense to route the return traffic back through the VPN and out to Digital Ocean via an IP Masquerade. Here's a simple diagram showing the connection points and their configuration.
Asterisk Server (VLAN4) 10.0.2.2 gw 10.0.2.1 <--> pfSense (VLAN4) 10.0.2.1 / 10.8.0.2 (OpenVPN client) <--> OpenVPN Server 10.8.0.1
pfSense Firewall Rules -
VLAN4 interface as a pass rule from VLAN4 Net to any using the OpenVPN Client Interface as its Gateway.
OpenVPN Server -
Has a route and iroute entry for 10.0.2.0/24 in the server and client configurations respectively. OpenVPN Server does not force a route of all traffic from clients as the only traffic he would like to tunnel through the VPN is SIP/RTP for the purpose of accessing VoIP services inbound and outbound. Server also contains DNAT and MASQUERADE rules to forward inbound port 5060 tcp/10000-10100 udp traffic to the Asterisk server through the OpenVPN tunnel.
Traffic which originates from the Asterisk server TO an address on the Internet seems to work just fine - the packet transverses pfSense, through the OpenVPN connection, Masquerade by Linux's firewall and to the destination and return packets are delivered inversely.
However from the Internet, I cannot establish a TCP connection along the forwarded ports to the Asterisk server. The SYN+ACK packet is discarded by pfSense.
From what I can tell using tcpdump/pfSense's packet capture, and pfSense's state tables, the TCP SYN packet from the Internet is delivered to the Asterisk box which returns a SYN+ACK packet back to pfSense. pfSense sees this packet on the VLAN interface but that packet is never seen being forwarded to OpenVPN interface.
My assumption is that even though I have a firewall rule declaring the gateway should be used, pfSense does not use this for return SYN+ACK packets and relies on locating the return path from the state table. My guess is that with OpenVPN, this state table is not used and it instead relies on route rules that need to be present within OpenVPN. Since I have no "default gateway" route rule in OpenVPN, I think these packets are rejected outright.
Anyone have any suggestions on how to get this to function properly?
Asterisk Server (VLAN4) 10.0.2.2 gw 10.0.2.1 <–> pfSense (VLAN4) 10.0.2.1 / 10.8.0.2 (OpenVPN client) <–> OpenVPN Server 10.8.0.1
You need to assign an interface to the bolded client instance and make sure that the rules passing the connections inbound are on the assigned interface and DO NOT MATCH rules on the OpenVPN tab. In fact, just delete/disable all the rules on the OpenVPN tab and move them to the assigned interface tab.
The states will then get flagged with reply-to and the reply traffic will be directed out the correct interface.
Derelict, your instructions resolved our routing troubles perfectly!
Thank you so much for responding to my problem!