Netgate Discussion Forum

    Remote VPN and internet access

    • NasKar

      I've set up a remote VPN and I can access my servers using it, but I can't access the internet while connected to the VPN. I tried adding this to the Firewall/outgoing but it still doesn't allow access to the web. What am I missing?

      [Attachment: OutboundVPN.jpg]

      Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz
      2 CPUs: 1 package(s) x 2 core(s)
      AES-NI CPU Crypto: No
      2 Gigs Ram
      SSD with ver 2.4.0
      IBM Intel Pro PCI-E Quad Port 10/100/1000 Server Adapter 39Y6138 (K210320)

      • santello

        Did you check the OpenVPN option "Redirect Gateway"?
        Is the OpenVPN gateway the default in the client's route list?

        • Derelict LAYER 8 Netgate

          If you want your OpenVPN clients to be able to get out WAN you need to make sure their tunnel network addresses or remote network addresses are included in the outbound NAT rules on WAN, not OpenVPN.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)
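
The check Derelict describes, as an added example that is not part of the original thread or pfSense's own code: it reads NAT rules in the form `pfctl -sn` prints and reports whether the tunnel network 192.168.200.0/24 (named later in the thread) is translated on WAN or only on the OpenVPN interface. The interface names em0 (WAN) and ovpns1 (OpenVPN), the translation addresses and the sample rule lines are constructed assumptions.

```python
import ipaddress
import re

# Constructed samples in the style of `pfctl -sn` output. Interface names
# (em0 = WAN, ovpns1 = OpenVPN server) and all addresses are assumptions.
MISPLACED = """\
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10 port 1024:65535
nat on ovpns1 inet from 192.168.200.0/24 to any -> 192.168.200.1 port 1024:65535
"""
CORRECTED = """\
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10 port 1024:65535
nat on em0 inet from 192.168.200.0/24 to any -> 203.0.113.10 port 1024:65535
"""

RULE = re.compile(r"^nat on (?P<iface>\S+) (?:(?P<fam>inet6?) )?from (?P<src>\S+) to ")


def parse_nat_rules(text):
    """Yield (interface, source network) for each translating NAT rule."""
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # 'no nat', rdr rules and blank lines are not outbound NAT
        src = m["src"]
        if src == "any":
            src = "::/0" if m["fam"] == "inet6" else "0.0.0.0/0"
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            continue  # table reference such as <name>; cannot be resolved offline
        yield m["iface"], net


def tunnel_nat_status(text, tunnel, wan_if):
    """Return 'ok', 'wrong-interface' or 'missing' for the tunnel network."""
    tunnel = ipaddress.ip_network(tunnel)
    covering = [
        iface
        for iface, net in parse_nat_rules(text)
        if net.version == tunnel.version and tunnel.subnet_of(net)
    ]
    if wan_if in covering:
        return "ok"
    # A rule exists but on another interface: traffic leaves WAN untranslated.
    return "wrong-interface" if covering else "missing"


if __name__ == "__main__":
    for name, sample in (("misplaced", MISPLACED), ("corrected", CORRECTED)):
        print(name, tunnel_nat_status(sample, "192.168.200.0/24", "em0"))
```
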

          • NasKar

            @Derelict:

            If you want your OpenVPN clients to be able to get out WAN you need to make sure their tunnel network addresses or remote network addresses are included in the outbound NAT rules on WAN, not OpenVPN.

            I changed the option from OpenVPN to WAN and now I can't get to the pfSense GUI remotely.

            @santeLLo:

            Did you check the OpenVPN option "Redirect Gateway"?
            Is the OpenVPN gateway the default in the client's route list?

            "Redirect gateway" is checked.
            Not sure where to find that option.

            • viragomann

              @NasKar:

              @Derelict:

              If you want your OpenVPN clients to be able to get out WAN you need to make sure their tunnel network addresses or remote network addresses are included in the outbound NAT rules on WAN, not OpenVPN.

              I changed the option from OpenVPN to WAN and now I can't get to the pfSense GUI remotely.

              That option has nothing to do with the GUI access. This has to be permitted in the firewall rules.

              • santello

                @NasKar:

                "Redirect gateway" is checked.
                Not sure where to find that option.

                In OpenVPN server GUI.

                What is the default gateway on the client after OpenVPN has connected? I remember that users need to run the OpenVPN GUI with elevated privileges to get the default route from OpenVPN.

                • NasKar

                  @Derelict:

                  If you want your OpenVPN clients to be able to get out WAN you need to make sure their tunnel network addresses or remote network addresses are included in the outbound NAT rules on WAN, not OpenVPN.

                  After reading your comment over and over again I have added the VPN tunnel network 192.168.200.0/24 to an outbound rule but it still doesn't allow access to the internet like apple.com etc. Am I following your instructions correctly?

                  [Attachment: outbound VPN.jpg]

                  • Derelict LAYER 8 Netgate

                    That looks fine so it must be something else not right.

                    • NasKar

                      @Derelict:

                      That looks fine so it must be something else not right.

                      It turns out that Block private networks and loopback addresses on the WAN address was blocking access to the WAN from the VPN. Is it a problem to disable this option?

                      • Derelict LAYER 8 Netgate

                        It turns out that Block private networks and loopback addresses on the WAN address was blocking access to the WAN from the VPN. Is it a problem to disable this option?

                        No, it wasn't. That blocks connections into WAN from outside WAN from RFC1918 source addresses.

                        You can run without those checked.

                        • NasKar

                          @Derelict:

                          It turns out that Block private networks and loopback addresses on the WAN address was blocking access to the WAN from the VPN. Is it a problem to disable this option?

                          No, it wasn't. That blocks connections into WAN from outside WAN from RFC1918 source addresses.

                          You can run without those checked.

                          You're correct; it only loaded the one web page and then it wouldn't work anymore. I have no idea what else to look for.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.