Netgate Discussion Forum

Help troubleshooting OpenVPN / Firewall Config

OpenVPN
9 Posts 2 Posters 2.5k Views
    crw030 (Jun 27, 2017, 7:37 AM; last edited Jun 30, 2017, 8:05 PM)

    OK, before I completely foul up my pfSense configuration with more hours of trial-and-error.

    I am trying to set up an OpenVPN connection between my main house (running pfSense) and an empty remote location (which has an Asus router that supports OpenVPN).  My goal is to connect over VPN to the remote site to monitor some IP cameras at that location but ideally have the BlueIris machine at my main address.  I just want to keep an eye on the place while it is empty.

    Right or possibly wrong, I set it up so that pfSense connects as a client to the ASUS OpenVPN server.  My thinking was if the power went out at the remote site, I would see the camera down, and could reconnect to the VPN server to reestablish connectivity to the cameras.  The remote site is 1000 miles away, so running down to reestablish the connection would be a problem (I might be wrong but I don't see anything that indicates the ASUS would automatically reconnect).  This connection is using TUN with pfSense as client connecting to ASUS server using Static shared key and AES encryption. (I did also spend hours trying TAP on both ends)

    Long and short, I can log in to pfSense from the main site and using the built-in diagnostics I can ping successfully to the addresses at the remote site (10.0.8.1, 192.168.1.16), as long as I select "Automatically Select" or the VPN interface alias as the source for the ping.  But as soon as I try to ping from a LAN0 computer (or from pfSense with LAN0 as source) there is no connectivity.  I suspect the problem is my lack of understanding of how the pfSense firewall rules actually work.

    Here's network topology, goal is to securely connect inside the remote network to access the video streams from the cameras without creating a vector for exposing the insecure camera operating systems to the web:

    MAIN HOUSE      (fiber)                                                                                          Remote House  (cable)
    ================                                      vpn private network        =====================
    LAN0–192.168.20.x--\                                        [10.0.8.2]–---[10.0.8.1]
    LAN1–192.168.21.x----------- pfsense (8.x.x.x) =======tunnel======= (98.214.x.x) Asus (192.168.77.1)--------IP Cameras (192.168.77.161, 192.168.77.160)
    LAN2--192.168.30.x--/

    After hours of reading (mostly configurations where pfSense is server), how-tos and punching holes in my perfectly good firewall, can anyone recommend what I should be focusing on?  Is this a case where the pfSense book would explain the concept of the firewall rule configuration better for a novice?

    I was following this troubleshooting guide:  https://doc.pfsense.org/index.php/Connectivity_Troubleshooting and got stuck here:
    Client Tests
    Test if the client can ping the LAN IP of the firewall

    • If this fails, check the LAN rules, client IP/subnet mask, LAN IP/subnet mask, etc.

    Thanks.

      crw030 (last edited Jun 30, 2017, 2:58 PM)

      OK, based on another guide that VERY strongly recommended everyone should move off the 192.168.1.X subnet, I have updated the ASUS (remote) subnet to 192.168.77.X.

      Here is the ASUS routing table (with VPN connected from pfSense)

      Destination     Gateway         Genmask         Flags    Metric Ref    Use Type Iface
      98.214.##.##     *               255.255.255.255 UH       0      0        0 WAN0 eth0
      10.0.8.2        *               255.255.255.255 UH       0      0        0      tun21
      192.168.77.0    *               255.255.255.0   U        0      0        0 LAN  br0
      98.214.##.##     *               255.255.240.0   U        0      0        0 WAN0 eth0
      default         98.214.##.##     0.0.0.0         UG       0      0        0 WAN0 eth0
      

      10.0.8.1            255.255.255.30  (ASUS vpn tunnel endpoint)
      10.0.8.2            255.255.255.30  (home-vpn tunnel endpoint)
      192.168.77.1    255.255.255.0    (ASUS LAN ip)
      192.168.77.160 255.255.255.0    (IP Camera on ASUS LAN)
      192.168.20.1    255.255.255.0    (home PC LAN)
      192.168.20.XXX 255.255.255.0    (Blue Iris PC dhcp)

      Pings from Router to Router (using the built in Ping utility)

      ping from 10.0.8.2  to 10.0.8.1  - works
      ping from 10.0.8.1  to 10.0.8.2  - works

      Pings from pfSense to remote LAN

      ping from 10.0.8.2  to 192.168.77.1  - works
      ping from 10.0.8.2  to 192.168.77.160  - works
      ping from 192.168.20.1  to 192.168.77.1  - broken

        gjaltemba (last edited Jun 30, 2017, 5:46 PM)

        Probably no route from home PC LAN to ASUS LAN ip. What is on the pfSense routing table?

          crw030 (last edited Jun 30, 2017, 6:29 PM)

          I have since added the following commands on the ASUS VPN Server Config (before I saw your response):

          route 192.168.20.0 255.255.255.0 10.0.8.2
          route 192.168.21.0 255.255.255.0 10.0.8.2
          route 192.168.33.0 255.255.255.0 10.0.8.2
          

          which appears to trigger updates on the ASUS side:

          Destination     Gateway         Genmask         Flags    Metric Ref    Use Type Iface
          98.214.xx.xx     *               255.255.255.255 UH       0      0        0 WAN0 eth0
          10.0.8.2        *                255.255.255.255 UH       0      0        0      tun21
          192.168.21.0    10.0.8.2         255.255.255.0   UG       0      0        0      tun21
          192.168.20.0    10.0.8.2         255.255.255.0   UG       0      0        0      tun21
          192.168.33.0    10.0.8.2         255.255.255.0   UG       0      0        0      tun21
          192.168.77.0    *                255.255.255.0   U        0      0        0 LAN  br0
          98.214.xx.xx     *               255.255.240.0   U        0      0        0 WAN0 eth0
          default         98.214.xx.xx     0.0.0.0         UG       0      0        0 WAN0 eth0
          

          Now I am getting ping responses when I use the pfSense PING diagnostic, select the LAN interface (192.168.20.1), and ping across the VPN (tun21) to LAN clients in the ASUS LAN subnet.

          Finally, testing from a Windows client on the 192.168.20.x subnet, which appears to be unable to reach a LAN target via the VPN.

            crw030 (last edited Jun 30, 2017, 6:37 PM)

            pfSense route table:

            IPv4 Routes
            Destination	Gateway     		Flags	Use     	Mtu	Netif	Expire
            default 	8.44.xxx.xxx		UGS	17972   	1500	em0	
            8.8.8.8 	70:85:c2:2b:21:cd	UHS	0       	1500	em0	
            8.44.xxx.xx/22	link#5			U	11284   	1500	em0	
            8.44.xxx.xxx	link#5			UHS	0       	16384	lo0	
            10.0.8.1	link#14			UH	25      	1500	ovpnc3	
            10.0.8.2	link#14			UHS	0       	16384	lo0	
            127.0.0.1	link#9			UH	13171   	16384	lo0	
            192.69.23.12	70:85:c2:2b:21:cd	UHS	0       	1500	em0	
            192.69.23.18	70:85:c2:2b:21:cd	UHS	0       	1500	em0	
            192.168.20.0/24	link#4			U	735967389	1500	igb3	
            192.168.20.1	link#4			UHS	21      	16384	lo0	
            192.168.21.0/24	link#3			U	205374706	1500	igb2	
            192.168.21.1	link#3			UHS	0       	16384	lo0	
            192.168.30.0/24	link#2			U	424840  	1500	igb1	
            192.168.30.1	link#2			UHS	3       	16384	lo0	
            192.168.33.0/24	link#1			U	3       	1500	igb0	
            192.168.33.1	link#1			UHS	0       	16384	lo0	
            192.168.77.0/24	10.0.8.1		UGS	339     	1500	ovpnc3	
            192.168.99.0/24	192.168.99.2		UGS	0       	1500	ovpns1	
            192.168.99.1	link#10			UHS	0       	16384	lo0	
            192.168.99.2	link#10			UH	8637    	1500	ovpns1	
            
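Putting the two posted routing tables side by side makes the failure mechanical. The following is an added example, not code from this thread, from pfSense or from the Asus firmware: it parses the ASUS table (Linux `route -n` layout, before and after the three `route` directives from the post above) and the pfSense table (FreeBSD `netstat -rn` layout), does a longest-prefix lookup on each, and checks that a ping from a home address to a camera leaves pfSense via the tunnel AND that the reply leaves the ASUS via the tunnel. The masked public addresses are replaced by documentation placeholders (203.0.113.x for the pfSense WAN, 198.51.100.x for the ASUS WAN) and the tables are trimmed to the columns the lookup needs; interface names, tunnel addresses and LAN subnets are the ones posted in this thread.

```python
"""Route round-trip check for a site-to-site OpenVPN tunnel (added example).

Models the two routing tables posted in the thread. A missing RETURN route on
the remote router is the classic reason why "ping from the tunnel IP works but
ping from the LAN IP does not".
"""
import ipaddress
import re

IPv4Network = ipaddress.IPv4Network
IPv4Address = ipaddress.IPv4Address

# ASUS table in Linux `route -n` layout, trimmed to the columns used.
# 198.51.100.x stands in for the masked 98.214.x.x WAN addresses (placeholder).
ASUS_BEFORE = """\
Destination     Gateway         Genmask         Flags Iface
198.51.100.1    *               255.255.255.255 UH    eth0
10.0.8.2        *               255.255.255.255 UH    tun21
192.168.77.0    *               255.255.255.0   U     br0
198.51.100.22   *               255.255.240.0   U     eth0
default         198.51.100.1    0.0.0.0         UG    eth0
"""

# Same table after `route 192.168.{20,21,33}.0 255.255.255.0 10.0.8.2` was
# added to the ASUS OpenVPN server config.
ASUS_AFTER = ASUS_BEFORE + """\
192.168.21.0    10.0.8.2        255.255.255.0   UG    tun21
192.168.20.0    10.0.8.2        255.255.255.0   UG    tun21
192.168.33.0    10.0.8.2        255.255.255.0   UG    tun21
"""

# pfSense table in FreeBSD `netstat -rn` layout, trimmed to Destination,
# Gateway, Netif. 203.0.113.x stands in for the masked 8.44.x.x WAN (placeholder).
PFSENSE = """\
Destination      Gateway           Netif
default          203.0.113.1       em0
203.0.112.0/22   link#5            em0
10.0.8.1         link#14           ovpnc3
10.0.8.2         link#14           lo0
127.0.0.1        link#9            lo0
192.168.20.0/24  link#4            igb3
192.168.20.1     link#4            lo0
192.168.21.0/24  link#3            igb2
192.168.30.0/24  link#2            igb1
192.168.33.0/24  link#1            igb0
192.168.77.0/24  10.0.8.1          ovpnc3
192.168.99.0/24  192.168.99.2      ovpns1
"""

_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_linux(text):
    """Linux `route -n` rows -> list of (network, gateway_or_None, iface)."""
    routes = []
    for line in text.splitlines()[1:]:
        dest, gw, mask, _flags, iface = line.split()
        dest = "0.0.0.0" if dest == "default" else dest
        net = IPv4Network(f"{dest}/{mask}", strict=False)
        via = None if gw == "*" else IPv4Address(gw)
        routes.append((net, via, iface))
    return routes


def parse_freebsd(text):
    """FreeBSD `netstat -rn` rows -> list of (network, gateway_or_None, iface)."""
    routes = []
    for line in text.splitlines()[1:]:
        dest, gw, iface = line.split()
        if dest == "default":
            net = IPv4Network("0.0.0.0/0")
        else:  # bare host address means /32
            net = IPv4Network(dest if "/" in dest else f"{dest}/32", strict=False)
        via = IPv4Address(gw) if _IPV4.match(gw) else None  # link#N = attached
        routes.append((net, via, iface))
    return routes


def lookup(routes, address):
    """Longest-prefix match; returns (network, gateway, iface) or None."""
    address = IPv4Address(address)
    hits = [r for r in routes if address in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def tunnel_round_trip(home_routes, remote_routes, src, dst, tunnel_ifaces):
    """Forward hop on pfSense and return hop on the remote router, both via tunnel?"""
    fwd = lookup(home_routes, dst)
    rev = lookup(remote_routes, src)
    fwd_if = fwd[2] if fwd else None
    rev_if = rev[2] if rev else None
    return {"forward_iface": fwd_if, "return_iface": rev_if,
            "ok": fwd_if in tunnel_ifaces and rev_if in tunnel_ifaces}


def missing_return_routes(remote_routes, home_lans, tunnel_peer, tunnel_ifaces):
    """OpenVPN `route` directives the remote server config still needs."""
    needed = []
    for lan in home_lans:
        net = IPv4Network(lan)
        hit = lookup(remote_routes, net.network_address + 1)
        if hit is None or hit[2] not in tunnel_ifaces:
            needed.append(f"route {net.network_address} {net.netmask} {tunnel_peer}")
    return needed


TUNNEL = {"ovpnc3", "tun21"}
HOME_LANS = ["192.168.20.0/24", "192.168.21.0/24", "192.168.30.0/24", "192.168.33.0/24"]

if __name__ == "__main__":
    pf = parse_freebsd(PFSENSE)
    for label, table in (("before", ASUS_BEFORE), ("after", ASUS_AFTER)):
        asus = parse_linux(table)
        print(label, "from 10.0.8.2:    ", tunnel_round_trip(pf, asus, "10.0.8.2", "192.168.77.160", TUNNEL))
        print(label, "from 192.168.20.1:", tunnel_round_trip(pf, asus, "192.168.20.1", "192.168.77.160", TUNNEL))
        print(label, "still needed:", missing_return_routes(asus, HOME_LANS, "10.0.8.2", TUNNEL))
```

Run against the posted tables it reproduces the observations in the thread: from 10.0.8.2 the round trip is fine before and after, while from 192.168.20.1 the reply would have left the ASUS on eth0 (its default route) until the return routes were added. It also reports that 192.168.30.0/24 (LAN2 in the topology sketch) still has no return route after the change, because the added directives cover .20, .21 and .33. A route check covers forwarding only; whether a pass rule exists on the OpenVPN interface, as asked later in the thread, is a separate test.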
              gjaltemba (last edited Jun 30, 2017, 7:32 PM)

              Have you tried this in your openvpn client?

              IPv4 Remote networks: Enter the remote (server side) LAN here. To access more than one network, add them all here separated by a comma (e.g. 192.168.77.0/24).

                crw030 (last edited Jun 30, 2017, 8:04 PM)

                Yes, I have that setting configured in the OpenVPN client configuration, in fact exactly like you say:    192.168.77.0/24

                I suspect that might be where this entry in the routing table on the pfSense box is coming from?

                192.168.77.0/24	10.0.8.1		UGS	339     	1500	ovpnc3	
                  gjaltemba (Jun 30, 2017, 8:36 PM; last edited Jun 30, 2017, 10:15 PM)

                  What is the output of tracert 192.168.77.160 on the Windows pc?

                  Do you have a pass rule for vpn interface?

                    crw030 (last edited Jun 30, 2017, 10:37 PM)

                    Thanks for trying to help, gjaltemba!!

                    I am embarrassed to say my son on the other end was the one telling me that he couldn't connect to anything on the remote LAN from the home LAN.  As I was troubleshooting that issue, he mentioned the internet had been acting up for "about the past hour" - this is at the home address running pfSense, and it happens to be on a gigabit connection.

                    After troubleshooting that issue to TWO LAN computers where two other members of the household were each downloading (and I think possibly seeding) a 3.3 GB patch for ARK (and then stopping those) - he could immediately connect to the ASUS LAN cameras web server.  He isn't able to see the video streams, but I can see them on my phone across two VPN connections, so I think it must be 99% working.

                    *Knock on wood, I think it might be fixed*
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.