Help troubleshooting OpenVPN / Firewall Config
Ok, before I completely foul up my pfSense configuration with more hours of trail-by-error.
I am trying to setup an OpenVPN connection between my main house (running pfSense) and an empty remote location (which has an Asus router that supports OpenVPN). My goal is to connect over VPN to the remote site to monitor some IP cameras at that location but ideally have the BlueIris machine at my main address. I just want to keep an eye on the place while it is empty.
Right or possibly wrong, I set it up so that pfSense connects as a client to the ASUS OpenVPN server. My thinking was if the power went out at the remote site, I would see the camera down, and could reconnect to the VPN server to reestablish connectivity to the cameras. The remote site is 1000 miles away, so running down to reestablish the connection would be a problem (I might be wrong but I don't see anything that indicates the ASUS would automatically reconnect). This connection is using TUN with pfSense as client connecting to ASUS server using Static shared key and AES encryption. (I did also spend hours trying TAP on both ends)
Long and short, I can login to pfsense from the main site and using the built-in diagnostics I can ping successfully to the addresses at the remote site (10.0.8.1, 192.168.1.16), as long as I select "Automatically Select" or the VPN interface alias as the source for the ping. But as soon as I try to ping from a LAN0 computer (or from pfSense with LAN0 as source) there is no connectivity. I suspect the problem is my lack of understanding how the pfSense firewall rules actually work.
Here's network topology, goal is to securely connect inside the remote network to access the video streams from the cameras without creating a vector for exposing the insecure camera operating systems to the web:
MAIN HOUSE (fiber) Remote House (cable)
================ vpn private network =====================
LAN1–192.168.21.x----------- pfsense (8.x.x.x) =======tunnel======= (98.214.x.x) Asus (192.168.77.1)--------IP Cameras (192.168.77.161, 192.168.77.160)
After hours of reading (mostly configurations where pfSense is server), how-tos and punching holes in my perfectly good firewall, can anyone recommend what I should be focusing on? Is this a case where the pfSense book would explain the concept of the firewall rule configuration better for a novice?
I was following this troubleshooting guide: https://doc.pfsense.org/index.php/Connectivity_Troubleshooting and got stuck here:
Test if the client can ping the LAN IP of the firewall
- If this fails, check the LAN rules, client IP/subnet mask, LAN IP/subnet mask, etc.
ok based on another guide that VERY strongly recommended everyone should move off the 192.168.1.X subnets. I have updated the ASUS (remote) subnet to 192.168.77.X
Here is the ASUS routing table (with VPN connected from pfSense)
Destination Gateway Genmask Flags Metric Ref Use Type Iface 98.214.##.## * 255.255.255.255 UH 0 0 0 WAN0 eth0 10.0.8.2 * 255.255.255.255 UH 0 0 0 tun21 192.168.77.0 * 255.255.255.0 U 0 0 0 LAN br0 98.214.##.## * 255.255.240.0 U 0 0 0 WAN0 eth0 default 98.214.##.## 0.0.0.0 UG 0 0 0 WAN0 eth0
10.0.8.1 255.255.255.30 (ASUS vpn tunnel endpoint)
10.0.8.2 255.255.255.30 (home-vpn tunnel endpoint)
192.168.77.1 255.255.255.0 (ASUS LAN ip)
192.168.77.160 255.255.255.0 (IP Camera on ASUS LAN)
192.168.20.1 255.255.255.0 (home PC LAN)
192.168.20.XXX 255.255.255.0 (Blue Iris PC dhcp)
ping from 10.0.8.2 to 10.0.8.1 - works
ping from 10.0.8.1 to 10.0.8.2 - works
ping from 10.0.8.2 to 192.168.77.1 - works
ping from 10.0.8.2 to 192.168.77.160 - works
ping from 192.168.20.1 to 192.168.77.1 - broken
Probably no route from home PC LAN to ASUS LAN ip. What is on the pfSense routing table?
I have since added the following commands on the ASUS VPN Server Config (before I saw your response):
route 192.168.20.0 255.255.255.0 10.0.8.2 route 192.168.21.0 255.255.255.0 10.0.8.2 route 192.168.33.0 255.255.255.0 10.0.8.2
which appears to trigger updates on the ASUS side:
Destination Gateway Genmask Flags Metric Ref Use Type Iface 98.214.xx.xx * 255.255.255.255 UH 0 0 0 WAN0 eth0 10.0.8.2 * 255.255.255.255 UH 0 0 0 tun21 192.168.21.0 10.0.8.2 255.255.255.0 UG 0 0 0 tun21 192.168.20.0 10.0.8.2 255.255.255.0 UG 0 0 0 tun21 192.168.33.0 10.0.8.2 255.255.255.0 UG 0 0 0 tun21 192.168.77.0 * 255.255.255.0 U 0 0 0 LAN br0 98.214.xx.xx * 255.255.240.0 U 0 0 0 WAN0 eth0 default 98.214.xx.xx 0.0.0.0 UG 0 0 0 WAN0 eth0
Now I am getting ping responses when I use pfSense PING diagnostic, select LAN interfaces (192.168.20.1) across the VPN (tun21) to LAN clients in the ASUS LAN subnet.
Finally testing from Windows client on 192.168.20.x subnet, which appears to be unable to reach a LAN target via the VPN
pfSense route table:
IPv4 Routes Destination Gateway Flags Use Mtu Netif Expire default 8.44.xxx.xxx UGS 17972 1500 em0 18.104.22.168 70:85:c2:2b:21:cd UHS 0 1500 em0 8.44.xxx.xx/22 link#5 U 11284 1500 em0 8.44.xxx.xxx link#5 UHS 0 16384 lo0 10.0.8.1 link#14 UH 25 1500 ovpnc3 10.0.8.2 link#14 UHS 0 16384 lo0 127.0.0.1 link#9 UH 13171 16384 lo0 22.214.171.124 70:85:c2:2b:21:cd UHS 0 1500 em0 126.96.36.199 70:85:c2:2b:21:cd UHS 0 1500 em0 192.168.20.0/24 link#4 U 735967389 1500 igb3 192.168.20.1 link#4 UHS 21 16384 lo0 192.168.21.0/24 link#3 U 205374706 1500 igb2 192.168.21.1 link#3 UHS 0 16384 lo0 192.168.30.0/24 link#2 U 424840 1500 igb1 192.168.30.1 link#2 UHS 3 16384 lo0 192.168.33.0/24 link#1 U 3 1500 igb0 192.168.33.1 link#1 UHS 0 16384 lo0 192.168.77.0/24 10.0.8.1 UGS 339 1500 ovpnc3 192.168.99.0/24 192.168.99.2 UGS 0 1500 ovpns1 192.168.99.1 link#10 UHS 0 16384 lo0 192.168.99.2 link#10 UH 8637 1500 ovpns1
Have you tried this in your openvpn client?
IPv4 Remote networks : Enter the remote (Server Side) LAN here. To access more than one network, add them all here separated by a comma (e.g.192.168.77.0/24).
Yes, I have that setting configured in the OpenVPN client configuration, in fact exactly like you say: 192.168.77.0/24
I suspect that might be where this entry is coming from in routing table on pfSense box?
192.168.77.0/24 10.0.8.1 UGS 339 1500 ovpnc3
What is the output of tracert 192.168.77.160 on the Windows pc?
Do you have a pass rule for vpn interface?
thanks for trying to help gjaltemba !!
I am embarrassed to say my son on the other end was the one telling me that he couldn't connect to anything on the remote LAN from the home LAN. As I was troubleshooting that issue, he mentioned the internet had been acting up for "about the past hour" - this is at the home address running pfSense, and it happens to be on a gigabit connection.
After troubleshooting that issue to TWO LAN computers where two other members of the household were each downloading (and I think possibly seeding) a 3.3 GB patch for ARK (and then stopping those) - he could immediately connect to the ASUS LAN cameras web server. He isn't able to see the video streams, but I can see them on my phone across two VPN connections, so I think it must be 99% working.
- Knock on wood, I think it might be fixed *