Netgate Discussion Forum

    Help troubleshooting OpenVPN / Firewall Config

    OpenVPN
    9 Posts 2 Posters 2.5k Views

    crw030
      OK, before I completely foul up my pfSense configuration with more hours of trial-and-error.

      I am trying to set up an OpenVPN connection between my main house (running pfSense) and an empty remote location (which has an Asus router that supports OpenVPN).  My goal is to connect over VPN to the remote site to monitor some IP cameras at that location but ideally have the BlueIris machine at my main address.  I just want to keep an eye on the place while it is empty.

      Right or possibly wrong, I set it up so that pfSense connects as a client to the ASUS OpenVPN server.  My thinking was that if the power went out at the remote site, I would see the cameras go down and could reconnect to the VPN server to re-establish connectivity to the cameras.  The remote site is 1000 miles away, so running down to re-establish the connection would be a problem (I might be wrong, but I don't see anything that indicates the ASUS would automatically reconnect).  This connection is using TUN with pfSense as client connecting to the ASUS server using a static shared key and AES encryption.  (I did also spend hours trying TAP on both ends.)

      Long and short, I can log in to pfSense from the main site and, using the built-in diagnostics, I can ping successfully to the addresses at the remote site (10.0.8.1, 192.168.1.16), as long as I select "Automatically Select" or the VPN interface alias as the source for the ping.  But as soon as I try to ping from a LAN0 computer (or from pfSense with LAN0 as source) there is no connectivity.  I suspect the problem is my lack of understanding of how the pfSense firewall rules actually work.

      Here's the network topology; the goal is to securely connect inside the remote network to access the video streams from the cameras without creating a vector for exposing the insecure camera operating systems to the web:

      MAIN HOUSE (fiber)                                                             Remote House (cable)
      ==================                       vpn private network                   ====================
      LAN0--192.168.20.x--\                    [10.0.8.2]--------[10.0.8.1]
      LAN1--192.168.21.x------ pfSense (8.x.x.x) =======tunnel======= (98.214.x.x) Asus (192.168.77.1)-------- IP Cameras (192.168.77.161, 192.168.77.160)
      LAN2--192.168.30.x--/

      After hours of reading (mostly configurations where pfSense is the server), how-tos and punching holes in my perfectly good firewall, can anyone recommend what I should be focusing on?  Is this a case where the pfSense book would explain the concept of the firewall rule configuration better for a novice?

      I was following this troubleshooting guide:  https://doc.pfsense.org/index.php/Connectivity_Troubleshooting and got stuck here:
      Client Tests
      Test if the client can ping the LAN IP of the firewall

      • If this fails, check the LAN rules, client IP/subnet mask, LAN IP/subnet mask, etc.

      Thanks.

      crw030

        OK, based on another guide that VERY strongly recommended everyone should move off the 192.168.1.X subnets, I have updated the ASUS (remote) subnet to 192.168.77.X.

        Here is the ASUS routing table (with VPN connected from pfSense)

        Destination     Gateway         Genmask         Flags  Metric  Ref  Use  Type  Iface
        98.214.##.##    *               255.255.255.255 UH     0       0    0    WAN0  eth0
        10.0.8.2        *               255.255.255.255 UH     0       0    0          tun21
        192.168.77.0    *               255.255.255.0   U      0       0    0    LAN   br0
        98.214.##.##    *               255.255.240.0   U      0       0    0    WAN0  eth0
        default         98.214.##.##    0.0.0.0         UG     0       0    0    WAN0  eth0

        10.0.8.1        255.255.255.30   (ASUS vpn tunnel endpoint)
        10.0.8.2        255.255.255.30   (home-vpn tunnel endpoint)
        192.168.77.1    255.255.255.0    (ASUS LAN ip)
        192.168.77.160  255.255.255.0    (IP Camera on ASUS LAN)
        192.168.20.1    255.255.255.0    (home PC LAN)
        192.168.20.XXX  255.255.255.0    (Blue Iris PC dhcp)

        Pings from Router to Router (using the built in Ping utility)

        ping from 10.0.8.2  to 10.0.8.1  - works
        ping from 10.0.8.1  to 10.0.8.2  - works

        Pings from pfSense to remote LAN

        ping from 10.0.8.2  to 192.168.77.1  - works
        ping from 10.0.8.2  to 192.168.77.160  - works
        ping from 192.168.20.1  to 192.168.77.1  - broken

        gjaltemba

          Probably no route from the home PC LAN to the ASUS LAN IP.  What is on the pfSense routing table?

          crw030

            I have since added the following commands to the ASUS VPN server config (before I saw your response):

            route 192.168.20.0 255.255.255.0 10.0.8.2
            route 192.168.21.0 255.255.255.0 10.0.8.2
            route 192.168.33.0 255.255.255.0 10.0.8.2
            

            which appears to trigger updates on the ASUS side:

            Destination     Gateway         Genmask         Flags  Metric  Ref  Use  Type  Iface
            98.214.xx.xx    *               255.255.255.255 UH     0       0    0    WAN0  eth0
            10.0.8.2        *               255.255.255.255 UH     0       0    0          tun21
            192.168.21.0    10.0.8.2        255.255.255.0   UG     0       0    0          tun21
            192.168.20.0    10.0.8.2        255.255.255.0   UG     0       0    0          tun21
            192.168.33.0    10.0.8.2        255.255.255.0   UG     0       0    0          tun21
            192.168.77.0    *               255.255.255.0   U      0       0    0    LAN   br0
            98.214.xx.xx    *               255.255.240.0   U      0       0    0    WAN0  eth0
            default         98.214.xx.xx    0.0.0.0         UG     0       0    0    WAN0  eth0

            Now I am getting ping responses when I use the pfSense Ping diagnostic with the LAN interface (192.168.20.1) as the source, across the VPN (tun21) to LAN clients in the ASUS LAN subnet.

            Finally, testing from a Windows client on the 192.168.20.x subnet, which appears to be unable to reach a LAN target via the VPN.

            crw030

              pfSense route table:

              IPv4 Routes
              Destination      Gateway            Flags  Use        Mtu    Netif   Expire
              default          8.44.xxx.xxx       UGS    17972      1500   em0
              8.8.8.8          70:85:c2:2b:21:cd  UHS    0          1500   em0
              8.44.xxx.xx/22   link#5             U      11284      1500   em0
              8.44.xxx.xxx     link#5             UHS    0          16384  lo0
              10.0.8.1         link#14            UH     25         1500   ovpnc3
              10.0.8.2         link#14            UHS    0          16384  lo0
              127.0.0.1        link#9             UH     13171      16384  lo0
              192.69.23.12     70:85:c2:2b:21:cd  UHS    0          1500   em0
              192.69.23.18     70:85:c2:2b:21:cd  UHS    0          1500   em0
              192.168.20.0/24  link#4             U      735967389  1500   igb3
              192.168.20.1     link#4             UHS    21         16384  lo0
              192.168.21.0/24  link#3             U      205374706  1500   igb2
              192.168.21.1     link#3             UHS    0          16384  lo0
              192.168.30.0/24  link#2             U      424840     1500   igb1
              192.168.30.1     link#2             UHS    3          16384  lo0
              192.168.33.0/24  link#1             U      3          1500   igb0
              192.168.33.1     link#1             UHS    0          16384  lo0
              192.168.77.0/24  10.0.8.1           UGS    339        1500   ovpnc3
              192.168.99.0/24  192.168.99.2       UGS    0          1500   ovpns1
              192.168.99.1     link#10            UHS    0          16384  lo0
              192.168.99.2     link#10            UH     8637       1500   ovpns1
              gjaltemba
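An added example, written for this page rather than taken from the thread, pfSense or OpenVPN, that turns the routing tables posted above into a round-trip check. It parses the Asus "route -n" style output (as posted before and after the "route ... 10.0.8.2" lines were added to the server config) and the pfSense "netstat -rn" output, does a longest-prefix lookup in each direction, and reports whether both the echo request and the echo reply stay inside the tunnel. The tables are constructed from the posted rows, trimmed to the relevant entries, with the masked public addresses replaced by RFC 5737 documentation ranges. It checks routing only; whether pf has a pass rule on the OpenVPN interface is a separate check.

```python
"""Round-trip route check for a site-to-site OpenVPN tunnel (added example).

Sample tables are constructed from the routing tables posted in the thread;
public addresses are replaced with RFC 5737 documentation ranges.
"""
import ipaddress

TUNNEL_IFACES = {"ovpnc3", "tun21"}  # pfSense client side, Asus server side


def parse_linux_routes(text):
    """Parse 'route -n' style rows (Destination Gateway Genmask ... Iface).

    The Asus output has an optional 'Type' column, so the interface is taken
    from the last column rather than from a fixed position.
    """
    routes = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        cols = line.split()
        dest, gw, mask, iface = cols[0], cols[1], cols[2], cols[-1]
        cidr = "0.0.0.0/0" if dest == "default" else f"{dest}/{mask}"
        net = ipaddress.ip_network(cidr, strict=False)
        routes.append((net, None if gw == "*" else gw, iface))
    return routes


def parse_bsd_routes(text):
    """Parse FreeBSD/pfSense 'netstat -rn' rows (Destination Gateway Flags ... Netif).

    A gateway of 'link#N' or a MAC address means directly connected (no next hop).
    """
    routes = []
    for line in text.strip().splitlines()[1:]:
        cols = line.split()
        dest, gw, iface = cols[0], cols[1], cols[-1]
        cidr = "0.0.0.0/0" if dest == "default" else dest  # bare host -> /32
        net = ipaddress.ip_network(cidr, strict=False)
        next_hop = gw if gw[0].isdigit() and "." in gw else None
        routes.append((net, next_hop, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: returns (next_hop, iface), or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def check_round_trip(src, dst, near_routes, far_routes, tunnel_ifaces):
    """Echo from src reaches dst only if the near router forwards it into the
    tunnel AND the far router's route back to src also points into the tunnel;
    otherwise the reply leaks out the far side's default (WAN) route."""
    forward = lookup(near_routes, dst)
    back = lookup(far_routes, src)
    ok = (forward is not None and forward[1] in tunnel_ifaces
          and back is not None and back[1] in tunnel_ifaces)
    return {"forward": forward, "return": back, "ok": ok}


# Constructed from the first Asus table in the thread (no routes to the home LANs).
ASUS_BEFORE = parse_linux_routes("""\
Destination     Gateway         Genmask         Flags Metric Ref Use Type Iface
198.51.100.1    *               255.255.255.255 UH    0      0   0   WAN0 eth0
10.0.8.2        *               255.255.255.255 UH    0      0   0   tun21
192.168.77.0    *               255.255.255.0   U     0      0   0   LAN  br0
198.51.100.0    *               255.255.240.0   U     0      0   0   WAN0 eth0
default         198.51.100.1    0.0.0.0         UG    0      0   0   WAN0 eth0
""")

# Same table after 'route 192.168.20.0 255.255.255.0 10.0.8.2' (and the
# 192.168.21.0 / 192.168.33.0 equivalents) were added to the Asus server config.
ASUS_AFTER = parse_linux_routes("""\
Destination     Gateway         Genmask         Flags Metric Ref Use Type Iface
198.51.100.1    *               255.255.255.255 UH    0      0   0   WAN0 eth0
10.0.8.2        *               255.255.255.255 UH    0      0   0   tun21
192.168.21.0    10.0.8.2        255.255.255.0   UG    0      0   0   tun21
192.168.20.0    10.0.8.2        255.255.255.0   UG    0      0   0   tun21
192.168.33.0    10.0.8.2        255.255.255.0   UG    0      0   0   tun21
192.168.77.0    *               255.255.255.0   U     0      0   0   LAN  br0
198.51.100.0    *               255.255.240.0   U     0      0   0   WAN0 eth0
default         198.51.100.1    0.0.0.0         UG    0      0   0   WAN0 eth0
""")

# Constructed from the pfSense table in the thread, trimmed to the relevant rows.
PFSENSE = parse_bsd_routes("""\
Destination      Gateway            Flags  Use  Mtu    Netif
default          203.0.113.1        UGS    0    1500   em0
203.0.113.0/22   link#5             U      0    1500   em0
10.0.8.1         link#14            UH     25   1500   ovpnc3
10.0.8.2         link#14            UHS    0    16384  lo0
192.168.20.0/24  link#4             U      0    1500   igb3
192.168.20.1     link#4             UHS    21   16384  lo0
192.168.77.0/24  10.0.8.1           UGS    339  1500   ovpnc3
""")

if __name__ == "__main__":
    for src in ("10.0.8.2", "192.168.20.1"):
        for label, far in (("before", ASUS_BEFORE), ("after", ASUS_AFTER)):
            r = check_round_trip(src, "192.168.77.160", PFSENSE, far, TUNNEL_IFACES)
            print(f"{src:>12} -> 192.168.77.160 [{label}] "
                  f"fwd={r['forward']} back={r['return']} ok={r['ok']}")
```

Run stand-alone it prints one line per (source, table) pair. Sourcing from 10.0.8.2 passes with either Asus table because the Asus already has a host route for 10.0.8.2 via tun21; sourcing from 192.168.20.1 fails against the first table (the reply matches only the default route and goes out eth0) and passes only once the 192.168.20.0/24 route via 10.0.8.2 exists on the Asus side. That is the asymmetry that makes the pfSense "Automatically Select" ping succeed while the LAN-sourced ping is silently dropped.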

                Have you tried this in your openvpn client?

                IPv4 Remote networks: Enter the remote (server side) LAN here.  To access more than one network, add them all here separated by a comma (e.g. 192.168.77.0/24).

                crw030

                  Yes, I have that setting configured in the OpenVPN client configuration, in fact exactly as you say:    192.168.77.0/24

                  I suspect that might be where this entry in the routing table on the pfSense box is coming from?

                  192.168.77.0/24	10.0.8.1		UGS	339     	1500	ovpnc3
                  gjaltemb

                    What is the output of tracert 192.168.77.160 on the Windows pc?

                    Do you have a pass rule on the VPN interface?

                    crw030

                      Thanks for trying to help, gjaltemba!!

                      I am embarrassed to say my son on the other end was the one telling me that he couldn't connect to anything on the remote LAN from the home LAN.  As I was troubleshooting that issue, he mentioned the internet had been acting up for "about the past hour"; this is at the home address running pfSense, and it happens to be on a gigabit connection.

                      After tracing that issue to TWO LAN computers where two other members of the household were each downloading (and I think possibly seeding) a 3.3 GB patch for ARK (and then stopping those), he could immediately connect to the ASUS LAN cameras' web server.  He isn't able to see the video streams, but I can see them on my phone across two VPN connections, so I think it must be 99% working.

                      * Knock on wood, I think it might be fixed *
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.