Help troubleshooting OpenVPN / Firewall Config



  • Ok, before I completely foul up my pfSense configuration with more hours of trial-and-error.

    I am trying to set up an OpenVPN connection between my main house (running pfSense) and an empty remote location (which has an Asus router that supports OpenVPN).  My goal is to connect over VPN to the remote site to monitor some IP cameras at that location but ideally have the BlueIris machine at my main address.  I just want to keep an eye on the place while it is empty.

    Right or possibly wrong, I set it up so that pfSense connects as a client to the ASUS OpenVPN server.  My thinking was if the power went out at the remote site, I would see the camera down, and could reconnect to the VPN server to reestablish connectivity to the cameras.  The remote site is 1000 miles away, so running down to reestablish the connection would be a problem (I might be wrong but I don't see anything that indicates the ASUS would automatically reconnect).  This connection is using TUN with pfSense as client connecting to ASUS server using Static shared key and AES encryption. (I did also spend hours trying TAP on both ends)

    Long and short, I can log in to pfSense from the main site and using the built-in diagnostics I can ping successfully to the addresses at the remote site (10.0.8.1, 192.168.1.16), as long as I select "Automatically Select" or the VPN interface alias as the source for the ping.  But as soon as I try to ping from a LAN0 computer (or from pfSense with LAN0 as source) there is no connectivity.  I suspect the problem is my lack of understanding of how the pfSense firewall rules actually work.

    Here's the network topology; the goal is to securely connect inside the remote network to access the video streams from the cameras without creating a vector for exposing the insecure camera operating systems to the web:

    MAIN HOUSE      (fiber)                                                                                          Remote House  (cable)
    ================                                      vpn private network        =====================
    LAN0–192.168.20.x--\                                        [10.0.8.2]–---[10.0.8.1]
    LAN1–192.168.21.x----------- pfsense (8.x.x.x) =======tunnel======= (98.214.x.x) Asus (192.168.77.1)--------IP Cameras (192.168.77.161, 192.168.77.160)
    LAN2--192.168.30.x--/

    After hours of reading (mostly configurations where pfSense is server), how-tos and punching holes in my perfectly good firewall, can anyone recommend what I should be focusing on?  Is this a case where the pfSense book would explain the concept of the firewall rule configuration better for a novice?

    I was following this troubleshooting guide:  https://doc.pfsense.org/index.php/Connectivity_Troubleshooting and got stuck here:
    Client Tests
    Test if the client can ping the LAN IP of the firewall

    • If this fails, check the LAN rules, client IP/subnet mask, LAN IP/subnet mask, etc.

    Thanks.



  • OK, based on another guide that VERY strongly recommended everyone move off the 192.168.1.X subnet, I have updated the ASUS (remote) subnet to 192.168.77.X.

    Here is the ASUS routing table (with VPN connected from pfSense)

    Destination     Gateway         Genmask         Flags    Metric Ref    Use Type Iface
    98.214.##.##     *               255.255.255.255 UH       0      0        0 WAN0 eth0
    10.0.8.2        *               255.255.255.255 UH       0      0        0      tun21
    192.168.77.0    *               255.255.255.0   U        0      0        0 LAN  br0
    98.214.##.##     *               255.255.240.0   U        0      0        0 WAN0 eth0
    default         98.214.##.##     0.0.0.0         UG       0      0        0 WAN0 eth0
    

    10.0.8.1            255.255.255.30  (ASUS vpn tunnel endpoint)
    10.0.8.2            255.255.255.30  (home-vpn tunnel endpoint)
    192.168.77.1    255.255.255.0    (ASUS LAN ip)
    192.168.77.160 255.255.255.0    (IP Camera on ASUS LAN)
    192.168.20.1    255.255.255.0    (home PC LAN)
    192.168.20.XXX 255.255.255.0    (Blue Iris PC dhcp)

    Pings from Router to Router (using the built in Ping utility)

    ping from 10.0.8.2  to 10.0.8.1  - works
    ping from 10.0.8.1  to 10.0.8.2  - works

    Pings from pfSense to remote LAN

    ping from 10.0.8.2  to 192.168.77.1  - works
    ping from 10.0.8.2  to 192.168.77.160  - works
    ping from 192.168.20.1  to 192.168.77.1  - broken



  • Probably no route from home PC LAN to ASUS LAN ip. What is on the pfSense routing table?



  • I have since added the following commands on the ASUS VPN Server Config (before I saw your response):

    route 192.168.20.0 255.255.255.0 10.0.8.2
    route 192.168.21.0 255.255.255.0 10.0.8.2
    route 192.168.33.0 255.255.255.0 10.0.8.2
    

    which appears to trigger updates on the ASUS side:

    Destination     Gateway         Genmask         Flags    Metric Ref    Use Type Iface
    98.214.xx.xx     *               255.255.255.255 UH       0      0        0 WAN0 eth0
    10.0.8.2        *                255.255.255.255 UH       0      0        0      tun21
    192.168.21.0    10.0.8.2         255.255.255.0   UG       0      0        0      tun21
    192.168.20.0    10.0.8.2         255.255.255.0   UG       0      0        0      tun21
    192.168.33.0    10.0.8.2         255.255.255.0   UG       0      0        0      tun21
    192.168.77.0    *                255.255.255.0   U        0      0        0 LAN  br0
    98.214.xx.xx     *               255.255.240.0   U        0      0        0 WAN0 eth0
    default         98.214.xx.xx     0.0.0.0         UG       0      0        0 WAN0 eth0
    

    Now I am getting ping responses when I use the pfSense PING diagnostic and select a LAN interface (192.168.20.1) as the source, across the VPN (tun21) to LAN clients in the ASUS LAN subnet.

    Finally, testing from a Windows client on the 192.168.20.x subnet, which appears to be unable to reach a LAN target via the VPN.



  • pfSense route table:

    IPv4 Routes
    Destination	Gateway     		Flags	Use     	Mtu	Netif	Expire
    default 	8.44.xxx.xxx		UGS	17972   	1500	em0	
    8.8.8.8 	70:85:c2:2b:21:cd	UHS	0       	1500	em0	
    8.44.xxx.xx/22	link#5			U	11284   	1500	em0	
    8.44.xxx.xxx	link#5			UHS	0       	16384	lo0	
    10.0.8.1	link#14			UH	25      	1500	ovpnc3	
    10.0.8.2	link#14			UHS	0       	16384	lo0	
    127.0.0.1	link#9			UH	13171   	16384	lo0	
    192.69.23.12	70:85:c2:2b:21:cd	UHS	0       	1500	em0	
    192.69.23.18	70:85:c2:2b:21:cd	UHS	0       	1500	em0	
    192.168.20.0/24	link#4			U	735967389	1500	igb3	
    192.168.20.1	link#4			UHS	21      	16384	lo0	
    192.168.21.0/24	link#3			U	205374706	1500	igb2	
    192.168.21.1	link#3			UHS	0       	16384	lo0	
    192.168.30.0/24	link#2			U	424840  	1500	igb1	
    192.168.30.1	link#2			UHS	3       	16384	lo0	
    192.168.33.0/24	link#1			U	3       	1500	igb0	
    192.168.33.1	link#1			UHS	0       	16384	lo0	
    192.168.77.0/24	10.0.8.1		UGS	339     	1500	ovpnc3	
    192.168.99.0/24	192.168.99.2		UGS	0       	1500	ovpns1	
    192.168.99.1	link#10			UHS	0       	16384	lo0	
    192.168.99.2	link#10			UH	8637    	1500	ovpns1	
    
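    The two ASUS tables above (before and after the `route` directives) and this pfSense table together explain the symptom: pfSense already had a route to 192.168.77.0/24 via the tunnel, but before the directives the ASUS had no route back to 192.168.20.0/24, so replies followed its default route out the WAN. The script below is an added example, not something posted in the thread; it parses the Linux-style (`route -n`) and FreeBSD-style (`netstat -rn`) tables as transcribed from the posts, does the same longest-prefix match the kernels do, and checks that both the forward and the return path leave via the tunnel interface. The masked public addresses (98.214.xx.xx, 8.44.xxx.xxx) are replaced with constructed placeholders, and the pfSense table is an excerpt.

```python
import ipaddress

# Transcribed from the thread. 98.214.0.1 (ISP gateway), 98.214.0.0/20 (WAN
# subnet) and 8.44.0.1 are constructed placeholders for the masked addresses.
ASUS_BEFORE = """\
Destination     Gateway         Genmask         Flags Metric Ref Use Type Iface
98.214.0.1      *               255.255.255.255 UH    0      0   0   WAN0 eth0
10.0.8.2        *               255.255.255.255 UH    0      0   0        tun21
192.168.77.0    *               255.255.255.0   U     0      0   0   LAN  br0
98.214.0.0      *               255.255.240.0   U     0      0   0   WAN0 eth0
default         98.214.0.1      0.0.0.0         UG    0      0   0   WAN0 eth0
"""

# Same table after the three "route ... 10.0.8.2" directives were added.
ASUS_AFTER = ASUS_BEFORE + """\
192.168.21.0    10.0.8.2        255.255.255.0   UG    0      0   0        tun21
192.168.20.0    10.0.8.2        255.255.255.0   UG    0      0   0        tun21
192.168.33.0    10.0.8.2        255.255.255.0   UG    0      0   0        tun21
"""

# Excerpt of the pfSense (FreeBSD) table; only the rows that matter here.
PFSENSE = """\
Destination     Gateway           Flags Use   Mtu   Netif
default         8.44.0.1          UGS   17972 1500  em0
10.0.8.1        link#14           UH    25    1500  ovpnc3
10.0.8.2        link#14           UHS   0     16384 lo0
192.168.20.0/24 link#4            U     735   1500  igb3
192.168.20.1    link#4            UHS   21    16384 lo0
192.168.77.0/24 10.0.8.1          UGS   339   1500  ovpnc3
"""


def _gateway(token):
    """IPv4 gateway, or None for an on-link route ('*', 'link#N', a MAC)."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def parse_linux(text):
    """Parse 'route -n' rows: Destination Gateway Genmask ... Iface."""
    routes = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if not f:
            continue
        dest = "0.0.0.0" if f[0] == "default" else f[0]
        net = ipaddress.ip_network(f"{dest}/{f[2]}", strict=False)
        routes.append((net, _gateway(f[1]), f[-1]))
    return routes


def parse_bsd(text):
    """Parse 'netstat -rn' rows: Destination Gateway Flags ... Netif."""
    routes = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if not f:
            continue
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]
        net = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
        routes.append((net, _gateway(f[1]), f[-1]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does (metrics ignored here)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def egress(routes, dst):
    """(interface, gateway or None) a packet to dst leaves on, per this table."""
    r = lookup(routes, dst)
    if r is None:
        return None
    return (r[2], None if r[1] is None else str(r[1]))


def path_check(forward_routes, return_routes, src, dst, tunnel_ifaces):
    """Check src->dst leaves via the tunnel AND dst->src returns via it.
    Returns both halves so the broken direction is visible."""
    fwd = egress(forward_routes, dst)
    ret = egress(return_routes, src)
    ok = (fwd is not None and ret is not None
          and fwd[0] in tunnel_ifaces and ret[0] in tunnel_ifaces)
    return {"forward": fwd, "return": ret, "ok": ok}


if __name__ == "__main__":
    tunnels = {"ovpnc3", "tun21"}
    pf = parse_bsd(PFSENSE)
    for label, table in (("before", ASUS_BEFORE), ("after", ASUS_AFTER)):
        result = path_check(pf, parse_linux(table),
                            "192.168.20.1", "192.168.77.160", tunnels)
        print(label, result)
```

    Before the directives the return half resolves to `('eth0', '98.214.0.1')`, i.e. the camera's reply is handed to the ISP rather than the tunnel; afterwards both halves resolve to a tunnel interface. Once the routes are symmetric, what remains is the pfSense firewall: the OpenVPN interface needs a pass rule for traffic arriving from 192.168.77.0/24, because pfSense evaluates rules on the interface where the packet enters.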


  • Have you tried this in your openvpn client?

    IPv4 Remote networks: Enter the remote (server side) LAN here. To access more than one network, add them all here separated by a comma (e.g. 192.168.77.0/24).



  • Yes, I have that setting configured in the OpenVPN client configuration, in fact exactly like you say:    192.168.77.0/24

    I suspect that might be where this entry in the routing table on the pfSense box is coming from?

    192.168.77.0/24	10.0.8.1		UGS	339     	1500	ovpnc3	
    
    


  • What is the output of tracert 192.168.77.160 on the Windows pc?

    Do you have a pass rule for vpn interface?



  • Thanks for trying to help, gjaltemba!!

    I am embarrassed to say my son on the other end was the one telling me that he couldn't connect to anything on the remote LAN from the home LAN.  As I was troubleshooting that issue, he mentioned the internet had been acting up for "about the past hour" - this is at the home address running pfSense, and it happens to be on a gigabit connection.

    After troubleshooting that issue to TWO LAN computers where two other members of the household were each downloading (and I think possibly seeding) a 3.3 GB patch for ARK (and then stopping those), he could immediately connect to the ASUS LAN cameras' web server.  He isn't able to see the video streams, but I can see them on my phone across two VPN connections, so I think it must be 99% working.

    • Knock on wood, I think it might be fixed *