The best tutorial to start with OpenVPN



  • Hi guys.
    I found two tutorials for setting up OpenVPN connection. Both of them are really good.
    1.) https://www.youtube.com/watch?v=xiy52Hn5bTc
    2.) https://nguvu.org/pfsense/pfsense-inbound_vpn/

    The first one is really easy one, the second one it is a little bit longer to configure…

    Which tutorial should I use?



  • Follow the first tutorial, then the complete tutorial.



  • Ok. I followed the first one, where I changed the port to 443. Everything is working. This was really not hard to configure. Am I missing something, or is that it?



  • @dexener:

    Everything is working … Am I missing something, or is that it?

    What should you be missing if everything is working correctly?



  • Hi all,

    I have been using pfSense for a couple of years now, but first time delving into the OpenVPN.  Basically, I want to be able to VPN into my home network and use my own ISP connection when surfing (i.e. especially if I am in a coffee shop, etc…).

    I have tried the above tutorials.  And they work great for getting me connected to my OpenVPN server and accessing all my local resources (NAS, etc...).  But I can't seem to route any of my traffic out to the internet.  And even my DNS doesn't seem to be working.

    I have followed this pfSense doc (https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server) as well as the YouTube video in the above link.  But none of them talk about adding NAT to route to outside, etc...  They don't even set Interfaces or GW.  Yet the inbound works just fine.

    Is there a guide somewhere that shows every step?
    Thanks in advance for your help.


  • LAYER 8 Netgate

    For what you are trying to do, you should not need to set outbound NAT unless you are running manual outbound NAT.

    Check your Firewall > NAT, Outbound settings. Is the OpenVPN server's tunnel network included in the source networks? If not, post a screen shot of that page.

    For what you are trying to do, you should not need to assign an interface to OpenVPN.

    Did you check the Redirect Gateway checkbox in the server? If so (that would be the correct setting in your case), check that the client doesn't have the equivalent of "don't pull routes" set. If it still doesn't work, connect to the OpenVPN server and look at the routing table on the client. There should be two routes, 0.0.0.0/1 and 128.0.0.0/1, that point at the OpenVPN server's tunnel address. If there are not, then you need to investigate why those routes aren't being installed when you connect.

    Are you passing all traffic to destination any on Firewall > Rules, OpenVPN?
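    A check for the two half-default routes described in the reply above, added here as an example that is not part of this thread: it parses a constructed Windows "route print" IPv4 table and reports which of 0.0.0.0/1 and 128.0.0.0/1 are missing or not pointed at an assumed tunnel gateway of 192.168.50.1.

```python
import ipaddress

# Constructed sample of a Windows "route print" IPv4 table, captured after
# connecting to an OpenVPN server with Redirect Gateway enabled (assumed
# tunnel network 192.168.50.0/24, client 192.168.50.6, local LAN 192.168.30.0/24).
ROUTE_PRINT_OK = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.30.1    192.168.30.50     25
          0.0.0.0        128.0.0.0     192.168.50.1     192.168.50.6      3
        128.0.0.0        128.0.0.0     192.168.50.1     192.168.50.6      3
     192.168.20.0    255.255.255.0     192.168.50.1     192.168.50.6      3
     192.168.30.0    255.255.255.0         On-link     192.168.30.50    281
===========================================================================
"""

# Constructed sample of the same client when the redirect-gateway routes were
# never pushed (or the client refuses to pull routes): only the LAN route exists.
ROUTE_PRINT_NO_REDIRECT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.30.1    192.168.30.50     25
     192.168.20.0    255.255.255.0     192.168.50.1     192.168.50.6      3
"""

# The two "half default" routes OpenVPN installs for redirect-gateway def1.
HALF_DEFAULTS = (ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1"))


def parse_route_print(text):
    """Yield (network, gateway) pairs from route print output, skipping headers and On-link."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:  # data rows have exactly dest, mask, gateway, interface, metric
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            gw = ipaddress.ip_address(parts[2])
        except ValueError:  # "On-link" gateway or a stray header row
            continue
        yield net, gw


def missing_redirect_routes(text, tunnel_gw):
    """Return the half-default routes that are absent or not via the tunnel gateway."""
    gw = ipaddress.ip_address(tunnel_gw)
    present = {net for net, g in parse_route_print(text) if g == gw}
    return [str(n) for n in HALF_DEFAULTS if n not in present]


if __name__ == "__main__":
    for name, table in (("ok", ROUTE_PRINT_OK), ("no-redirect", ROUTE_PRINT_NO_REDIRECT)):
        missing = missing_redirect_routes(table, "192.168.50.1")
        print(name, "redirect-gateway routes OK" if not missing else f"missing {missing}")
```

    Paste a real table into ROUTE_PRINT_OK to run the same check against your own client; an empty result means the redirect-gateway routes are installed.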



  • Hi Derelict,

    Thank you for your help.  I just checked and I am running the manual outbound NAT.  I tried changing it to automatic, but it broke my VPN connection to my provider. :(  Maybe something that is strange with my setup is that I have 2 connections to my VPN provider (2 different locations) and I use my IP addressing to decide which VPN tunnel to use.  Maybe that is why I switched to manual.

    Attaching my firewall NAT rules so that you can have a look.  I did manually add one for my OpenVPN.

    Just so you know my topology:
    192.168.20.0/24 is my local LAN
    192.168.20.64/27 (IP ranges 192.168.20.65-192.168.20.94) go to one of my VPN provider's tunnels.
    192.168.20.100/27 (IP ranges 192.168.20.97-192.168.20.126) go to the other VPN tunnel.

    My DHCP scope for handing out IPs is 192.168.20.10-192.168.20.60.

    My VPN tunnel network is 192.168.50.0/24.

    I also noticed that I was using DNS forwarder instead of DNS resolver.  I just switched to DNS resolver.

    I do have the Redirect Gateway checkbox checked in the server.  And the OpenVPN firewall is passing all traffic.  I used the wizard to set it up.

    Appreciate any help you can provide.



  • LAYER 8 Netgate

    That should work. What about the routes on the client? What about the rules on your OpenVPN tab?



  • The OpenVPN tab in Firewalls is Allow everything (default rule put in by the wizard).

    I have attached the Route Print from my Win8 machine (I was local on a 192.168.30.x subnet).

    When I was connected to the VPN, I was able to ping everything in my 192.168.20.x subnet.  I was able to do nslookups using 192.168.20.1 successfully.

    However, when I did a tracert google.com, I would only get to my first hop of 192.168.50.1 and everything was unreachable after that. :(

    Not sure how to proceed to keep troubleshooting.

    routeprint.txt


  • LAYER 8 Netgate

    That looks fine too.

    Post screen shots of your OpenVPN rules, if you have an assigned OpenVPN interface on that OpenVPN server post those rules as well.

    It should be working. Hard to know what is where that is keeping it from working.

    Maybe post the output from:

    netstat -rnf inet

    run on pfSense in Diagnostics > Command Prompt.



  • I really appreciate your help Derelict.

    Here are the OpenVPN rules, my interfaces, and my netstat.

  • LAYER 8 Netgate

    Your default gateway is that openvpn client. You need to put outbound NAT for 192.168.50.0/24 on that interface since that's where it is being routed.

    You can policy route that traffic out WAN by adding a pass rule on the OpenVPN tab for all traffic sourced from network 192.168.50.0/24, click advanced, and set the WAN gateway. That rule would have to be above the pass any any rule.

    Outbound NAT rules do not route traffic. They have nothing to do with routing decisions. They simply tell pf what NAT to perform, if any, when traffic is routed out an interface by policy routing or the routing table.



  • Not sure I understand what to do Derelict.

    Are you saying that I need to add a firewall rule in my OpenVPN tab that says

    Pass  Source 192.168.50.0  Dest Any  Default Gateway WAN

    And I have to put that at the top?  What happens if I am trying to get to my internal hosts?



  • Is this what you mean?



  • LAYER 8 Netgate

    That rule is protocol TCP only. Make it any.



  • You are the best Derelict!

    Thank you so much.  It seems to be working, but I'll do some full testing tomorrow.

    I added a rule so that traffic going to my LAN net doesn't use the WAN interface.  I put that at the top.  Then, I followed it with the rule for traffic going any to route out the WAN interface.  Now, I can ping my internal LAN devices as well as pinging external sites.

