Netgate Discussion Forum
    The best tutorial to start with OpenVPN

      dexener

      Hi guys.
      I found two tutorials for setting up an OpenVPN connection. Both of them are really good.
      1.) https://www.youtube.com/watch?v=xiy52Hn5bTc
      2.) https://nguvu.org/pfsense/pfsense-inbound_vpn/

      The first one is really easy; the second one is a little bit longer to configure…

      Which tutorial should I use?

        shetu

        Follow the first tutorial, then the completed tutorial.

          dexener

          Ok. I followed the first one, where I changed the port to 443. Everything is working. This was really not hard to configure. Am I missing something, or is that it?

            jahonix

            @dexener:

            Everything is working … Am I missing something, or is that it?

            What should you be missing if everything is working correctly?

              JackR

              Hi all,

              I have been using pfSense for a couple of years now, but this is my first time delving into OpenVPN. Basically, I want to be able to VPN into my home network and use my own ISP connection when surfing (i.e. especially if I am in a coffee shop, etc.).

              I have tried the above tutorials. They work great for getting me connected to my OpenVPN server and accessing all my local resources (NAS, etc.). But I can't seem to route any of my traffic out to the internet. And even my DNS doesn't seem to be working.

              I have followed this pfSense doc (https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server) as well as the YouTube video in the above link. But none of them talk about adding NAT to route to outside, etc. They don't even set interfaces or a GW. Yet the inbound works just fine.

              Is there a guide somewhere that shows every step?
              Thanks in advance for your help.

                Derelict (Netgate)

                For what you are trying to do, you should not need to set outbound NAT unless you are running manual outbound NAT.

                Check your Firewall > NAT, Outbound settings. Is the OpenVPN server's tunnel network included in the source networks? If not, post a screen shot of that page.

                For what you are trying to do, you should not need to assign an interface to OpenVPN.

                Did you check the Redirect Gateway checkbox in the server? If so (that would be the correct setting in your case), check that the client doesn't have the equivalent of don't pull routes set. If it still doesn't work, connect to the OpenVPN server and look at the routing table on the client. There should be two routes, 0.0.0.0/1 and 128.0.0.0/1 that point at the OpenVPN server's tunnel address. If there are not, then you need to investigate why those routes aren't being installed when you connect.

                Are you passing all traffic to destination any on Firewall > Rules, OpenVPN?

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  JackR
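A client-side check for the routes Derelict describes, as an added example that is not part of the thread and not pfSense or OpenVPN code: it parses a constructed Windows-style IPv4 route table and reports which of the two half-default routes (0.0.0.0/1 and 128.0.0.0/1) do not point at the tunnel address 192.168.50.1; a missing pair means redirect-gateway was not applied on the client (for instance, a client configured not to pull routes). The sample tables and addresses are constructed, not JackR's attachment.

```python
import ipaddress

# Constructed sample of the IPv4 route table from a Windows "route print" on a
# client that pulled redirect-gateway from the server (not JackR's attached file).
ROUTES_REDIRECTED = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.30.1   192.168.30.15     25
          0.0.0.0        128.0.0.0    192.168.50.1    192.168.50.6    281
        128.0.0.0        128.0.0.0    192.168.50.1    192.168.50.6    281
     192.168.20.0    255.255.255.0    192.168.50.1    192.168.50.6    281
     192.168.30.0    255.255.255.0         On-link   192.168.30.15    281
"""

# Same client with "don't pull routes" (or no redirect-gateway): only the LAN route.
ROUTES_NOT_PULLED = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.30.1   192.168.30.15     25
     192.168.20.0    255.255.255.0    192.168.50.1    192.168.50.6    281
     192.168.30.0    255.255.255.0         On-link   192.168.30.15    281
"""

# The two half-default routes redirect-gateway pushes; together they cover
# 0.0.0.0/0 but are more specific than the ISP default route, so they win.
HALF_DEFAULTS = (ipaddress.ip_network("0.0.0.0/1"),
                 ipaddress.ip_network("128.0.0.0/1"))


def parse_routes(text):
    """Yield (network, gateway) for each data row of a route-print style table."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, blank or wrapped line
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        except ValueError:
            continue  # not an IPv4 destination/netmask pair
        yield net, parts[2]


def missing_redirect_routes(text, tunnel_gw):
    """Return the half-default routes that do not point at the server's tunnel
    address; an empty list means redirect-gateway was applied on the client."""
    via_tunnel = {net for net, gw in parse_routes(text) if gw == tunnel_gw}
    return [str(net) for net in HALF_DEFAULTS if net not in via_tunnel]


if __name__ == "__main__":
    for label, table in (("redirected", ROUTES_REDIRECTED), ("not pulled", ROUTES_NOT_PULLED)):
        print(label, "missing:", missing_redirect_routes(table, "192.168.50.1"))
```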

                  Hi Derelict,

                  Thank you for your help. I just checked and I am running manual outbound NAT. I tried changing it to automatic, but it broke my VPN connection to my provider. :( Maybe something that is strange with my setup is that I have 2 connections to my VPN provider (2 different locations) and I use my IP addressing to decide which VPN tunnel to use. Maybe that is why I switched to manual.

                  Attaching my firewall NAT rules so that you can have a look. I did manually add one for my OpenVPN.

                  Just so you know my topology:
                  192.168.20.0/24 is my local LAN
                  192.168.20.64/27 (IP range 192.168.20.65-192.168.20.94) goes to one of my VPN provider's tunnels.
                  192.168.20.100/27 (IP range 192.168.20.97-192.168.20.126) goes to the other VPN tunnel.

                  My DHCP scope for handing out IPs is 192.168.20.10-192.168.20.60.

                  My VPN tunnel network is 192.168.50.0/24.

                  I also noticed that I was using the DNS forwarder instead of the DNS resolver. I just switched to the DNS resolver.

                  I do have the Redirect Gateway checkbox checked in the server. And the OpenVPN firewall is passing all traffic. I used the wizard to set it up.

                  Appreciate any help you can provide.

                  NAT.png

                    Derelict (Netgate)

                    That should work. What about the routes on the client? What about the rules on your OpenVPN tab?


                      JackR

                      The OpenVPN tab in Firewall is allow everything (the default rule put in by the wizard).

                      I have attached the Route Print from my Win8 machine (I was local on a 192.168.30.x subnet).

                      When I was connected to the VPN, I was able to ping everything in my 192.168.20.x subnet. I was able to do nslookups using 192.168.20.1 successfully.

                      However, when I did a tracert google.com, I would only get to my first hop of 192.168.50.1 and everything was unreachable after that. :(

                      Not sure how to proceed to keep troubleshooting.

                      routeprint.txt

                        Derelict (Netgate)

                        That looks fine too.

                        Post screen shots of your OpenVPN rules; if you have an assigned OpenVPN interface on that OpenVPN server, post those rules as well.

                        It should be working. Hard to know what is where that is keeping it from working.

                        Maybe the output from:

                        netstat -rnfinet

                        from pfSense in Diagnostics > Command Prompt


                          JackR

                          I really appreciate your help Derelict.

                          Here are the OpenVPN rules, my interfaces, and my netstat.

                          openvpnrules.png
                          interfaces.png
                          netstat.png

                            Derelict (Netgate)

                            Your default gateway is that OpenVPN client. You need to put outbound NAT for 192.168.50.0/24 on that interface, since that's where it is being routed.

                            You can policy route that traffic out WAN by adding a pass rule on the OpenVPN tab for all traffic sourced from network 192.168.50.0/24, click advanced, and set the WAN gateway. That rule would have to be above the pass any any rule.

                            Outbound NAT rules do not route traffic. They have nothing to do with routing decisions. They simply tell pf what NAT to perform, if any, when traffic is routed out an interface by policy routing or the routing table.


                              JackR

                              Not sure I understand what to do Derelict.

                              Are you saying that I need to add a firewall rule in my OpenVPN tab that says

                              Pass | Source 192.168.50.0 | Dest Any | Default Gateway WAN

                              And I have to put that at the top? What happens if I am trying to get to my internal hosts?

                                JackR

                                Is this what you mean?

                                newrule.png

                                  Derelict (Netgate)

                                  That rule is protocol TCP only. Make it any.


                                    JackR

                                    You are the best Derelict!

                                    Thank you so much. It seems to be working, but I'll do some full testing tomorrow.

                                    I added a rule so that traffic going to my LAN net doesn't use the WAN interface. I put that at the top. Then, I followed it with the rule for traffic going anywhere to route out the WAN interface. Now, I can ping my internal LAN devices as well as pinging external sites.

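A small first-match simulation of the OpenVPN-tab rule set the thread converges on (Derelict's policy-route rule, the TCP-only draft, and JackR's LAN exception placed above it), as an added example that is not part of the thread and not pfSense code. It uses the thread's networks (192.168.50.0/24 tunnel, 192.168.20.0/24 LAN); the gateway labels WAN_GW and VPN_GW and the client address 192.168.50.6 are constructed. It shows why the LAN rule must sit above the WAN-gateway rule and why a TCP-only rule leaves ping and DNS on the default route.

```python
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.20.0/24")     # JackR's LAN
TUNNEL_NET = ipaddress.ip_network("192.168.50.0/24")  # OpenVPN tunnel network
ANY = ipaddress.ip_network("0.0.0.0/0")
BLOCK = "BLOCK"  # no rule matched: pfSense's implicit default deny

# Rule = (protocol, source, destination, gateway). gateway None means "use the
# routing table", whose default route in this thread is the VPN-provider client
# (label VPN_GW, constructed). Rules are evaluated first-match, top to bottom,
# like the rules on an interface tab.
FINAL_RULES = [
    ("any", TUNNEL_NET, LAN_NET, None),   # LAN-bound: do not policy route
    ("any", TUNNEL_NET, ANY, "WAN_GW"),   # everything else from the tunnel: WAN
    ("any", ANY, ANY, None),              # wizard's pass-all rule
]
TCP_ONLY_RULES = [                        # the first draft: protocol TCP only
    ("tcp", TUNNEL_NET, ANY, "WAN_GW"),
    ("any", ANY, ANY, None),
]
WRONG_ORDER_RULES = [                     # WAN rule above the LAN exception
    ("any", TUNNEL_NET, ANY, "WAN_GW"),
    ("any", TUNNEL_NET, LAN_NET, None),
    ("any", ANY, ANY, None),
]


def egress(rules, proto, src, dst, default_gw="VPN_GW"):
    """Gateway a packet leaves through: the matched rule's policy gateway if it
    sets one, else the routing table (connected LAN first, then the default)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rproto, rsrc, rdst, gw in rules:
        if rproto in ("any", proto) and src in rsrc and dst in rdst:
            if gw is not None:
                return gw
            return "LAN" if dst in LAN_NET else default_gw
    return BLOCK


if __name__ == "__main__":
    for name, rules in (("final", FINAL_RULES), ("tcp-only", TCP_ONLY_RULES),
                        ("wrong-order", WRONG_ORDER_RULES)):
        print(name, "| ping 8.8.8.8 ->", egress(rules, "icmp", "192.168.50.6", "8.8.8.8"),
              "| ping LAN host ->", egress(rules, "icmp", "192.168.50.6", "192.168.20.5"))
```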
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.