OpenVPN Server and Client Simultaneously



  • Hi all,

    I've been trying to use my pfSense box as an OpenVPN server as it has better specs than my NAS which I have been using up till now.  I'm currently running an OpenVPN client to my VPN provider and that works fine; however, I can't seem to get a server running.  I'm able to enable the server and even connect to it, but can't access the internet.  I believe it's a NAT problem, but can't figure it out.  I'm trying to come in via the OpenVPN server and out over the OpenVPN client.  I've included some screenshots of relevant sections and could use some help.  Thanks!
    ![Outbound NAT.jpg](/public/imported_attachments/1/Outbound NAT.jpg)
    ![Firewall WAN.jpg](/public/imported_attachments/1/Firewall WAN.jpg)
    ![Firewall LAN.jpg](/public/imported_attachments/1/Firewall LAN.jpg)
    ![Firewall OpenVPN.jpg](/public/imported_attachments/1/Firewall OpenVPN.jpg)



  • Anybody?


  • LAYER 8 Netgate

    It is almost always a bad idea to use source any for outbound NAT.

    I would tailor that to include the subnets you actually want to perform NAT for. In your case that would need to include the tunnel network you assigned to your OpenVPN server.

    I am assuming when you look at the routing table (Diagnostics > Routes) when the VPN client is connected to the provider, you see routes for 0.0.0.0/1 and 128.0.0.0/1 going to ovpncX?

    I also assume you have Redirect Gateway checked in the OpenVPN Server?

    Can OpenVPN clients ping 192.168.2.1 (or whatever the LAN interface address is)?



  • @Derelict:

    It is almost always a bad idea to use source any for outbound NAT.

    I would tailor that to include the subnets you actually want to perform NAT for. In your case that would need to include the tunnel network you assigned to your OpenVPN server.

    I am assuming when you look at the routing table (Diagnostics > Routes) when the VPN client is connected to the provider, you see routes for 0.0.0.0/1 and 128.0.0.0/1 going to ovpncX?

    I also assume you have Redirect Gateway checked in the OpenVPN Server?

    Can OpenVPN clients ping 192.168.2.1 (or whatever the LAN interface address is)?

    Thanks for replying.  I can see 0.0.0.0/1 and 128.0.0.0/1 going out to the VPN provider and have the redirect checked in the server.  It seems I can ping the LAN, but the latency is unbearable leading to timeouts.  For some reason, it also affects my outgoing connection to the VPN provider.  My hardware should be able to handle it as it's using a Core i3 with AES instructions enabled.

    When you say "any" for the outgoing NAT, do you mean my last line where the OpenVPN interface is?  If so, should that only include my OpenVPN tunnel network or that along with my LAN network?  Just don't want to break my OpenVPN client in addition to the server, lol.


  • LAYER 8 Netgate

    When you say "any" for the outgoing NAT, do you mean my last line where the OpenVPN interface is?  If so, should that only include my OpenVPN tunnel network or that along with my LAN network?  Just don't want to break my OpenVPN client in addition to the server, lol.

    Yes.



  • @Derelict:

    When you say "any" for the outgoing NAT, do you mean my last line where the OpenVPN interface is?  If so, should that only include my OpenVPN tunnel network or that along with my LAN network?  Just don't want to break my OpenVPN client in addition to the server, lol.

    Yes.

    So do I include just my tunnel network or also my LAN network too?  Thanks for the help.


  • LAYER 8 Netgate

    Every source network that you want to be outbound NAT on the way out that interface must match an outbound NAT rule. Source any catches other things like traffic from the interface address itself and generally breaks things.



  • @Derelict:

    Every source network that you want to be outbound NAT on the way out that interface must match an outbound NAT rule. Source any catches other things like traffic from the interface address itself and generally breaks things.

    Still no go.  Even before I try connecting remotely, my internet goes dead (everything going out my VPN pipe) as soon as I turn on the OpenVPN server.  As soon as I delete or turn off the server, everything comes back online almost immediately.  I'm running TCP/443 on my OpenVPN client and using the default UDP/1194 on the server.  Any other ideas?


  • LAYER 8 Netgate

    That makes zero sense. Post your client and server configs.

    That rule on the OpenVPN tab is bad news when you have OpenVPN configured as a WAN port.

    You should assign an interface to the OpenVPN server, place the pass any any rule on that, and have no rules on the OpenVPN tab and no rules on the interface assigned to the OpenVPN client. What you have will pass any connection that comes inbound from the OpenVPN service.
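An added illustration of the two points above (tailored outbound NAT instead of "source any", and a pass rule on a dedicated server interface rather than on the OpenVPN group tab), written here as a hand-crafted pf.conf fragment and not anything pfSense itself generates from the GUI. The interface names ovpnc1/ovpns1 and the LAN subnet 192.168.2.0/24 are assumptions; 192.168.3.0/24 is the server tunnel network used later in this thread.

```pf
# Hand-written pf.conf fragment for illustration only; pfSense builds its
# own ruleset from the GUI, so these lines are not meant to be pasted in.
# Assumed names: ovpnc1 = OpenVPN client to the provider,
#                ovpns1 = interface assigned to the OpenVPN server.
lan_net    = "192.168.2.0/24"   # assumed LAN subnet
tunnel_net = "192.168.3.0/24"   # server tunnel network from the thread

# Weak (what "source any" on the Outbound NAT tab amounts to): it also
# translates traffic sourced from the firewall's own interface addresses.
# nat on ovpnc1 inet from any to any -> (ovpnc1)

# Tailored: only the networks that should be NATed out the provider tunnel,
# which must include the server's tunnel network for road-warrior clients.
nat on ovpnc1 inet from { $lan_net, $tunnel_net } to any -> (ovpnc1)

# Pass rule on the interface assigned to the server only; nothing on the
# generic OpenVPN group (which would also match the client interface) and
# nothing inbound on the interface assigned to the client.
pass in quick on ovpns1 inet from $tunnel_net to any
```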


  • LAYER 8 Netgate

    Why is your port 1194 apparently port forwarded inbound to 192.168.2.104? At least that's what the WAN rule looks like.



  • @Derelict:

    Why is your port 1194 apparently port forwarded inbound to 192.168.2.104? At least that's what the WAN rule looks like.

    That was my original OpenVPN server on my NAS.  I've disabled the server on the NAS and firewall rule in pfSense.



  • @Derelict:

    That makes zero sense. Post your client and server configs.

    That rule on the OpenVPN tab is bad news when you have OpenVPN configured as a WAN port.

    You should assign an interface to the OpenVPN server, place the pass any any rule on that, and have no rules on the OpenVPN tab and no rules on the interface assigned to the OpenVPN client. What you have will pass any connection that comes inbound from the OpenVPN service.

    Figures, the wizard placed that rule in the OpenVPN tab.  I removed it, assigned the server an interface, and added a pass any rule on the interface.  Still nothing.  What I can't understand is why everything going through my OpenVPN client goes dead the second I activate the server.  Just doesn't make sense.


  • LAYER 8 Netgate

    Yeah I could build what you are trying to do in 5 minutes. Finding out what you've done wrong from afar is taking longer.

    The OpenVPN server and client processes are completely independent from each other. Unless you have some same-subnet things in the configs or something.



  • @Derelict:

    Yeah I could build what you are trying to do in 5 minutes. Finding out what you've done wrong from afar is taking longer.

    The OpenVPN server and client processes are completely independent from each other. Unless you have some same-subnet things in the configs or something.

    Thanks for trying to help.  I'll keep messing with it and hopefully get it worked out.


  • LAYER 8 Netgate

    If enabling the server has any effect on existing traffic, it sounds like you have chosen a subnet for the tunnel network that conflicts with something.

    Usually that means the server won't install the route because it already exists. Maybe you did something different.

    What did you use for the tunnel network?



  • @Derelict:

    If enabling the server has any effect on existing traffic, it sounds like you have chosen a subnet for the tunnel network that conflicts with something.

    Usually that means the server won't install the route because it already exists. Maybe you did something different.

    What did you use for the tunnel network?

    I used 192.168.3.0/24 for my tunnel network.  It's all working now after setting up the interface and adjusting NAT rules.  Thanks for that.  Now I just need to figure out if it's possible to use a different route when I'm on my home WiFi network.  I can't use the OpenVPN setting that says "Cellular Only" as I'm using redirect-gateway and that doesn't allow the iPhone to switch back to WiFi when it's available.

