Netgate Discussion Forum

    OpenVPN with router behind pfsense.

RuiMiguel

Hi.
I have a router behind my pfSense and I'm trying to administer my pfSense using VPN. I am assuming that 172.20.18.0/24 is my internet.
ROUTER:
fastethernet_0: I gave it 172.20.18.20
fastethernet_1: I gave it 192.168.2.1
PS: there is no issue with the routing table in my router.
PFSENSE:
WAN: I gave it 192.168.2.2
LAN: I gave it 10.10.10.1

OpenVPN configuration seems to be good.
I configured my clients to connect via 172.20.18.20.
So, I NAT port forward on my router like this:

ip nat inside source static udp 10.10.10.1 1194 interface FastEthernet0/0 1194

The goal is reaching my LAN. My client has 172.20.18.185.
Why can't I connect? This is what I get:

Tue Jul 17 16:25:06 2018 OpenVPN 2.3.18 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Sep 26 2017
Tue Jul 17 16:25:06 2018 Windows version 6.2 (Windows 8 or greater) 32bit
Tue Jul 17 16:25:06 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Tue Jul 17 16:25:51 2018 Control Channel Authentication: using 'pfSense-udp-1194-kalaneVPN-tls.key' as a OpenVPN static key file
Tue Jul 17 16:25:51 2018 UDPv4 link local (bound): [undef]
Tue Jul 17 16:25:51 2018 UDPv4 link remote: [AF_INET]172.20.18.20:1194
Tue Jul 17 16:26:51 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jul 17 16:26:51 2018 TLS Error: TLS handshake failed
Tue Jul 17 16:26:51 2018 SIGUSR1[soft,tls-error] received, process restarting
Tue Jul 17 16:26:53 2018 UDPv4 link local (bound): [undef]
Tue Jul 17 16:26:53 2018 UDPv4 link remote: [AF_INET]172.20.18.20:1194
Tue Jul 17 16:27:53 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jul 17 16:27:53 2018 TLS Error: TLS handshake failed

johnpoz (LAYER 8 Global Moderator)

Draw this up... If your pfSense WAN is 192.168.2.2, why would you be trying to connect to 172.20.18.20?

172.20.18.0/24 is my internet

That is not internet - that is an RFC1918 address. There is no possible way to connect to that IP from the internet.

So unless you're on this 172.20 network or on some local network that can get to that 172.20 network, you're never going to connect.

If the pfSense WAN is 192.168.x then it's behind a NAT. To get to pfSense from the internet you would have to forward to the pfSense WAN from the NAT device in front of pfSense and then access the PUBLIC IP from the internet.

10.x.x.x
172.16-31.x.x
192.168.x.x

are RFC1918 - they cannot route on the internet and are only private IP space.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

RuiMiguel @johnpoz

@johnpoz (attached image: Sem Título.png)

I am assuming that 172.20.18.0/24 is a public network (internet). So, in my case 172.20.18.20 is my public address.

RuiMiguel @RuiMiguel

@ruimiguel
172.20.18.185 is my client. So I have exported the VPN client and installed it on my client. It is set to try the connection via 172.20.18.20.

NogBadTheBad @RuiMiguel

@ruimiguel

If you google "what's my IP address" I bet it doesn't come back with any of the following:

10.x.x.x
172.16-31.x.x
192.168.x.x

What you think is your Internet router isn't.

Andy

1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

RuiMiguel @NogBadTheBad

@nogbadthebad
OK, I understand. I am not doing a real test; there is no real internet. The client 172.20.18.185 and 172.20.18.20 are in the same net... so it should work, because I am doing NAT port forwarding on 172.20.18.20.

NogBadTheBad

Does it work if you connect your client to 192.168.2.x?

You might find that the double NAT is causing issues.

johnpoz (LAYER 8 Global Moderator)

If you want to call 172.20 the internet that is fine... But you will have to forward on that router in front of pfSense if it's doing NAT - which I would bet large sums of money that it is.

RuiMiguel @NogBadTheBad

@nogbadthebad
OK. I decided to put a real public IP. Now in this configuration, what should I do to make it work? I cannot eliminate the router because it is part of the work they want me to do. So I have to make it work as it is.
(attached image: Sem Título.png)

OpenVPN configuration is set and seems to be good.
I configured my clients to connect via 197.179.193.61.
So, I NAT port forward on my router like this:

ip nat inside source static udp 10.10.10.1 1194 interface 197.179.193.61 1194

The goal is reaching my LAN. My client has 172.20.18.185.
Why can't I connect? This is what I am getting:

Tue Jul 17 16:25:06 2018 OpenVPN 2.3.18 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Sep 26 2017
Tue Jul 17 16:25:06 2018 Windows version 6.2 (Windows 8 or greater) 32bit
Tue Jul 17 16:25:06 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Tue Jul 17 16:25:51 2018 Control Channel Authentication: using 'pfSense-udp-1194-kalaneVPN-tls.key' as a OpenVPN static key file
Tue Jul 17 16:25:51 2018 UDPv4 link local (bound): [undef]
Tue Jul 17 16:25:51 2018 UDPv4 link remote: [AF_INET]197.179.193.61:1194
Tue Jul 17 16:26:51 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jul 17 16:26:51 2018 TLS Error: TLS handshake failed
Tue Jul 17 16:26:51 2018 SIGUSR1[soft,tls-error] received, process restarting
Tue Jul 17 16:26:53 2018 UDPv4 link local (bound): [undef]
Tue Jul 17 16:26:53 2018 UDPv4 link remote: [AF_INET]197.179.193.61:1194
Tue Jul 17 16:27:53 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

johnpoz (LAYER 8 Global Moderator)

So you just picked some random public IP?? OMG!!!

inetnum: 197.176.0.0 - 197.179.255.255
netname: SFC-GPRS-EDGE-3G-SERVICE-POOL-SEG1
descr: SAFARICOM LTD KENYA

You're not getting it!!!

What part did you not get about port forwarding at the router?? Why would you be trying to port forward to the LAN IP, when you have pfSense there NATting as well?

ip nat inside source static udp 10.10.10.1 1194 interface 197.179.193.61 1194

That makes ZERO sense...

How is your RFC1918 client going to talk to that IP? What is routing between them? Did you change the client's IP to be on that 197.x network?

Your packet is hitting the WAN IP of your router... Where does it have to go to get to pfSense? The 10 network, which is the pfSense LAN, or the pfSense WAN IP... Think about it for a few seconds ;)

Maybe they should get someone with a better understanding of the basics to do whatever it is you're trying to do.

RuiMiguel @johnpoz

@johnpoz
Mister.
You are just complicating the thing. I chose a random IP because you are just so obsessed with public IPs. Maybe if you were just a little humble you would really understand that I am using abstraction. There is no real public IP. Anyway, thanks for your golden time!

RuiMiguel @johnpoz

@johnpoz
There is no problem in my test. The only problem was in the router forwarding configuration. It should be:
ip nat inside source static udp 192.168.2.2 1194 interface 197.179.193.61 1194
This way it is up and running. Client (172.20.18.185); imaginary public IP address 172.20.18.20.
I have some limitations that oblige me to do things like I did.
So now if I manage to change 172.20.18.20 for a real public IP I would be able to connect to my pfSense from anywhere, I suppose.
Correct me if I am wrong, please.

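An added check, not code from this thread or from pfSense or Cisco, that models the two NAT hops described in the posts above and traces an inbound UDP 1194 packet through the original and the corrected static NAT rule. It assumes the OpenVPN listener is bound to the pfSense WAN interface and uses the interface-name form of the rule from the first post; the topology values are taken from the thread.

```python
import ipaddress

# Constructed model of the thread's topology (assumption, not pfSense/Cisco code):
# client --> router (static NAT on its outside interface) --> pfSense WAN --> LAN.
ROUTER_INSIDE_NET = ipaddress.ip_network("192.168.2.0/24")  # router fastethernet_1 side
PFSENSE_WAN_IP = ipaddress.ip_address("192.168.2.2")
OPENVPN_PORT = 1194  # OpenVPN server listening on the pfSense WAN interface


def parse_static_nat(rule):
    """Parse 'ip nat inside source static <proto> <inside_ip> <port> interface <if> <port>'."""
    parts = rule.split()
    if parts[:5] != ["ip", "nat", "inside", "source", "static"] or "interface" not in parts:
        raise ValueError("unsupported NAT rule: " + rule)
    proto = parts[5]
    inside_ip = ipaddress.ip_address(parts[6])
    inside_port = int(parts[7])
    outside_port = int(parts[-1])
    return proto, inside_ip, inside_port, outside_port


def trace_inbound(rule, proto="udp", dport=OPENVPN_PORT):
    """Follow one inbound packet that arrives on the router's outside interface."""
    nat_proto, inside_ip, inside_port, outside_port = parse_static_nat(rule)
    # Hop 1: the router only translates traffic matching the static entry.
    if (nat_proto, dport) != (proto, outside_port):
        return "dropped at router: no static NAT entry for %s/%d" % (proto, dport)
    # After translation the router must deliver to inside_ip. Only a host on its
    # own inside network is directly reachable; 10.10.10.x sits behind pfSense's NAT.
    if inside_ip not in ROUTER_INSIDE_NET:
        return "dropped at router: %s is not on inside network %s" % (inside_ip, ROUTER_INSIDE_NET)
    # Hop 2: pfSense WAN. The OpenVPN listener answers only for its own WAN
    # address and port; anything else would need its own pfSense port forward.
    if inside_ip == PFSENSE_WAN_IP and inside_port == OPENVPN_PORT:
        return "delivered to OpenVPN on pfSense WAN %s:%d" % (inside_ip, inside_port)
    return "dropped at pfSense WAN: no listener or port forward for %s:%d" % (inside_ip, inside_port)


# The two rules from the thread: the original one and the corrected one.
WRONG_RULE = "ip nat inside source static udp 10.10.10.1 1194 interface FastEthernet0/0 1194"
FIXED_RULE = "ip nat inside source static udp 192.168.2.2 1194 interface FastEthernet0/0 1194"

if __name__ == "__main__":
    for rule in (WRONG_RULE, FIXED_RULE):
        print(rule, "->", trace_inbound(rule))
```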
johnpoz (LAYER 8 Global Moderator)

I understand your testing of RFC1918 as "internet"; I even stated such.

I am not complicating anything... You put up a drawing with

client rfc1918 --- internet --- made up public IP..

How are they supposed to talk to each other if on the same L2?

Yes, if your test shows you can connect through your router to pfSense, then yes, if you put an actual public IP on it you should be able to get to it from the internet.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.