Can connect to OpenVPN Server but loose access



  • hi i have OpenVPN Server running on the pfsense for remote access got the certs and rules setup
    when i connect with my cell phone from the network or from a remote location OpenVPN Client connects i get the green light.. but then i loose all internet.. what would normally cause that???
    here is the rule i set
    0_1536409950390_openvpn1.JPG .. let me know any other pics needed


  • Rebel Alliance Global Moderator

    Why in the world would you have a gateway setup on your wan rule? Makes ZERO sense.



  • well i followed the Pfsense Tutorial from Cross Talk
    https://www.youtube.com/watch?v=Q6YbCQEiC3c

    and im guessing its because its for incomming connections from the Wan port.
    im guessing thats the reason?
    why where should it be under LAN? i can copy it and make it to lan


  • Rebel Alliance Global Moderator

    If they told you to put a gateway on your wan rule then their instructions are completely BORKED!! You would never do such a thing.. Nor would you put it on your lan rules..

    I just skimmed through that video - they don't show putting a gateway on the wan rule.

    0_1536414136276_wanrules.png



  • ok so where would you put the port 1195 rule then in nat? or would i put it under the remoteaccess heading then?


  • Rebel Alliance Global Moderator

    Your 1195 port is setup on the server, and you have to allow that on your WAN - you just would not set a gateway on the rule!

    15 min to setup a vpn server... My gawd these people love to hear themselves go on an on... Should be like 3 minute video ;)



  • 8:40 seconds they choose the WAN setting and put the 1195 on the wan rule

    not sure what you mean i wouldnt set a gateway on the rule


  • Rebel Alliance Global Moderator

    Here this is wrong

    0_1536414429361_wangatewayrulepng.png



  • if you mean instead of a * for gateway and where i have it set for WAN_PPOPE
    i dont want it going through the VPN service i just want it to bypass the vpn connection so its not double encrypted and slow down my connection more? if thats what you mean

    as i have some computers on VPN and some things bypassed the VPN and i figure setting it the WAN_PPOE that when i connect with my cell it goes to the WAN interface and not my nordvpn interface..


  • Rebel Alliance Global Moderator

    If you want to policy route clients on your lan side networks to use vpn or normal gateway you would do that on the lan side rules, NOT on the wan rule allowing access to your vpn server from the outside world



  • ah i not sure.. what i need?
    im just the only user its my home network.. i wanna be able to connect when im not at home to my pfsense to access my local network
    and i figured i need to set it to wanppoe as then it wouldnt use nordvpn..
    as i figured the default gateway now is the nordvpn as thats how its set up on the lan side.. but ill change it back to *

    i figured since you can set which gateway id set it to the one that bypass's the nordvpn service... thanks for the help so far

    i guess the only time ud change that is if you had 2 wan ports maybe?



  • ok i set it back to * what else do i check as it still doesnt work0_1536414898100_openvpn2.JPG



  • here my lan rules0_1536415005121_openvpn3.JPG


  • Rebel Alliance Global Moderator

    Well your forcing all your lan net clients out your nordvpn connection, so how would they get to your vpn clients..

    You need a rule above that that lets dest to your tunnel network (your vpn clients IPs) to use normal routing so pfsense can send the traffic back out the vpn connection.



  • well how i thought it was. was the computers on the local network when they want internet they would be forced to use the vpn service

    but if im away from home when i access my network it bypassthe vpn service

    so how would that rule look like im guessing it goes in the LAN section just above the nordvvpn canada lan and under the xbox bypass vpn

    always learning i appreciate the help so far



  • would it look like this 0_1536415815525_openvpn4.JPG
    source is coming from the wan address to the lan ips


  • Rebel Alliance Global Moderator

    What is you want exactly? If you want to get to your lan clients then you would need a rule above where you force them out your nordvpn to get to your tunnel network.

    Also that 3rd rule makes zero sense as well.. If your blocking 192.168.0.5 from talking to your wan address - why would it have a gateway??

    I think you need to take a look at the pfsense book that is available about policy routing.


  • Rebel Alliance Global Moderator

    NO it would not look like that... When would wan address ever be a source into your lan interface.. I think there is a disconnect on how rules are evaluated..



  • i want all my computers on my home network to go out the NordVPN when im at home

    when im say at a friends house i wanna connect to my home network access all my computers and not go through the NordVPN by pass it.. as that be double vpn and then my internet be even slower would it not???

    the 3rd line is for my downloading computer.. so when the NordVPN stops working that downloading computer can not use regular internet.. it forces that it can not use the wan_ppoe gateway ever... as if you disable nordvpn client on pfsense the downloading computer keeps downloading.. and i wanted a kill switch so if nordvpn goes down so does the downloading computer

    well then i not sure how to do it then i need pictures

    welll if the wan address source is never to be used under lan why is it an option

    i thought its so for any WaN incomming WAN side connections it goes directly to the LAN address's

    then i lost


  • Rebel Alliance Global Moderator

    Well your 3rd rule doesn't do what you think it does... downloading stuff from the internet is not dest of your wan address.. All that is whatever your wan address is.

    What is your tunnel network? If its 10.0.8/24 for example then create a rule above your nord policy route that says if dest 10.0.8 NO gateway set.

    When you vpn in, if you have your vpn clients set to use vpn ad def gateway - ie route all traffic then it would use your normal connection and not your nordvpn. As long as your actually policy routing that and not pulling routes from the connection so your default route is nord..



  • well it seemed to work.. if it doesnt work then how you make the kill switch so if vpn service is down no interenet traffic may goto that computer..

    and my tunnel network is 192.168.0.100/24 and my local is 192.168.0.0/24

    and i have set the do not pull routes under the nordvpn


  • Rebel Alliance Global Moderator

    Sorry but if something is working how you want, its not because of that rule.. Sorry but that rules says block if you source is 192.168.0.5 as the IP and its dest is your wan address.. Lets say that is 1.2.3.4 then block it.. It has ZERO use or need of a gateway since its a block rule to start with.

    And going to say 4.5.6.7 some public IP on the internet is NOT your wan address of 1.2.3.4 so that rule would not even trigger..

    What I suggest you do is read the book on policy routing and how rules are evaluated on the firewall..

    Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated. There is plenty of info on a "kill switch" Derelict I believe did a whole long how to on it somewhere.. There might even be a hangout on it? Which are now available on youtube vs those hey bring traffic to my site because I have pfsense in my subject..



  • im sure im done this wrong.. and not trying to get you mad.. just learning as i go
    and ok ill check out that stuff

    reason i put the block on is.. its below the NordVPN and doesnt that mean
    yes when NordVPN service is working it does that rule.. but if the NordVPN is offline it would skip that rule right ..or does it still keep that rule... as thats the reason i put that block below nordvpn incase the service would shut off then the rule gets skipped and goes to allow it..
    because the last line is your Default Lan so when the NordVPN goes down.. i still can use the internet im just not behind it anymore...

    so thats how i thought it worked
    NordVPN up -----> all computers are behind vpn
    NordVPN goes down -----> blocks the 1 computer... ---->runs last rule that allows rest of the computers to access the internet...

    thought thats how those rules worked i have set....

    as for the block of the tunnell here is the image but im sure i did it wrong.. but im trying and ill google the info you mentioned thanks so far0_1536417090501_openvpn5.JPG