NAT Hairpinning for OpenVPN Server
-
I'm running a OpenVPN Server on the pfsense router. I can connect to it just fine from the Internet, but not from inside my network. I understand that NAT Hairpinning is probably the problem. Has anybody got this working? Any instructions on how to achieve it?
-
Why would you want to do that?
If you connect from the same network that is the Local network in OpenVPN that won't work.
-
The OpenVPN network and the network of the VPN client are different networks.
I have my phone set to require to send all traffic over VPN. But on WiFi the connection fails to connect and thus no data is transferred. This also allows you to connect to an Open WiFi network, with VPN for encryption.
-
OK. Where does NAT come into play? Are you port forwarding your OpenVPN connections into WAN to somewhere else?
-
So on your on your local wifi network - and you want to vpn to your pfsense public IP vpn server, to talk to your local network?? Huh??
-
Sounds like he wants to connect and talk to the internet, but be protected while on his inside unsecured wifi.
Seems that should "just work" but I have never tried it. If the same hostname is used to connect to as is the name of the firewall there are probably hosts file entries pointing that name to an inside address. That won't work.
-
VPN endpoint DNS entry is a public DNS name, pointing to the WAN IP of the router.
My traffic flow is:
WiFi VLAN -> WAN IP -> OpenVPN on PFSense
Near as I can tell all my firewall rules should allow this. I figure it's being blocked by NAT Hairpinning, as it's a common issue when you have a flow like this:
WiFi VLAN -> WAN IP -> LAN IP VPN Server
-
You can for sure connect to your public IP from your lan side - that is not a hairpin your just coming from the lan side.. Are you forwarding traffic that hits your public IP on your vpn port to loopback or something?
Are you saying its not connecting? What are you rules on the interface your wifi connection?
-
If you don't think it's a hairpinning issue, I'll check my firewall rules again.
Is there any way to watch the packet hit pfsense, and see where it's trying to route it?
-
Look at the created states. Probably filtering on the OpenVPN port is a good place to start.
-
You having a problem resolving the dynamic dns your pointing to your public IP? What are the firewall rules on interface wifi is connected to?
My question is more to what is the point of doing this in the first place - is your own local wifi a hostile network? Who else is on this wifi network?
-
I went through my firewall rules, and everything looked good. Dug into the VPN logs, and I can see the client trying to connect. I figured it was erroring out from routing issues with NAT Hairpinning. Figured out that it's trying to use IPv6. I disabled all IPv6 related options, and now it connects fine.
Now the VPN connects from my phone, regardless of what network I'm connected to. Doesn't matter if it's LTE or WiFi, it seemlessly transitions between both. So now I don't have to constantly toggle the VPN on and off whenever I leave my house.
Any vulnerabilities in WPA2 are now mitigated via the VPN:
https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
-
That should of been addressed by your client and your AP as well. For example unifi release firmware back in oct 2017 to address 3.9.3 anything above should be fine.
But sure being able to leave the vpn on makes it simple.
