VPN not working after ISP Switch

SilverJS · Oct 22, 2018, 6:47 PM

Hey all,

Switched to a different ISP but my VPN doesn't work anymore since I did. ISP is technically the same, seeing as the new one just buys wholesale access to my previous ISP's network.

Anyway - after plugging in the new modem and letting it do its thing, I got an e-mail from my pfSense box saying that the DynDNS IP address had been updated to reflect my new public IP. So far so good - but now, I just get the spinning wheel when trying to connect on my phone, and eventually an error dialog in the app (OpenVPN). If I pull down the notification shade while it's trying to connect, the notification says "Waiting for server". I even tried re-uploading the OpenVPN Config file (profile) but, as I suspected, no dice there (had the exact same name too).

I called the new ISP's tech support to see if there was any kind of filtering going on, but was told no. (I disabled the modem's internal WiFi and DHCP servers as well, BTW.)

This setup has been treating me basically flawlessly for the last 3 years, and I did move once in those three years so had to go through this process, and I seem to recall the change was pretty seamless. Not this time, I guess.

Any ideas? Let me know how I can help you help me, if you need anything.

Much appreciated!

johnpoz · Oct 22, 2018, 6:50 PM

Is your new ISP device doing nat? Your pfsense got a public IP on its wan?

Does your dyndns and this IP match up? Sniff on pfsense wan - does it see the inbound traffic to your openvpn port? What does the openvpn log say? If the traffic never gets to pfsense then not possible for pfsense or openvpn to do anything with it.

SilverJS · Oct 22, 2018, 7:08 PM

@johnpoz said in VPN not working after ISP Switch:

Is your new ISP device doing nat? Your pfsense got a public IP on its wan? Does your dyndns and this IP match up?

A-HA! No it does not! =) The WAN address on the pfSense box is the typical 192.168.x.x (.0.10 in this case), where as my public IP starts with 209. Either way, vastly different.

So - I guess I can't remember how it was previously, but I assume that the public IP, and the pfSense WAN address, have to match up, right? (That would make sense to me, but that doesn't always mean much!) If that's the case, I just have to find a way to configure the new ISP's modem to be totally passthrough then.

Looking forward to your answer - and, terribly appreciate the thoroughness and promptness of your previous one, thank you!

johnpoz · Oct 22, 2018, 7:10 PM

So your ISP device is NATTING your public IP to pfsense wan IP then this 192.168.. You need to make sure you forward on your isp device to pfsense WAN IP the ports your using for your vpn.

SilverJS · Oct 22, 2018, 7:29 PM

By poking around in the ISP modem/router's settings, I found one that allowed me to do Mac address passthrough - I copy-pasted my pfSense WAN interface's Mac, and Poof, all was well!

I suppose I could have done a port forward for the specific port only, but given that my traffic only goes direct to the pfSense box (which acts as my firewall), I think this is acceptable - thoughts?