OpenVPN behind main PfSense main GW/FW



  • Hi,

    I have to set up a VPN, which is a pfSense with OpenVPN listening on a non-standard UDP port (9194).
    Here is the architecture:

    [image: General_PB.png]

    This pfSense is behind the main gateway (also on pfSense) which forwards traffic (UDP port 9194) to the VPN, but only from my ISP#1 (WAN_1_FIBRE).

    [image: NAT.png]
    Note: NAT reflection for this rule is set to system defaults

    However, I can't connect to the VPN server.
    Actually the OpenVPN server gets the datagram (so port forwarding is OK) and replies to it, but the datagram is 'lost' in the main gateway.

    So, the VPN flow looks like:

    [image: OpenVPN_flow.png]
    Note: When I do a packet capture, the response datagram is captured on the IP_PrivA interface, but there is no corresponding flow on the IP_PubA1 interface

    But something else bothers me.
    If I initiate a netcat flow from OpenVPN to IP_pubC, the datagram passes through the main gateway:

    [image: Natcat_flow.png]
    Note: When I do a packet capture, the datagram is captured on the IP_PrivA interface, and the corresponding flow is also present on the IP_PubA1 interface

    I feel the problem is related to the NAT on the main gateway, but I'm not sure because of the successful netcat flow.

    The settings on the main GW are:

    • In System / Advanced / Firewall & NAT:
      [image: FW2.png]
      [image: NAT2.png]
    • In Firewall / Rules / PrivA_Interface:
      [image: FW.png]
      Note: the problem is the same if I force the ISP_#1 GW rather than the WAN_GWS group.
    • In Firewall / NAT / Outbound: Automatic mode

    Help would be appreciated, insanity is not far from me.
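    One way to make the capture comparison described above systematic, as an added example that is not part of the original post: a script that reads tcpdump summary lines from the IP_PrivA and IP_PubA1 captures and reports datagrams the VPN box sent that never appeared on the WAN side after outbound NAT. The addresses, the tcpdump line format and the sample lines are constructed assumptions, not data from the thread.

```python
import re

# Constructed sample tcpdump lines (placeholder addresses, not from the thread):
# 203.0.113.10 = VPN client, 198.51.100.5 = IP_PubA1 (main GW, WAN_1_FIBRE side),
# 10.0.0.5 = the OpenVPN box on the IP_PrivA side, 192.0.2.7 = IP_pubC.
# Port 9194 is the non-standard OpenVPN port from the post.
PRIVA_CAPTURE = """\
12:00:00.000001 IP 203.0.113.10.51000 > 10.0.0.5.9194: UDP, length 14
12:00:00.000500 IP 10.0.0.5.9194 > 203.0.113.10.51000: UDP, length 26
12:00:01.000000 IP 10.0.0.5.43000 > 192.0.2.7.5555: UDP, length 5
"""
PUBA1_CAPTURE = """\
12:00:00.000000 IP 203.0.113.10.51000 > 198.51.100.5.9194: UDP, length 14
12:00:01.000100 IP 198.51.100.5.43000 > 192.0.2.7.5555: UDP, length 5
"""

# Matches the IPv4/UDP summary line tcpdump prints without -v.
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)")


def parse_udp(capture):
    """Return (src, sport, dst, dport, length) tuples for each UDP line."""
    flows = []
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, sport, dst, dport, length = m.groups()
            flows.append((src, int(sport), dst, int(dport), int(length)))
    return flows


def find_missing_egress(inner, outer, vpn_priv_ip, gw_pub_ip):
    """Datagrams sent by the VPN box on the inner interface that never show up
    on the outer interface after the expected source NAT to gw_pub_ip."""
    outer_tuples = {(s, sp, d, dp) for s, sp, d, dp, _ in outer}
    missing = []
    for src, sport, dst, dport, _ in inner:
        if src != vpn_priv_ip:
            continue  # only traffic leaving the VPN box matters here
        if (gw_pub_ip, sport, dst, dport) not in outer_tuples:
            missing.append((src, sport, dst, dport))
    return missing


if __name__ == "__main__":
    inner = parse_udp(PRIVA_CAPTURE)
    outer = parse_udp(PUBA1_CAPTURE)
    for flow in find_missing_egress(inner, outer, "10.0.0.5", "198.51.100.5"):
        print("seen on IP_PrivA but not on IP_PubA1:", flow)
```

With the sample lines, the OpenVPN reply on port 9194 is reported as missing while the netcat datagram to IP_pubC is found on both interfaces, which mirrors the two captures in the post.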



  • I have a problem like this too.
    An OpenVPN between 2 pfSense; I can ping in both directions, but when I do a NAT from WAN to the tunnel, the traffic doesn't reach the destination.
    NAT
    WAN --> endpoint A local machine on the other end of the tunnel, pingable.
    If I do an open port test it connects to the endpoint and shows an open port, but from the outside it's not working.



  • Are the VPN endpoints the default gateways in their LANs?

    Have you assigned an interface to the OpenVPN instance on both sites?