OpenVPN between pfSense and Ubiquiti EdgeRouter X



  • Hi,

    I'm trying to connect a Ubiquiti EdgeRouter X to my pfSense. I want to use OpenVPN. Here is my configuration:

    pfSense:
    LAN: 192.168.10.1
    Local network: 192.168.10.0/24
    Tunnel: 10.10.10.0/24
    Remote: 192.168.20.0/24

    EdgeRouter config.ovpn:

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA512
    client
    resolv-retry infinite
    remote XXX.XXX.XXX.XXX 1194 udp
    lport 0
    verify-x509-name "C=XX, ST=XX, L=XXXXXXXX, O= XXXXXXXX, emailAddress=xxxxxx@xxxxxxxxxxx.xxx, CN=XXXXXX" subject
    remote-cert-tls server
    comp-lzo adaptive
    pkcs12 /config/openvpn/XXXXXXXXXXXXXXXXXX.p12
    

    The tunnel is online. I can ping the pfSense IP address from the Ubiquiti EdgeRouter network.

    What doesn't work is the way back. How can I connect from the pfSense network (192.168.10.0/24) to the EdgeRouter network (192.168.20.0/24)?

    I am grateful for any help!



  • Have you modified the default LAN "allow any" rule? If so, please include screen shots of the firewall configuration.

    If not, it's possible the issue is on the Ubiquiti side. You can confirm by performing a packet capture on the OVPN interface on pfSense and looking for outbound ICMP packets to your Ubiquiti network.

    Edit: you've entered a static route for this network on the pfSense side, correct?



  • No, I didn't change the LAN "allow any" rule.

    Here is the output from the packet capture:

    09:56:43.328526 IP 10.10.10.1 > 192.168.20.1: ICMP echo request, id 49185, seq 0, length 64
    09:56:44.395256 IP 10.10.10.1 > 192.168.20.1: ICMP echo request, id 49185, seq 1, length 64
    09:56:45.435837 IP 10.10.10.1 > 192.168.20.1: ICMP echo request, id 49185, seq 2, length 64
    

    I put this line in my pfSense VPN Server configuration:

    route 192.168.20.0 255.255.255.0;
    

    Any suggestions? Or is the problem on Ubiquiti side?

    Thank you



  • Issue is on the Ubiquiti side, and could be a missing route or a firewall rule / ACL missing.

    Ping from Ubiquiti -> pfSense works
    Ping from pfSense -> Ubiquiti does not show return traffic.

    Can you ping anything behind the Ubiquiti?
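    A small script to apply the check described in the posts above (echo requests leaving the pfSense OpenVPN interface with no matching echo reply coming back) to tcpdump-style output like the captures in this thread. This is an added example, not code from the thread; the sample capture reuses the thread's three request lines and adds a constructed answered flow so there is something to contrast with.

    ```python
    import re
    from collections import defaultdict

    # Constructed sample in the tcpdump format the thread shows. The first three
    # lines are the thread's unanswered echo requests; the last two lines are a
    # constructed request/reply pair so the script has an answered flow to contrast.
    SAMPLE_CAPTURE = """\
    09:56:43.328526 IP 10.10.10.1 > 192.168.20.1: ICMP echo request, id 49185, seq 0, length 64
    09:56:44.395256 IP 10.10.10.1 > 192.168.20.1: ICMP echo request, id 49185, seq 1, length 64
    09:56:45.435837 IP 10.10.10.1 > 192.168.20.1: ICMP echo request, id 49185, seq 2, length 64
    09:57:01.100000 IP 10.10.10.2 > 192.168.10.1: ICMP echo request, id 7, seq 0, length 64
    09:57:01.100400 IP 192.168.10.1 > 10.10.10.2: ICMP echo reply, id 7, seq 0, length 64
    """

    LINE_RE = re.compile(
        r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
        r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
    )

    def parse_icmp_lines(text):
        """Yield one dict per ICMP echo line; lines in another format are skipped."""
        for line in text.splitlines():
            m = LINE_RE.match(line.strip())
            if m:
                yield m.groupdict()

    def one_way_flows(text):
        """Return {(src, dst): [unanswered seqs]} for flows that got requests but no replies.

        A reply matches a request when its addresses are the reverse of the
        request's and the ICMP id and seq are the same.
        """
        requests = defaultdict(set)   # (src, dst, id) -> set of seq numbers
        replies = defaultdict(set)
        for p in parse_icmp_lines(text):
            if p["kind"] == "request":
                requests[(p["src"], p["dst"], p["id"])].add(int(p["seq"]))
            else:
                # Store under the request's direction so the lookup below is direct.
                replies[(p["dst"], p["src"], p["id"])].add(int(p["seq"]))
        missing = {}
        for key, seqs in requests.items():
            unanswered = sorted(seqs - replies.get(key, set()))
            if unanswered:
                src, dst, _ = key
                missing.setdefault((src, dst), []).extend(unanswered)
        return missing

    if __name__ == "__main__":
        for (src, dst), seqs in one_way_flows(SAMPLE_CAPTURE).items():
            print(f"no echo reply seen for {src} -> {dst} (seq {seqs})")
    ```

    Feed it the output of a capture on the pfSense OpenVPN interface filtered to ICMP; a flow listed with every seq unanswered is exactly the "no return traffic" symptom in this thread.
    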



  • No, I also cannot ping anything behind the Ubiquiti. It's the same here:

    10:56:42.316339 IP 10.10.10.1 > 192.168.20.38: ICMP echo request, id 33924, seq 0, length 64
    10:56:43.348849 IP 10.10.10.1 > 192.168.20.38: ICMP echo request, id 33924, seq 1, length 64
    10:56:44.366996 IP 10.10.10.1 > 192.168.20.38: ICMP echo request, id 33924, seq 2, length 64
    

    So you think it's the firewall of the Ubiquiti? Are you familiar with firewall rules on the EdgeRouter? I don't know which rule is needed.

    Thank you



  • @sam721 said in OpenVPN between pfSense and Ubiquiti EdgeRouter X:

    the Ubiquiti? Are you familiar with firewall rules on the EdgeRouter? I don't know which rule is needed.

    I'm not familiar with how to set firewall rules on a Ubiquiti EdgeRouter.

    The rule you're going to need, though, is to allow the pfSense LAN subnet to talk to the Ubiquiti subnet. I'd also ensure NAT is NOT enabled for either side, so you can see the subnet IPs. This isn't a need as much as it's a nice to have in case you ever need to figure out which specific client on one of those is misbehaving.
