Netgate Discussion Forum

OpenVPN server via stunnel @pfsense - routing not working

    jacotec
    Mar 28, 2019, 12:27 PM (last edited by jacotec Mar 28, 2019, 12:30 PM)

    Hi,

    Preparing a business trip to China (where I need to have a working VPN to my home), I've read that the most secure way that the VPN works is to tunnel the OVPN through stunnel, as even OVPN over port 443/TCP with TLS-crypt is described to be blocked by the GFW.

    I've set this up with the stunnel package in pfsense, I can establish the OVPN connection but finally I can't ping my internal hosts nor connect to the internet through the tunnel. Something is missing.

    I've set up an OVPN server, listening on port 443 TCP on an internal interface (10.0.0.5).

    Using a NAT rule to route port 8443 from the WAN to 10.0.0.5:443 via NAT works just fine. I can connect with the client and reach all internal hosts and the internet via my pfsense.

    I've configured stunnel to listen on the internal interface 10.0.0.2 port 8443, forwarding to 10.0.0.5 port 443 (my VPN server).

    I now change the NAT to route WAN port 8443 to 10.0.0.2:8443 (the stunnel server). When I connect the OVPN client via stunnel now, I can establish the OVPN connection from the client just fine. But I can't ping any internal host nor reach the internet.

    So, the working config:

    --> WAN port 8443 --> [pfS NAT] --> 10.0.0.5:443 [OVPN server]

    And this is what does not work:

    --> WAN port 8443 --> [pfS NAT] --> 10.0.0.2:8443 [stunnel] --> 10.0.0.5:443 [OVPN server]

    What did I miss?

      JKnott @jacotec
      Mar 28, 2019, 9:27 PM

      @jacotec said in OpenVPN server via stunnel @pfsense - routing not working:

      What did I miss?

      You might have some "fun" getting through the Great Firewall of China. Using an unauthorized VPN is illegal there. A friend of mine worked in China for a while and couldn't get a firewall to work.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...
