Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    TAP, can't access OpenVPN Server external IP address

    OpenVPN
    1
    1
    241
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      Turek last edited by Turek

      Hi!
      I have a very simple bridge situation:
      OpenVPN Server, pfsense,
      tap
      External IP (for example): 1.1.1.1
      OpenVPN server port: 1111

      OpenVPN Client, pfsense,
      tap.

      I have good connectivity between any clients behind both servers in both directions.

      But I can't access 1.1.1.1 from OpenVPN Client side.
      There is nothing wrong with OpenVPN config itself.

      Let's say I have completely independent server 2.2.2.2. If I'm doing port forwarding (with NAT) from 2.2.2.2:1111 to 1.1.1.1:1111, and changing OpenVPN server address to 2.2.2.2 (So now I'm connecting to 1.1.1.1 via 2.2.2.2), I'm suddenly having a connection to 1.1.1.1 services! While loosing the ability to connect to 2.2.2.2.

      So the problem is exactly with OpenVPN client in TAP mode, which filters direct connections to openvpn server ip address.
      Packet sniffing shows data goes through connection at the client side, but nothing arrives at server side. It seems like the problem lays on the client side.

      What am I'm missing there?

      P.S. The client config is here, but I don't see anything suspicious:

      dev ovpnc3
verb 1
dev-type tap
dev-node /dev/tap3
writepid /var/run/openvpn_client3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.1.253
engine cryptodev
tls-client
client
lport 0
management /var/etc/openvpn/client3.sock unix
remote 1.1.1.1 1111 (fictional ip)
ca /var/etc/openvpn/client3.ca 
cert /var/etc/openvpn/client3.cert 
key /var/etc/openvpn/client3.key 
tls-crypt /var/etc/openvpn/client3.tls-crypt 
ncp-ciphers AES-128-GCM
comp-lzo no
resolv-retry infinite
fast-io
mssfix 1400

fragment 1400

sndbuf 393216

rcvbuf 393216

mlock

fast-io

      P.S. To clarify things:

      pfsense1.png

      When I use port forwarding proxy, there's nothing wrong with 1.1.1.1

      pfsense2.png

      UPD:
      Just confirmed the very same behavior with freshly installed OPNSense, which suggests the reason to be quite deep inside.

      UPD2: Okay, I found the workaround, but it's obviously very messy:
      I've created a port forwarding proxy at the client side. So now, pfSense OpenVPN client connects to local proxy (which is actually behind this pfSense firewall), and the proxy forwards traffic to the actual Server ip address.

      1 Reply Last reply Reply Quote 0
      • First post
        Last post

      Products

      • Platform Overview
      • TNSR
      • pfSense
      • Appliances

      Services

      • Training
      • Professional Services

      Support

      • Subscription Plans
      • Contact Support
      • Product Lifecycle
      • Documentation

      News

      • Media Coverage
      • Press
      • Events

      Resources

      • Blog
      • FAQ
      • Find a Partner
      • Resource Library
      • Security Information

      Company

      • About Us
      • Careers
      • Partners
      • Contact Us
      • Legal
      Our Mission

      We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

      Subscribe to our Newsletter

      Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

      © 2021 Rubicon Communications, LLC | Privacy Policy