OpenVPN suddenly stopped working
-
I installed OpenVPN last week and had it running. Then "something" broke. Clearly the problem is the one behind the keyboard, but I've spent some time troubleshooting this and can't figure it out. Any help would be appreciated.
- OpenVPN is set up and (seemingly) configured OK, via the wizard
- From my Android phone, I can establish a VPN session and the UX indicates the session is good
- PFSense detects the incoming VPN request and the client shows up (according to the OpenVPN widget on the home page - disconnect from the client and it disappears, as expected)
- The OpenVPN client receives an IP address in the range I would expect
- Two rules exist as created by the OpenVPN wizard - on the WAN interface allowing UDP traffic to WAN addresses plus another one, on the OpenVPN interface, allowing all traffic.
So, all LOOKS like it's set up but I don't see any meaningful traffic reported to my LAN. I've tried hitting various hosts on the LAN (a Blue Iris server and other services) but pftop reports no traffic coming on for the IP address assigned. The only thing I see, for that IP address, is multicast traffic.
I can't see anything obvious in terms of rules that would block traffic, but assume pftop would show traffic even if blocked by a rule (is that correct?).
Obviously I missing something pretty simple here. Any suggestions?
Thank you.
-
No you wouldn't see it there if it was blocked. A packet capture on the OpenVPN interface would show it.
But if you have a pass all rule on the OpenVPN interface that should be passed and open firewall states. It sounds more like the client is not getting the correct routes to access the LAN subnet remotely. Or cannot apply those routes.
A common cause of that is when the client is in a subnet that conflicts with the LAN so the route cannot be added.Steve
-
Thank you for the response, Steve. I wasn't aware of the packet capture option on the OpenVPN interface, so thank you for the pointer.
I enabled capture on the OpenVPN interface, stopped and viewed the capture but nothing showing up. That's confusing to me, especially since the client session is being recognized, as I invoke the session, by the widget on the home page.
The OpenVpn client (Android) reports an assigned address of 192.168.99.2, as anticipated. My LAN is 192.168.1.0/24, so I don't believe there's a conflict there.
Is there some way I can validate the routes added to the client?
Thank you again.
-
I figured this out. Turns out the Local IP Networks field for the tunnel was empty. I have no idea how that happened (I was running just fine with OpenVPN) for a week or so). Anyway, setting that did the trick and I'm all set.
Thank you again.
-
ip route show table 0
will give you the current routes in Android. At least it does on my older device.Had you done that you would have found 192.168.1.0/24 via the openvpn server IP was missing. Adding it as a local network there is what causes the server to pass that route to the clients.
Glad you found it.Steve