Netgate Discussion Forum
    OpenVPN client connected, no internet or LAN access

    14 Posts 2 Posters 8.8k Views
    dean2028

      I went through many threads about this topic, however I'm not able to narrow down this issue.

      I set up an OpenVPN server on pfSense to allow mobile devices connected to unsafe hotspots to communicate in a safe way through my home network. So the goal is to force all traffic into the tunnel when connected to the VPN. I would like to access resources on the LAN and also access the internet, without allowing any data leakage outside the tunnel (e.g. no direct internet connection from the mobile device through the mobile provider network or wifi).

      Symptom:

      1. OpenVPN Connect client (iPhone) is connected to the VPN server fine (from the mobile network, no wifi enabled).
      2. There's no access to any local LAN resource, nor am I able to open anything in the Safari browser from the internet or the LAN.

      Additional info:
      LAN network: 192.168.1.0/24
      VPN tunnel network: 10.1.1.0/24

      VPN server config:

      Server mode: Remote Access (SSL/TLS + User Auth)
      Backend for auth: Local Database
      Protocol: UDP on IPv4 only
      Device mode: tun - Layer 3 Tunnel Mode
      Interface: WAN
      Local port: 1194
      TLS Configuration: Use TLS Key ticked
      Automatically generate a TLS Key: Ticked
      Peer Certificate Authority: the CA name that I have on pfSense
      Server certificate - Server certificate created for VPN Server
      DH Parameter Length - 2048 bit
      ECDH Curve: Use Default
      Encryption Algorithm: AES-256-CBC (256 bit key, 128 bit block)
      Enable NCP: Ticked
      NCP Algorithms - Allowed NCP Encryption Algorithms: AES-256-GCM, AES-192-GCM, AES-128-GCM
      Auth digest algorithm: SHA512 (512-bit)
      Hardware Crypto: Intel RDRAND engine - RAND
      Certificate Depth: One (Client+Server)
      Strict User-CN Matching: Ticked (Enforce match)
      IPv4 Tunnel Network - 10.1.1.0/24
      Redirect IPv4 Gateway : Ticked (Force all client-generated IPv4 traffic through the tunnel.)
      Redirect IPv6 Gateway: Unticked
      IPv6 Local network(s): blank
      Concurrent connections - 5
      Compression - Adaptive LZO Compression [Legacy style, comp-lzo adaptive]
      Push Compression: Unticked
      Type-of-Service: Unticked
      Inter-client communication: Ticked
      Duplicate Connection: Unticked
      Dynamic IP: Ticked
      Topology: Subnet - One IP address per client in common subnet
      DNS Default Domain: Ticked
      DNS Default Domain: lan (this is what I use on pfSense)
      DNS Server enable: Ticked
      DNS Server 1: 192.168.1.14 (pfSense, I use pfSense as DNS server with pfBlockerNg)
      Block Outside DNS: Ticked
      Force DNS cache update: Ticked
      NTP Server enable: Unticked
      NetBIOS enable: Unticked
      Custom options: keepalive 5 300;reneg-sec 36000;push "redirect-gateway def1"
      UDP Fast I/O: Unticked
      Send/Receive Buffer: Default
      Gateway creation: IPv4 only
      

      I would appreciate any idea here. Thanks a lot.

      dean2028

        This is the content of my server2.conf (there's no server1, it was deleted earlier, I have only one VPN server instance):

        dev ovpns2
        verb 1
        dev-type tun
        dev-node /dev/tun2
        writepid /var/run/openvpn_server2.pid
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        proto udp4
        cipher AES-256-CBC
        auth SHA512
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        client-connect /usr/local/sbin/openvpn.attributes.sh
        client-disconnect /usr/local/sbin/openvpn.attributes.sh
        local *<MY WAN IP ADDRESS>*
        engine rdrand
        tls-server
        server 10.1.1.0 255.255.255.0
        client-config-dir /var/etc/openvpn-csc/server2
        username-as-common-name
        plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYWxkNFP2WXIgc1D= true server2 1194
        tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn-server' 1"
        lport 1194
        management /var/etc/openvpn/server2.sock unix
        max-clients 5
        push "dhcp-option DOMAIN lan"
        push "dhcp-option DNS 192.168.1.14"
        push "block-outside-dns"
        push "register-dns"
        push "redirect-gateway def1"
        client-to-client
        duplicate-cn
        ca /var/etc/openvpn/server2.ca
        cert /var/etc/openvpn/server2.cert
        key /var/etc/openvpn/server2.key
        dh /etc/dh-parameters.2048
        tls-auth /var/etc/openvpn/server2.tls-auth 0
        ncp-ciphers AES-128-GCM:AES-256-GCM:AES-192-GCM
        comp-lzo adaptive
        persist-remote-ip
        float
        topology subnet
        keepalive 5 300
        reneg-sec 36000
        push "redirect-gateway def1"
        
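As an added example (not from the thread, pfSense or OpenVPN), a small Python check that parses the server config format posted above and reports the settings this thread keeps coming back to: whether a default route and a DNS server are pushed to clients, the tunnel network, and directives that the pfSense "Custom options" box repeats from the generated part. The sample config is constructed from the relevant lines of the posted server2.conf.

```python
from collections import Counter

# Constructed sample: the relevant lines of the server2.conf posted above.
SAMPLE_CONF = """\
dev ovpns2
dev-type tun
proto udp4
server 10.1.1.0 255.255.255.0
keepalive 10 60
push "dhcp-option DOMAIN lan"
push "dhcp-option DNS 192.168.1.14"
push "block-outside-dns"
push "redirect-gateway def1"
client-to-client
topology subnet
# lines below come from the pfSense 'Custom options' box
keepalive 5 300
reneg-sec 36000
push "redirect-gateway def1"
"""


def parse_openvpn_conf(text):
    """Return (directive, argument) pairs; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, args = line.partition(" ")
        entries.append((name, args.strip().strip('"')))
    return entries


def lint_server_conf(text):
    """Report the settings the thread checks for a client that connects but passes no traffic."""
    entries = parse_openvpn_conf(text)
    pushed = [args for name, args in entries if name == "push"]
    plain = Counter(name for name, _ in entries if name != "push")
    return {
        # Clients only send all traffic into the tunnel if this is pushed.
        "redirect_gateway": any(p.startswith("redirect-gateway") for p in pushed),
        # Without a pushed DNS server the client has no resolver inside the tunnel.
        "dns_servers": [p.split()[-1] for p in pushed if p.startswith("dhcp-option DNS ")],
        "tunnel_network": next((a for n, a in entries if n == "server"), None),
        # Custom options that repeat generated directives or pushes.
        "duplicate_directives": sorted(n for n, c in plain.items() if c > 1),
        "duplicate_pushes": sorted(p for p, c in Counter(pushed).items() if c > 1),
    }
```

On the posted config this reports that both the default route and the DNS server 192.168.1.14 are already pushed, which is why the thread moves on to the OpenVPN firewall rule, outbound NAT, the LAN host's own firewall and the state of the DNS resolver service.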
        viragomann

          Have you added a firewall rule to the OpenVPN tab to allow traffic?

          For Internet access, you need an outbound NAT rule for the VPN tunnel network in addition.

          dean2028 @viragomann

            @viragomann Yes, the FW rule is in place and I've also tried duplicating the Outbound NAT rules and changing the interface from WAN to OpenVPN.

            [screenshot]

            Outbound NAT rules:

            [screenshot]

            dean2028 @dean2028

              @dean2028 said in OpenVPN client connected, no internet or LAN access:

              ... and I've tried also with duplicating the Outbound NAT rules and changing the interface from WAN to OpenVPN.

              but to be honest, I don't really know what I'm doing here with these, therefore I'm not sure if this makes sense at all as it is now. If I leave it on Automatic, it doesn't work either.

              viragomann

                All you need in the outbound NAT is this rule:
                [screenshot]
                It seems to be added by pfSense automatically already.

                Try to access the pfSense WebGUI. Try the OpenVPN server IP which is 10.1.1, also try the LAN IP.

                dean2028 @viragomann

                  @viragomann Thanks for confirming the NAT rules.

                  Try to access the pfSense WebGUI. Try the OpenVPN server IP which is 10.1.1, also try the LAN IP.

                  I can reach the pfSense UI login page with both, the LAN IP 192.168.1.14 and the OpenVPN server IP 10.1.1.1.

                  viragomann

                    So at least the route to the LAN network works.

                    Ensure that your LAN device does not block the access. If it's running a firewall it probably blocks access from other networks, since you haven't explicitly allowed it.

                    You may use the ping tool from the pfSense Diagnostics menu for investigating. You may try a ping with source address LAN and e.g. OpenVPN to see if it responds.

                    dean2028 @viragomann

                      Ensure that your LAN device does not block the access. If it's running a firewall it probably blocks access from other networks, since you haven't explicitly allowed it.

                      @viragomann Shame on me... That was it. Thanks for the heads up. I believe the LAN access part is solved then. However, internet access still doesn't seem to work, or at least I'm not able to open anything from the internet in Safari on the phone. I checked the pfSense ping tool to ping a host like google with OpenVPN selected, and it seems the IP resolved and ping works.

                      viragomann @dean2028

                        @dean2028 said in OpenVPN client connected, no internet or LAN access:

                        and it seems the IP resolved

                        That may be the cue here.
                        Have you stated a DNS server in the OpenVPN settings?

                        dean2028 @viragomann

                          @viragomann Yes, and I just checked with a tool on the phone that port 53 is open on the pfSense LAN IP. However, when I try a DNS lookup for an internet host on the phone, I get no response while connected to the VPN.

                          dean2028 @dean2028

                            That's quite weird. I went to the DNS Resolver settings and changed Network Interfaces from LAN and Localhost to All. I reconnected the phone to the VPN and it still did not work. I changed Network Interfaces back to LAN and Localhost and applied the settings, then the service crashed. I started the DNS Resolver from the UI and it works now. Maybe it has something to do with Unbound and pfBlockerNG?

                            viragomann @dean2028

                              It's not about being able to access the DNS port. You have to enter a DNS server in the proper box to push it to the client, otherwise the client won't have any DNS config.
                              If you're running the DNS Resolver or Forwarder on pfSense, this may be the IP of pfSense itself.

                              dean2028 @viragomann

                                @viragomann I understand, but this was set since the beginning as I wrote in my first post about the config:

                                DNS Server 1: 192.168.1.14 (pfSense, I use pfSense as DNS server with pfBlockerNg)

                                but I also tried adding it to the config manually with this line before, and it actually did not change anything:

                                push "dhcp-option DNS 192.168.1.14"
                                

                                What was interesting: I also saw connections earlier from the phone to the pfSense IP on port 53, based on the states
                                (Firewall > Rules > OpenVPN, then clicked the traffic data in the States column),

                                but something was not right, as the DNS server actually did not respond to the queries from the phone. At the moment the only idea I have is that the DNS server service was not in a good condition.

                                Anyway, thanks a lot for your help, I really appreciate your prompt feedback!

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.