OpenVPN client connected, no internet or LAN access



  • I went through many threads about this topic, however I'm not able to narrow down this issue.

    I set up an OpenVPN server on pfSense to allow mobile devices connected to unsafe hotspots to communicate in a safe way through my home network. So the goal is to force all traffic into the tunnel when connected to the VPN. I would like to access resources on the LAN and also access the internet, without allowing any data leakage outside the tunnel (e.g. no direct internet connection from the mobile device through the mobile provider network or wifi).

    Symptom:

    1. OpenVPN Connect client (iPhone) is connected to the VPN server fine (from the mobile network, no wifi enabled).
    2. There's no access to any local LAN resource, nor am I able to open anything in the Safari browser from the internet or LAN.

    Additional info:
    LAN network: 192.168.1.0/24
    VPN tunnel network: 10.1.1.0/24

    VPN server config:

    Server mode: Remote Access (SSL/TLS + User Auth)
    Backend for auth: Local Database
    Protocol: UDP on IPv4 only
    Device mode: tun - Layer 3 Tunnel Mode
    Interface: WAN
    Local port: 1194
    TLS Configuration: Use TLS Key ticked
    Automatically generate a TLS Key: Ticked
    Peer Certificate Authority: CA name what I have on pfSense
    Server certificate - Server certificate created for VPN Server
    DH Parameter Length - 2048 bit
    ECDH Curve: Use Default
    Encryption Algorithm: AES-256-CBC (256 bit key, 128 bit block)
    Enable NCP: Ticked
    NCP Algorithms - Allowed NCP Encryption Algorithms: AES-256-GCM, AES-192-GCM, AES-128-GCM
    Auth digest algorithm: SHA512 (512-bit)
    Hardware Crypto: Intel RDRAND engine - RAND
    Certificate Depth: One (Client+Server)
    Strict User-CN Matching: Ticked (Enforce match)
    IPv4 Tunnel Network - 10.1.1.0/24
    Redirect IPv4 Gateway : Ticked (Force all client-generated IPv4 traffic through the tunnel.)
    Redirect IPv6 Gateway: Unticked
    IPv6 Local network(s): blank
    Concurrent connections - 5
    Compression - Adaptive LZO Compression [Legacy style, comp-lzo adaptive]
    Push Compression: Unticked
    Type-of-Service: Unticked
    Inter-client communication: Ticked
    Duplicate Connection: Unticked
    Dynamic IP: Ticked
    Topology: Subnet - One IP address per client in common subnet
    DNS Default Domain: Ticked
    DNS Default Domain: lan (this is what I use on pfSense)
    DNS Server enable: Ticked
    DNS Server 1: 192.168.1.14 (pfSense, I use pfSense as DNS server with pfBlockerNg)
    Block Outside DNS: Ticked
    Force DNS cache update: Ticked
    NTP Server enable: Unticked
    NetBIOS enable: Unticked
    Custom options: keepalive 5 300;reneg-sec 36000;push "redirect-gateway def1"
    UDP Fast I/O: Unticked
    Send/Receive Buffer: Default
    Gateway creation: IPv4 only
    

    I would appreciate any idea here. Thanks a lot.



  • This is the content of my server2.conf (there's no server1, it was deleted earlier, I have only one VPN server instance):

    dev ovpns2
    verb 1
    dev-type tun
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-CBC
    auth SHA512
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local *<MY WAN IP ADDRESS>*
    engine rdrand
    tls-server
    server 10.1.1.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server2
    username-as-common-name
    plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYWxkNFP2WXIgc1D= true server2 1194
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn-server' 1"
    lport 1194
    management /var/etc/openvpn/server2.sock unix
    max-clients 5
    push "dhcp-option DOMAIN lan"
    push "dhcp-option DNS 192.168.1.14"
    push "block-outside-dns"
    push "register-dns"
    push "redirect-gateway def1"
    client-to-client
    duplicate-cn
    ca /var/etc/openvpn/server2.ca
    cert /var/etc/openvpn/server2.cert
    key /var/etc/openvpn/server2.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server2.tls-auth 0
    ncp-ciphers AES-128-GCM:AES-256-GCM:AES-192-GCM
    comp-lzo adaptive
    persist-remote-ip
    float
    topology subnet
    keepalive 5 300
    reneg-sec 36000
    push "redirect-gateway def1"
    
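The server2.conf above contains a few things worth noticing before looking at firewall and NAT: `keepalive` and `push "redirect-gateway def1"` each appear twice (the GUI fields and the "Custom options" box both set them), `comp-lzo adaptive` enables legacy compression, `duplicate-cn` is present, and the `user`/`group` privilege drop is commented out. The following linter, an added example that is not pfSense or OpenVPN code, checks a config for exactly those points plus the one this thread turns on: a pushed redirect-gateway without a pushed DNS server. The embedded `SERVER2_CONF` is a trimmed copy of the directives posted above (paths, plugin and tls-verify lines left out); the rule set and its wording are this example's own.

```python
"""Lint an OpenVPN server.conf for the issues that surface in this thread.

Added example, not pfSense or OpenVPN code. The rules are hand-written and
deliberately limited to: duplicated single-valued directives, a
redirect-gateway push without a DNS push, legacy compression, duplicate-cn,
and a commented-out privilege drop.
"""
import shlex
from collections import Counter

# Trimmed copy of the directives from the posted server2.conf. Paths, the
# plugin and tls-verify lines are left out because the linter ignores them.
SERVER2_CONF = """\
dev ovpns2
dev-type tun
#user nobody
#group nobody
script-security 3
keepalive 10 60
proto udp4
cipher AES-256-CBC
auth SHA512
tls-server
server 10.1.1.0 255.255.255.0
username-as-common-name
max-clients 5
push "dhcp-option DOMAIN lan"
push "dhcp-option DNS 192.168.1.14"
push "block-outside-dns"
push "register-dns"
push "redirect-gateway def1"
client-to-client
duplicate-cn
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-192-GCM
comp-lzo adaptive
persist-remote-ip
float
topology subnet
keepalive 5 300
reneg-sec 36000
push "redirect-gateway def1"
"""

# Directives OpenVPN reads as single-valued: the last occurrence wins.
SINGLE_VALUED = {"dev", "dev-type", "proto", "cipher", "auth", "server",
                 "keepalive", "reneg-sec", "max-clients", "topology"}


def parse(text):
    """Split config text into (active, commented) lists of (directive, args)."""
    active, commented = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        target = active
        if line[0] in "#;":
            line = line.lstrip("#;").strip()
            target = commented
        parts = shlex.split(line)
        if parts:
            target.append((parts[0], parts[1:]))
    return active, commented


def lint(text):
    """Return a list of human-readable findings, empty if nothing was flagged."""
    active, commented = parse(text)
    findings = []

    counts = Counter(d for d, _ in active)
    for d in sorted(counts):
        if d in SINGLE_VALUED and counts[d] > 1:
            findings.append(f"duplicate '{d}' ({counts[d]}x): only the last one takes effect")

    # push "..." carries a nested directive; split it again to inspect it.
    pushed = [shlex.split(a[0]) for d, a in active if d == "push" and a]
    for joined, n in sorted(Counter(" ".join(p) for p in pushed).items()):
        if n > 1:
            findings.append(f'push "{joined}" repeated {n}x: sent to the client twice')

    redirect = any(p[0] == "redirect-gateway" for p in pushed)
    dns = [p[2] for p in pushed if len(p) >= 3 and p[:2] == ["dhcp-option", "DNS"]]
    if redirect and not dns:
        findings.append("redirect-gateway pushed without 'dhcp-option DNS': clients lose name resolution")

    for d, a in active:
        if (d == "comp-lzo" and a != ["no"]) or (d == "compress" and a and a[0] in ("lzo", "lz4", "lz4-v2")):
            findings.append(f"compression enabled ('{d} {' '.join(a)}'): OpenVPN advises against it (VORACLE)")
            break

    if counts["duplicate-cn"]:
        findings.append("duplicate-cn: one client certificate may hold several sessions at once")

    commented_names = {d for d, _ in commented}
    for priv in ("user", "group"):
        if priv in commented_names and not counts[priv]:
            findings.append(f"'{priv}' is commented out: the daemon keeps its start-up privileges")

    return findings


if __name__ == "__main__":
    for finding in lint(SERVER2_CONF):
        print(finding)
```

Run against the posted config it reports six findings; the DNS check stays quiet because `dhcp-option DNS 192.168.1.14` is pushed, which matches what the thread later confirms: the push was there, the resolver behind it was not answering.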


  • Have you added a firewall rule to the OpenVPN tab to allow traffic?

    For Internet access, you need an outbound NAT rule for the VPN tunnel network in addition.



  • @viragomann Yes, the FW rule is in place and I've also tried duplicating the Outbound NAT rules and changing the interface from WAN to OpenVPN.

    (screenshot omitted)

    Outbound NAT rules:

    (screenshot omitted)



  • @dean2028 said in OpenVPN client connected, no internet or LAN access:

    ... and I've tried also with duplicating the Outbound NAT rules and changing the interface from WAN to OpenVPN.

    But to be honest, I don't really know what I'm doing with these, so I'm not sure whether this makes sense at all as it is now. If I leave it on Automatic, it doesn't work either.



  • All you need in the outbound NAT is this rule:
    (screenshot omitted)
    It seems to be added by pfSense automatically already.

    Try to access the pfSense WebGUI. Try the OpenVPN server IP which is 10.1.1, also try the LAN IP.



  • @viragomann Thanks for confirming the NAT rules.

    Try to access the pfSense WebGUI. Try the OpenVPN server IP which is 10.1.1, also try the LAN IP.

    I can reach the pfSense UI login page with both the LAN IP 192.168.1.14 and the OpenVPN server IP 10.1.1.1.



  • So at least the route to the LAN network works.

    Ensure that your LAN device does not block access. If it's running a firewall, it probably blocks access from other networks, since you haven't explicitly allowed it.

    You may use the ping tool from the pfSense Diagnostics menu for investigating. You may try a ping with source address LAN and e.g. OpenVPN to see if it responds.



  • Ensure that your LAN device does not block access. If it's running a firewall, it probably blocks access from other networks, since you haven't explicitly allowed it.

    @viragomann Shame on me... That was it. Thanks for the heads up. I believe the LAN access part is solved then. However, internet access still doesn't seem to work, or at least I'm not able to open anything from the internet in Safari from the phone. I checked the pfSense ping tool, pinging a host like google with OpenVPN selected, and it seems the IP resolved and ping works.



  • @dean2028 said in OpenVPN client connected, no internet or LAN access:

    and it seems the IP resolved

    That may be the cue here.
    Have you stated a DNS server in the OpenVPN settings?



  • @viragomann Yes, and I've just checked with a tool on the phone that port 53 is open on the pfSense LAN IP. However, when I try a DNS lookup for an internet host on the phone, I get no response while connected to the VPN.
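A "port 53 is open" result from a phone app means little for UDP: the check usually only shows that no ICMP port-unreachable came back. What the thread actually needs to know is whether a real query gets an answer, a REFUSED, or nothing at all. The probe below is an added example, not pfSense, Unbound or OpenVPN code. `build_query` and `parse_response` implement just enough of RFC 1035 for an A lookup, `probe` runs the live check from a connected client, and `make_response` builds constructed replies so the classifier can be exercised offline; the server address 192.168.1.14 is the one pushed in this thread and `www.example.com` is an arbitrary name.

```python
"""Probe a pushed DNS server over UDP and classify what comes back.

Added example, not pfSense, Unbound or OpenVPN code. Covers only what an
A lookup needs; no EDNS, no TCP fallback.
"""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qid):
    """Standard A query with RD set (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(data, pos):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length


def parse_response(data, expected_id):
    """Return (rcode name, list of A-record IPs); raise ValueError on junk."""
    if len(data) < 12:
        raise ValueError("short packet")
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    pos = 12
    for _ in range(qd):                 # question section: name + type + class
        pos = _skip_name(data, pos) + 4
    ips = []
    for _ in range(an):                 # answer section: name, type, class, ttl, rdlen, rdata
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in data[pos:pos + 4]))
        pos += rdlen
    return rcode, ips


def classify(data, qid):
    """'answer', 'empty' (NOERROR without A records), 'refused' or 'rcode:<name>'."""
    rcode, ips = parse_response(data, qid)
    if rcode == "NOERROR":
        return "answer" if ips else "empty"
    return "refused" if rcode == "REFUSED" else "rcode:" + rcode


def make_response(query, rcode, ips=()):
    """Constructed reply to `query` (offline fixture): echoes the question, appends A records."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(ips), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
        for ip in ips)
    return header + query[12:] + answers


def probe(server, name="www.example.com", timeout=3.0):
    """Live check: classify() result, 'no-response' (sent, nothing came back)
    or 'port-unreachable' (ICMP unreachable: nothing listening on 53)."""
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))          # connected socket so ICMP errors are reported
        try:
            s.send(build_query(name, qid))
            data = s.recv(4096)
        except socket.timeout:
            return "no-response"
        except ConnectionRefusedError:
            return "port-unreachable"
    return classify(data, qid)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "192.168.1.14"))
```

Run from a client inside the tunnel, the three outcomes map onto different causes: `refused` is a resolver that hears the query but rejects the source (for Unbound, an `access-control` entry of `refuse`, which is its default for anything but localhost), `no-response` fits a resolver that drops silently (`access-control ... deny`) or a service that is hung, and `port-unreachable` usually means nothing is listening on the address the client was given.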



  • That's quite weird. I went to the DNS Resolver settings and changed Network interfaces from LAN and Localhost to All. I reconnected the phone to the VPN and it still did not work. I changed Network interfaces back to LAN and Localhost and applied the settings, then the service crashed. I started the DNS Resolver from the UI and it works now. Maybe it has something to do with Unbound and pfBlockerNG?



  • It's not about the ability to access the DNS port. You have to enter a DNS server in the proper box to push it to the client, otherwise the client won't have any DNS config.
    If you're running the DNS Resolver or Forwarder on pfSense, this may be the IP of pfSense itself.



  • @viragomann I understand, but this has been set since the beginning, as I wrote about the config in my first post:

    DNS Server 1: 192.168.1.14 (pfSense, I use pfSense as DNS server with pfBlockerNg)

    but I had also tried adding it manually to the config with this line, which actually did not change anything:

    push "dhcp-option DNS 192.168.1.14"
    

    What was interesting is that I had also seen connections earlier from the phone to the pfSense IP on port 53 in the states
    (Firewall > Rules > OpenVPN, then clicked traffic data in the States column)

    but something was not right, as the DNS server actually did not respond to the queries from the phone. At the moment my only idea is that the DNS server service was not in a good condition.

    Anyway, thanks a lot for your help, I really appreciate your prompt feedback!

