Configuration questions



  • I want to setup pfsense and OpenVPN and have read the documentation.
    Also I don't want to use the DNS servers provided by my ISP ... want to use Googles DNS servers.
    Have some configuration questions (have very little knowledge of pfsense).
    Here is what I understand should be ... or have I missed something?

    System/General Setup:
    DNS Servers:
    8.8.8.8 (Gateway none)
    8.8.4.4 (Gateway none)
    DNS Server Override (unchecked)
    Disable DNS Forwarder (checked)

    Services/DNS Forwarder:
    Enable DNS forwarder (unchecked) ... default since Unbound requires that the DNS Forwarder be disabled

    Services/DNS Resolver/General Settings:
    DNS resolver (checked)
    DNS Query Forwarding:
    Enable Forwarding Mode (checked)
    Use SSL/TLS for outgoing DNS Queries to Forwarding Servers (unchecked)

    For pfsense/OpenVPN there are a lot of tutorials I will follow ... hopefully I will get it airborne ... if not I will be back.


  • LAYER 8 Global Moderator

    Yeah that would do it.

    but you wouldn't really want to check disable forwarder in the general tab.
    "Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall"

    If you do, pfsense would not be able to resolve your own local resources, either through dhcp/dhcp reservation registration or any host overrides you put in for your local hosts.. Since google sure not going to know about your local host names.



  • OK ... understand what you mean ...
    Thanks for your support



  • I followed the OpenVPN Wizard and I am not sure about some configurations.

    When I looked at VPN/OpenVPN/Servers in the Advanced Client Settings:

    1. DNS Default Domain ... Provide a default domain name to clients (checked)
    2. DNS Default Domain ... Is that the domain I have given in System/General Setup section?
    3. DNS Server enable ... Provide a DNS server list to clients. Addresses may be IPv4 or IPv6 (checked)
    4. DNS Server 1 ... is it 192.168.1.1 (pfsense) or Google DNS 8.8.8.8

    I also installed 'openvpn-client-export' and downloaded 'Inline Configuration for Android'.
    Then I imported the .ovpn file to OpenVPN for Android ... connection went OK but I can't access or ping any sites on Internet.
    I can ping devices on my LAN.
    Could 1)-4) above be the problem?


  • LAYER 8 Global Moderator

    What did you hand your client for dns? What are you trying to query... Make sure you can query it - out of the box pfsense unbound would not allow tunnel IP to query it, since it would not be listed in the automatic ACLs that are created.. Simple enough to test by doing a nslookup or dig directly to NS you sent to the client..



  • I want that connecting clients will use DNS given in System/General Setup (Googles DNS).

    I changed to accept the default values (blanks) at VPN/OpenVPN/Servers in the Advanced Client Settings:

    1. DNS Default Domain ... Provide a default domain name to clients (unchecked)
    2. DNS Server enable ... Provide a DNS server list to clients. Addresses may be IPv4 or IPv6 (unchecked)
    3. DNS Server 1-4 (blank)

    Now I can access sites on Internet as well as ping devices on my LAN.
    I have a question though ...
    When I change from one website to another I get for a short second error message telling my that connection was interrupted and
    after that the website is shown ... can this timing message be suppressed?


  • Netgate Administrator

    What sort of latency are you seeing from the client to external sites?

    I wouldn't expect to see that unless it really high.

    Steve



  • As I said the message shows for a short time (0.5 seconds) but still it is annoying ...
    I have a feeling the message shows when I switch from domestic websites to international sites and back ... not when I check domestic sites.
    It is in Swedish but translated it looks like this ...

    Connection was broken
    A network change was discovered

    Error.jpg


  • Netgate Administrator

    Ok but what sort or RTT are you seeing to whatever site caused that when you;re connected to tunnel? It would have to be huge....

    Seems more likely you're seeing the result of some traffic going directly and other traffic going through the tunnel.

    Steve



  • When I make a ping RTT varies from time=1.62 ms to time=124 ms for the sites.
    The amount information I get from accessing the websites are not huge ... just plain website data.
    I can't see any pattern ... it is more random.
    You mentioned 'Seems more likely you're seeing the result of some traffic going directly and other traffic going through the tunnel' ... but
    I don't understand why 'pfsense/openvpn' navigate the result differently ... I have in 'Tunnel Settings' checked 'Redirect Gateway' (Force all client
    generated traffic through the tunnel).

    Is it a 'pfsense/OpenVPN' or 'OpenVPN for Android' problem?
    Is there some kind of log where I can see what is going on?


  • Netgate Administrator

    1.62ms seems very low, too low for any logical connection especially if that's over cellular.

    124ms seems high but could be correct for cellular+VPN.

    I'm not aware of any issue with the Android OpenVPN client, it does seem like a client issue though. Can you test from a different client?

    You might be seeing blocked TCP traffic in the pfSense firewall log is packets are not being sent both ways.

    Steve



  • OK ... I tested with Windows client & Chrome.
    When I access websites there is the usual Chrome message in the left bottom corner (for a short second) ... waiting for xxx ... before I get the website.
    I guess that is the same problem I had in Android so as I understand the problem is on the serverside and not on the client side ...
    How do I proceed to get openvpn working?


  • Netgate Administrator

    It is working as I understand it, you said you were able to connect to internal resources and external sites no?

    I assume of you go to a 'whatismyIP' type site it reports the public IP of the server as your traffic is going through that?

    Steve



  • It is working more or less ... still the ANNOYING network error message.
    If my mobile is at 4G mobile network then I can't reach my resources on my internal network.
    With my limited knowledge I had the feeling that I it didn't matter if my mobile is on a public open network or a GSM 4G network I could always reach my OpenVPN server.


  • Netgate Administrator

    It shouldn't make any difference how you're connected unless your provider is filtering OpenVPN traffic maybe. Unlikely.

    As long as there is no subnet conflict between the server side LAN you're trying to reach and the subnet you're connecting from.

    But check the public IP you are routing from to see how that traffic is flowing. It really looked like you were routing only some traffic over the tunnel which will cause all sorts of issues.

    Steve



  • I rebooted pfsense and my mobile and all of a sudden I can reach my internal devices when I am on 4G network.
    I use an app call 'PingTools Network Utilities' and it shows following (beeing on 4G & vpn):

    Mobile: 100.98.184.83
    4G Gateway: 100.98.184.83
    Internat: my dyn-dns ip-address (which is correct)

    My internal network is 192.168.1.0/24 and I can ping (beeing on 4G & vpn) 192.168.1.7 which is good.
    And I can reach all external websites also ... but still the network error message.

    When my mobile is on a public open network vpn works OK ... except the network error message.

    WhatsMyIp gives me as I understand correct values ...

    1. 4G & vpn - my dyn-dns ip-address
    2. public open network & vpn - my dyn-dns ip-address
    3. 4G without vpn - another ip that is not my dyn-dns ip-address (guess that is from my mobile operator) ... which is correct

    As I understand openvpn is working OK and all traffic is routed over the tunnel.
    Can the latency error message be solved ... is it a openvpn server or openvpn android client issue?


  • Netgate Administrator

    Seems like an Android issue if you are not seeing it in Windows.



  • OK ... I will check their forum
    Thanks for your patience and support



  • I understand that network change is not a call of openvpn ... it should be handle by OS (Android).
    But ERR_NETWORK_CHANGED occurs only when I run openvpn ... so where do I see what kind of network change has occurred?
    Log file for opnvpn client on Android or openvpn server?
    I don't see in which end I should start.
    The error message drives me crazy ...


  • Netgate Administrator

    The network change is almost certainly between the direct connection and the VPN connection. Though it seems it can also be cause by intermittent IPv6.
    What do you actually need the Android client to do here? Route all traffic? Just access the internal LAN?
    You could put in a client specific override so it doesn't redirect all traffic which would likely solve it as most traffic would then use the local connection.

    This is an Android/Chrome problem though, there's little we can do about it in pfSense.

    Steve



  • Thanks again ... I understand this is an Android/Chrome problem and I really appreciate that you take your time to help me.
    Getting support from Google is dead end ... they don't care about their customers at all.
    What I want to do with Android client is to access my LAN and Internet in a safe mode when I am on 4G or public wifi.
    You mentioned ... it seems it can also be cause by intermittent IPv6 ... how can I test that?
    The OpenVPN server is running in pfSense connected to my LAN.


  • Netgate Administrator

    Well that seemed to be what people were suggesting in Google's forum. Nothing definitive.
    You can disable it behind pfSense but otherwise I'm not sure how you might disable it in Android globally. I imagine you can find a wifi location without IPv6 though.

    Try setting up the VPN for just you local subnet rather than all traffic and see if you still see issues.
    I can imagine both local connections and the VPN are trying to be the default route. Usually OpenVPN just set's itself and there's no problem though.

    Steve


Log in to reply