Netgate Discussion Forum

Configuration questions

Category: Problems Installing or Upgrading pfSense Software
22 Posts 3 Posters 2.1k Views
    zkab
    last edited by Jan 19, 2020, 3:29 PM

    I want to set up pfSense and OpenVPN and have read the documentation.
    Also I don't want to use the DNS servers provided by my ISP ... I want to use Google's DNS servers.
    I have some configuration questions (I have very little knowledge of pfSense).
    Here is what I understand should be ... or have I missed something?

    System/General Setup:
    DNS Servers:
    8.8.8.8 (Gateway none)
    8.8.4.4 (Gateway none)
    DNS Server Override (unchecked)
    Disable DNS Forwarder (checked)

    Services/DNS Forwarder:
    Enable DNS forwarder (unchecked) ... default since Unbound requires that the DNS Forwarder be disabled

    Services/DNS Resolver/General Settings:
    DNS resolver (checked)
    DNS Query Forwarding:
    Enable Forwarding Mode (checked)
    Use SSL/TLS for outgoing DNS Queries to Forwarding Servers (unchecked)

    For pfSense/OpenVPN there are a lot of tutorials I will follow ... hopefully I will get it airborne ... if not I will be back.

    • johnpoz LAYER 8 Global Moderator
      last edited by Jan 19, 2020, 4:29 PM

      Yeah that would do it.

      But you wouldn't really want to check "disable forwarder" in the General tab:
      "Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall"

      If you do, pfSense would not be able to resolve your own local resources, either through DHCP/DHCP reservation registration or any host overrides you put in for your local hosts, since Google is sure not going to know about your local host names.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      • zkab
        last edited by Jan 19, 2020, 5:14 PM

        OK ... I understand what you mean ...
        Thanks for your support.

        • zkab
          last edited by Jan 20, 2020, 9:13 PM

          I followed the OpenVPN Wizard and I am not sure about some configurations.

          When I looked at VPN/OpenVPN/Servers in the Advanced Client Settings:

          1. DNS Default Domain ... Provide a default domain name to clients (checked)
          2. DNS Default Domain ... Is that the domain I have given in System/General Setup section?
          3. DNS Server enable ... Provide a DNS server list to clients. Addresses may be IPv4 or IPv6 (checked)
          4. DNS Server 1 ... is it 192.168.1.1 (pfSense) or Google DNS 8.8.8.8?

          I also installed 'openvpn-client-export' and downloaded 'Inline Configuration for Android'.
          Then I imported the .ovpn file into OpenVPN for Android ... the connection went OK but I can't access or ping any sites on the Internet.
          I can ping devices on my LAN.
          Could 1)-4) above be the problem?

          • johnpoz LAYER 8 Global Moderator
            last edited by Jan 20, 2020, 9:49 PM

            What did you hand your client for DNS? What are you trying to query? Make sure you can query it: out of the box, pfSense Unbound would not allow the tunnel IP to query it, since it would not be listed in the automatic ACLs that are created. Simple enough to test by doing an nslookup or dig directly to the NS you sent to the client.


            • zkab
              last edited by Jan 21, 2020, 3:10 PM

              I want connecting clients to use the DNS given in System/General Setup (Google's DNS).

              I changed to accept the default values (blanks) at VPN/OpenVPN/Servers in the Advanced Client Settings:

              1. DNS Default Domain ... Provide a default domain name to clients (unchecked)
              2. DNS Server enable ... Provide a DNS server list to clients. Addresses may be IPv4 or IPv6 (unchecked)
              3. DNS Server 1-4 (blank)

              Now I can access sites on the Internet as well as ping devices on my LAN.
              I have a question though ...
              When I change from one website to another I get, for a short second, an error message telling me that the connection was interrupted, and
              after that the website is shown ... can this timing message be suppressed?

              • stephenw10 Netgate Administrator
                last edited by Jan 21, 2020, 3:46 PM

                What sort of latency are you seeing from the client to external sites?

                I wouldn't expect to see that unless it's really high.

                Steve

                • zkab
                  last edited by Jan 21, 2020, 4:22 PM

                  As I said the message shows for a short time (0.5 seconds) but still it is annoying ...
                  I have a feeling the message shows when I switch from domestic websites to international sites and back ... not when I check domestic sites.
                  It is in Swedish but translated it looks like this ...

                  Connection was broken
                  A network change was discovered

                  (attached screenshot: Error.jpg)

                  • stephenw10 Netgate Administrator
                    last edited by Jan 21, 2020, 5:25 PM

                    OK, but what sort of RTT are you seeing to whatever site caused that when you're connected to the tunnel? It would have to be huge...

                    Seems more likely you're seeing the result of some traffic going directly and other traffic going through the tunnel.

                    Steve

                    • zkab
                      last edited by Jan 22, 2020, 11:53 AM

                      When I ping, the RTT varies from time=1.62 ms to time=124 ms for the sites.
                      The amount of information I get from accessing the websites is not huge ... just plain website data.
                      I can't see any pattern ... it is more random.
                      You mentioned 'Seems more likely you're seeing the result of some traffic going directly and other traffic going through the tunnel' ... but
                      I don't understand why 'pfSense/OpenVPN' navigates the result differently ... I have in 'Tunnel Settings' checked 'Redirect Gateway' (Force all client
                      generated traffic through the tunnel).

                      Is it a 'pfSense/OpenVPN' or an 'OpenVPN for Android' problem?
                      Is there some kind of log where I can see what is going on?

                      • stephenw10 Netgate Administrator
                        last edited by Jan 22, 2020, 5:31 PM

                        1.62ms seems very low, too low for any logical connection especially if that's over cellular.

                        124ms seems high but could be correct for cellular+VPN.

                        I'm not aware of any issue with the Android OpenVPN client, it does seem like a client issue though. Can you test from a different client?

                        You might be seeing blocked TCP traffic in the pfSense firewall log if packets are not being sent both ways.

                        Steve

                        • zkab
                          last edited by Jan 27, 2020, 12:12 PM

                          OK ... I tested with Windows client & Chrome.
                          When I access websites there is the usual Chrome message in the left bottom corner (for a short second) ... waiting for xxx ... before I get the website.
                          I guess that is the same problem I had on Android, so as I understand it the problem is on the server side and not on the client side ...
                          How do I proceed to get OpenVPN working?

                          • stephenw10 Netgate Administrator
                            last edited by Jan 27, 2020, 2:57 PM

                            It is working as I understand it; you said you were able to connect to internal resources and external sites, no?

                            I assume if you go to a 'whatismyIP' type site it reports the public IP of the server, as your traffic is going through that?

                            Steve

                            • zkab
                              last edited by Jan 27, 2020, 3:49 PM

                              It is working more or less ... still the ANNOYING network error message.
                              If my mobile is on the 4G mobile network then I can't reach my resources on my internal network.
                              With my limited knowledge I had the feeling that it didn't matter whether my mobile is on a public open network or a GSM 4G network; I could always reach my OpenVPN server.

                              • stephenw10 Netgate Administrator
                                last edited by Jan 27, 2020, 10:43 PM

                                It shouldn't make any difference how you're connected unless your provider is filtering OpenVPN traffic maybe. Unlikely.

                                As long as there is no subnet conflict between the server side LAN you're trying to reach and the subnet you're connecting from.

                                But check the public IP you are routing from to see how that traffic is flowing. It really looked like you were routing only some traffic over the tunnel which will cause all sorts of issues.

                                Steve

                                • zkab
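                                Two checks raised in this thread, johnpoz's point that pfSense's automatically generated Unbound ACLs do not include the tunnel network when clients are handed the firewall as DNS, and Steve's point about a subnet conflict between the client's local network and the server LAN, put into one small diagnostic together with a check that redirect-gateway is actually pushed. This is an added example, not code from the thread or from pfSense; the LAN 192.168.1.0/24 is from the thread, while the tunnel network, the pushed options and the ACL list are constructed assumptions.

```python
import ipaddress

# Constructed sample values. The server LAN is the thread's 192.168.1.0/24;
# the tunnel network, pushed options and ACL list are assumptions.
LAN_NET = "192.168.1.0/24"
TUNNEL_NET = "10.0.8.0/24"
SERVER_PUSH = [
    'push "redirect-gateway def1"',        # "Force all client generated traffic through the tunnel"
    'push "dhcp-option DNS 192.168.1.1"',  # hand clients the firewall itself as resolver
]
# pfSense adds one Unbound allow entry per interface network; the tunnel
# network is not among them unless the admin adds it (assumed list).
AUTO_UNBOUND_ACLS = ["127.0.0.0/8", "192.168.1.0/24"]


def parse_push(lines):
    """Pull the two pushed options that matter here out of OpenVPN server config lines."""
    opts = {"redirect_gateway": False, "dns": []}
    for line in lines:
        line = line.strip()
        if not (line.startswith('push "') and line.endswith('"')):
            continue
        words = line[6:-1].split()
        if words and words[0] == "redirect-gateway":
            opts["redirect_gateway"] = True
        elif len(words) == 3 and words[:2] == ["dhcp-option", "DNS"]:
            opts["dns"].append(words[2])
    return opts


def acl_covers(net, acls):
    """True if the whole network lies inside at least one ACL entry."""
    n = ipaddress.ip_network(net)
    return any(n.subnet_of(ipaddress.ip_network(a)) for a in acls)


def diagnose(push_lines, tunnel_net, lan_net, client_local_net, acls):
    """Return findings for the three checks; an empty list means all passed."""
    findings = []
    opts = parse_push(push_lines)
    if not opts["redirect_gateway"]:
        findings.append("no redirect-gateway pushed: only LAN traffic will use the tunnel")
    lan, tun = ipaddress.ip_network(lan_net), ipaddress.ip_network(tunnel_net)
    # DNS servers that live on the firewall are only reachable if Unbound allows the tunnel clients.
    on_firewall = [d for d in opts["dns"] if ipaddress.ip_address(d) in lan or ipaddress.ip_address(d) in tun]
    if on_firewall and not acl_covers(tunnel_net, acls):
        findings.append(f"DNS {', '.join(on_firewall)} is on the firewall but Unbound ACLs do not cover "
                        f"{tunnel_net}: tunnel clients are refused")
    if ipaddress.ip_network(client_local_net).overlaps(lan):
        findings.append(f"client network {client_local_net} overlaps server LAN {lan_net}")
    return findings
```

With the constructed defaults the only finding is the Unbound ACL one; adding the tunnel network to the ACL list clears it, and handing clients 8.8.8.8 instead (as zkab ended up doing) avoids it entirely.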
                                  last edited by Jan 28, 2020, 1:56 PM

                                  I rebooted pfSense and my mobile and all of a sudden I can reach my internal devices when I am on the 4G network.
                                  I use an app called 'PingTools Network Utilities' and it shows the following (being on 4G & VPN):

                                  Mobile: 100.98.184.83
                                  4G Gateway: 100.98.184.83
                                  Internet: my dyn-dns ip-address (which is correct)

                                  My internal network is 192.168.1.0/24 and I can ping (being on 4G & VPN) 192.168.1.7, which is good.
                                  And I can reach all external websites also ... but still the network error message.

                                  When my mobile is on a public open network the VPN works OK ... except for the network error message.

                                  WhatsMyIp gives me, as I understand it, correct values ...

                                  1. 4G & vpn - my dyn-dns ip-address
                                  2. public open network & vpn - my dyn-dns ip-address
                                  3. 4G without vpn - another ip that is not my dyn-dns ip-address (guess that is from my mobile operator) ... which is correct

                                  As I understand it, OpenVPN is working OK and all traffic is routed over the tunnel.
                                  Can the latency error message be solved ... is it an OpenVPN server or OpenVPN Android client issue?

                                  • stephenw10 Netgate Administrator
                                    last edited by Jan 28, 2020, 3:03 PM

                                    Seems like an Android issue if you are not seeing it in Windows.

                                    • zkab
                                      last edited by Jan 28, 2020, 3:36 PM

                                      OK ... I will check their forum.
                                      Thanks for your patience and support.

                                      • zkab
                                        last edited by Feb 11, 2020, 12:03 PM

                                        I understand that network change is not a call of OpenVPN ... it should be handled by the OS (Android).
                                        But ERR_NETWORK_CHANGED occurs only when I run OpenVPN ... so where do I see what kind of network change has occurred?
                                        The log file for the OpenVPN client on Android or the OpenVPN server?
                                        I don't see in which end I should start.
                                        The error message drives me crazy ...

                                        • stephenw10 Netgate Administrator
                                          last edited by Feb 11, 2020, 1:24 PM

                                          The network change is almost certainly between the direct connection and the VPN connection. Though it seems it can also be caused by intermittent IPv6.
                                          What do you actually need the Android client to do here? Route all traffic? Just access the internal LAN?
                                          You could put in a client specific override so it doesn't redirect all traffic which would likely solve it as most traffic would then use the local connection.

                                          This is an Android/Chrome problem though, there's little we can do about it in pfSense.

                                          Steve

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.