SOLVED Help | OpenVPN Server to Access LAN Ressources | Not Working

skalyx · Jan 22, 2020, 4:40 PM

Hello,
I am looking to set up OpenVPN on my PFSense to allow myself to access my home LAN on 4G and when I am abroad mainly for RDP to my desktop. However, I am having some problems. Please refer to the image below to understand my simplified LAN without unnecessary nodes and to https://imgur.com/a/cHjOyJZ for the OpenVPN configuration and firewall configurations.

If not working, please refer to here

My PfSense has a dynamic DNS configured which allows my public IP to be found by the client. It does work. However, it seems my VPN client cannot reach/connect to the OpenVPN server (PfSense). Please refer to the image below:

If not working, please refer to here

It, nevertheless, work when I am trying to connect to the OpenVPN server when I am in the LAN (not on 4G, for ex). Block private networks and loopback addresses are unchecked in Interfaces > WAN. I tried both UDP and TCP and cannot find any firewall logs or OpenVPN logs regarding it.

Thanks,

viragomann · Jan 21, 2020, 6:31 PM

@skalyx said in Help | OpenVPN Server to Access LAN Ressources | Not Working:

I tried both UDP and TCP and cannot find any firewall logs or OpenVPN logs regarding it.

Probably no packet reaches the pfSense WAN interface.

You have to forward UDP 1194 or whatever protocol/port you use on the ISP router.
Maybe there is on option to set the pfSense WAN as exposed host or DMZ or something like that.

You can sniff the packets on pfSense with Diagnostic > Packet Capture to investigate if packets are arriving.

skalyx · Jan 21, 2020, 10:12 PM

@viragomann
Thanks for the answer. I just have activated DMZ to my PfSense, but what should I do next?
Please refer to the following link to understand what I did with my ISP router:
https://imgur.com/a/oHcmM7M

Edit: My packet capture diagnosis does not show anything... No packet reaches my PfSense router...

viragomann · Jan 21, 2020, 11:40 PM

@skalyx said in Help | OpenVPN Server to Access LAN Ressources | Not Working:

Please refer to the following link to understand what I did with my ISP router:
https://imgur.com/a/oHcmM7M

The first picture shows a port forwarding, the second one the DMZ config.
Both look plausible for me, but I don't know if you need both settings.

However, on pfSense the port forwarding is incorrect. There is no need for a forwarding at all when your OpenVPN servers are listening on WAN interface. So you may delete it.

skalyx · Jan 21, 2020, 11:43 PM

@viragomann
Sure, thanks. Sadly, it does not work... Do you have an idea?
Thanks,

viragomann · Jan 22, 2020, 3:08 AM

Shurely, that does nothing for getting the OpenVPN packets on the WAN interface of pfSense.
The problem will be in front of pfSense.

I don’t know, how to configure your router to forward the traffic. Is there an option to bridge it?
Also possible that your ISP blocks the traffic.

skalyx · Jan 22, 2020, 3:08 AM

@viragomann Hello,

Thanks for your answer. Sadly, we cannot bridge it. The firewall on my ISP firewall, however, is set to allow everything... I will try to change the port to 5552 or any random port and try... Maybe my ISP is blocking it. Is there any NAT problem or anything else I can try?

I have a RJ11 VDSL (110Mbits up and 40mbits down). Would it be possible to buy a RJ11 to RJ45 adapter and plug it into my pfsense and set everything to DHCP? Would it work?

Thanks,

viragomann · Jan 22, 2020, 2:56 PM

@skalyx said in Help | OpenVPN Server to Access LAN Ressources | Not Working:

I have a RJ11 VDSL (110Mbits up and 40mbits down). Would it be possible to buy a RJ11 to RJ45 adapter and plug it into my pfsense and set everything to DHCP? Would it work?

No, that's DSL which pfSense is not capable to handle.
pfSense can do a PPPoE connection, if the modem supports that. This way you will get your public IP on the WAN of pfSense.

Can you confirm that you get a public IP from your ISP and a CGN (https://en.wikipedia.org/wiki/Carrier-grade_NAT)?

kiokoman · Jan 22, 2020, 3:10 PM

it seems to me that the internal host is wrong on the picture https://imgur.com/a/oHcmM7M
internal host should be 192.168.3.1 but i think you can remove that rules now that you have put pfsense on dmz
also that port forward is wrong on pfsense
packet go from (WAN IP) isp modem 192.168.3.2 ->to -> pfsense 192.168.3.1 where there should be the openvpn server listening

skalyx · Jan 22, 2020, 4:40 PM

@viragomann Hello, thanks for the answer. I do get the public IP.

@kiokoman It WORKS!!! I am so happy. Many thanks. I deactivated the DMZ settings and I changed the NAT rules to 192.168.3.1 in place of 192.168.1.1 and it just works... Stupid mistakes are sometimes the most difficult ones to find.
Many thanks to you, Viragomann & Kiokoman. I really appreciate!