OpenVPN setup on pfsense and something I'm missing...



  • Hi everyone,

    I'm trying to set up OpenVPN on pfSense.
    My goal is to have a static IP on the internet that I can connect to, to get into my home network.
    I don't want traffic to go out to the internet through this route, except traffic that was initiated through the VPS (port forwarded).

    My situation is somewhat like this:
    [network diagram image]

    What I already worked out:

    • I set up an OpenVPN server on a VPS
    • I also got the OpenVPN client working on the pfSense, so the tunnel is up and running and I can ping 10.1.1.1 from 10.1.1.2 and vice versa.

    What I'm struggling with is the routing between the tunnel network (10.1.1.0/24) and my home networks (several VLANs with subnets like 192.168.x.0/24):

    • If I try to ping some machine in my local network from the VPS (10.1.1.1), I can see the traffic going over the tunnel (in the traffic graph), but nothing arrives at my machine (checked with Wireshark)
    • If I try to ping 10.1.1.1 from somewhere in my local network (e.g. 192.168.1.100), there's no traffic on the tunnel
    • If I traceroute to my local network machine from the pfSense (source 10.1.1.2), it seems to be stuck directly at the gateway:
      1 10.1.1.2 39.255 ms 33.299 ms 31.461 ms
      2 10.1.1.2 62.069 ms 62.753 ms 54.512 ms
      3 10.1.1.2 59.731 ms 90.618 ms 81.735 ms
      4 10.1.1.2 88.704 ms 85.744 ms 111.079 ms

    So I'm sure I must be missing something, but I just don't grasp it.
    I've already been working on this setup for some days now, so I beg for your help :)

    Finally, my configs:

    server.conf on the VPS:

    port 1194
    proto udp
    dev tun
    tls-version-min 1.2
    cipher AES-256-CBC
    auth SHA512
    tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
    ca ca.crt
    cert server_stargate01.crt
    key server_stargate01.key  # This file should be kept secret
    dh dh.pem
    topology subnet
    server 10.1.1.0 255.255.255.0
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    comp-lzo no
    keepalive 10 120
    tls-auth ta.key 0 # This file is secret
    user nobody
    group nogroup
    persist-key
    persist-tun
    status /var/log/openvpn/openvpn-status.log
    log         /var/log/openvpn/openvpn.log
    log-append  /var/log/openvpn/openvpn.log
    verb 3
    explicit-exit-notify 1
    
    client-config-dir ccd
    client-to-client
    
    route 192.168.1.0 255.255.255.0
    route 192.168.2.0 255.255.255.0
    push "route 192.168.1.0 255.255.255.0"
    push "route 192.168.2.0 255.255.255.0"
    

    ccd/client file:

    ifconfig-push 10.1.1.2 255.255.255.255
    
    iroute 192.168.1.0 255.255.255.0
    iroute 192.168.2.0 255.255.255.0
    

    In the OpenVPN client configuration on the pfSense, I have these settings (condensed to the most important ones; ask if you need anything else):

    • Server mode: peer to peer (SSL/TLS)
    • Protocol: UDP on IPv4 only
    • Device mode: tun
    • IPv4 Tunnel network(s): empty
    • IPv4 Remote network(s): empty
    • Topology: subnet
    • Don't pull routes: unchecked
    • Don't add/remove routes: checked
    • Custom options: empty
    • Gateway creation: IPv4 only

    Gateway settings:

    • Address family: IPv4
    • Gateway: 10.1.1.2

    Everything else is default.

    Thanks
    Kaisai
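A way to sanity-check the routing directives in the two files above, as an added example that is not part of the original post: it parses the posted server.conf and ccd/client file (embedded here as constructed samples, trimmed to the routing-relevant lines) and reports iroutes without a matching server route, an ifconfig-push address outside the tunnel subnet, routes pushed back to the client that owns them, and a redirect-gateway push, which contradicts the stated goal of not sending internet traffic through the VPS. The function names and the finding format are my own and not part of OpenVPN or pfSense.

```python
import ipaddress
import shlex

# Constructed sample: routing-relevant lines of the server.conf posted above.
SERVER_CONF = """\
port 1194
proto udp
dev tun
topology subnet
server 10.1.1.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
tls-auth ta.key 0 # This file is secret
client-config-dir ccd
client-to-client
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
"""

# Constructed sample: the ccd/client file posted above.
CCD_CLIENT = """\
ifconfig-push 10.1.1.2 255.255.255.255
iroute 192.168.1.0 255.255.255.0
iroute 192.168.2.0 255.255.255.0
"""


def parse_openvpn(text):
    """Split an OpenVPN config into (directive, args) pairs.

    '#' and ';' comments are stripped; shlex keeps a quoted push payload
    together, so 'push "route a b"' becomes ('push', ['route a b']).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def _net(addr, mask):
    # OpenVPN writes 'network netmask'; strict=False tolerates set host bits.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_site_to_site(server_text, ccd_text):
    """Return a list of (severity, message) findings; an empty list means the
    server's route/push-route set and the client's iroute set agree."""
    findings = []
    server = parse_openvpn(server_text)
    ccd = parse_openvpn(ccd_text)

    tunnel = next((_net(a[0], a[1]) for d, a in server
                   if d == "server" and len(a) >= 2), None)
    if tunnel is None:
        findings.append(("error", "server.conf has no 'server <net> <mask>' directive"))

    kernel_routes = {_net(a[0], a[1]) for d, a in server if d == "route" and len(a) >= 2}

    # Pushed options arrive as one quoted string; parse the inner payload.
    pushed_routes = set()
    redirect_gateway = False
    for d, a in server:
        if d != "push" or not a:
            continue
        inner = shlex.split(a[0])
        if inner and inner[0] == "route" and len(inner) >= 3:
            pushed_routes.add(_net(inner[1], inner[2]))
        elif inner and inner[0] == "redirect-gateway":
            redirect_gateway = True

    iroutes = set()
    for d, a in ccd:
        if d == "iroute" and len(a) >= 2:
            iroutes.add(_net(a[0], a[1]))
        elif d == "ifconfig-push" and a and tunnel is not None:
            ip = ipaddress.ip_address(a[0])
            if ip not in tunnel:
                findings.append(("error", f"ifconfig-push {ip} is outside the tunnel network {tunnel}"))

    for n in sorted(iroutes):
        # Without a matching 'route', the server kernel never hands packets for
        # this LAN to the tun device, so iroute alone cannot deliver them.
        if n not in kernel_routes:
            findings.append(("error", f"iroute {n} has no matching 'route' in server.conf"))
        if n in pushed_routes:
            findings.append(("warning", f"route {n} is pushed to the client that owns it via iroute; "
                             "a client that installs pushed routes would send its own LAN into the tunnel"))

    if redirect_gateway:
        findings.append(("warning", "push \"redirect-gateway\" sends all of the client's internet "
                         "traffic through the VPS, contrary to a port-forward-only goal"))
    return findings


if __name__ == "__main__":
    for severity, message in check_site_to_site(SERVER_CONF, CCD_CLIENT):
        print(f"[{severity}] {message}")
```

The checks cover only what the two posted files show; pfSense-side settings such as the firewall rules on the OpenVPN interface and the "Don't add/remove routes" option are not visible to the script.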
