OpenVPN setup on pfsense and something I'm missing...
kaisai last edited by kaisai
I try to setup OpenVPN on pfSense.
My goal is to have a static IP on the internet that I can connect to, to get into my home network.
I don't want traffic to go out to the internet through this route, except the one that was initiated through the VPS (port forwarded).
My situation is somewhat like this:
What I already worked out:
- I set up an OpenVPN server on a VPS
- I also got the OpenVPN client working on the pfSense, so the tunnel is up and running and I can ping 10.1.1.1 from 10.1.1.2 and vice versa.
What I'm struggling with is the routing between the tunnel network (10.1.1.0/24) and my home networks (several VLANs with subnets like 192.168.x.0/24):
- If I try to ping some machine in my local network from the VPS (10.1.1.1), I can see the traffic going over the tunnel (in the traffic graph), but nothing arrives at my machine (checked with wireshark)
- If I try to ping 10.1.1.1 from somewhere in my local network (e.g. 192.168.1.100), there's no traffic on the tunnel
- If I traceroute my local network machine from the pfSense (source 10.1.1.2) then it seems to be stuck directly at the gateway:
1 10.1.1.2 39.255 ms 33.299 ms 31.461 ms
2 10.1.1.2 62.069 ms 62.753 ms 54.512 ms
3 10.1.1.2 59.731 ms 90.618 ms 81.735 ms
4 10.1.1.2 88.704 ms 85.744 ms 111.079 ms
So I'm sure I must be missing something but I just don't grasp it.
I've been working on this setup for some days now, so I beg for your help :)
Finally, my configs:
server.conf on the VPS:
port 1194
proto udp
dev tun
tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
ca ca.crt
cert server_stargate01.crt
key server_stargate01.key # This file should be kept secret
dh dh.pem
topology subnet
server 10.1.1.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 126.96.36.199"
comp-lzo no
keepalive 10 120
tls-auth ta.key 0 # This file is secret
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
client-config-dir ccd
client-to-client
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"

ifconfig-push 10.1.1.2 255.255.255.255
iroute 192.168.1.0 255.255.255.0
iroute 192.168.2.0 255.255.255.0
In the OpenVPN client configuration on the pfSense, I have these settings (condensed to the most important; ask if you need anything else):
- Server mode: peer to peer (SSL/TLS)
- Protocol: UDP on IPv4 only
- Device mode: tun
- IPv4 Tunnel network(s): empty
- IPv4 Remote network(s): empty
- Topology: subnet
- Don't pull routes: unchecked
- Don't add/remove routes: checked
- Custom options: empty
- Gateway creation: IPv4 only
- Address family: IPv4
- Gateway: 10.1.1.2
Everything else is default.
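As an added example (not part of the post above, and not code from pfSense or the OpenVPN project), the script below runs the consistency checks an OpenVPN site-to-site setup like this one needs: every server `route` for a client-side LAN must be paired with an `iroute` in that client's ccd entry (the `route` sends packets into the tun device, the `iroute` tells OpenVPN which client owns the subnet), the `ifconfig-push` address must lie inside the `server` tunnel network, and a pushed `redirect-gateway` is reported when the goal is split tunneling rather than a full tunnel. The sample inputs are the routing-relevant directives from the post, reduced to one directive per line; the pfSense GUI settings live in the web UI rather than a file and are not covered here.

```python
import ipaddress

# Constructed sample input: the routing-relevant server.conf directives
# from the post, one per line (crypto and logging lines omitted).
SERVER_CONF = """\
topology subnet
server 10.1.1.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
client-config-dir ccd
client-to-client
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
"""

# Constructed sample input: the ccd entry for the pfSense client.
CCD_ENTRY = """\
ifconfig-push 10.1.1.2 255.255.255.255
iroute 192.168.1.0 255.255.255.0
iroute 192.168.2.0 255.255.255.0
"""


def parse_directives(text):
    """Parse OpenVPN config text into (name, args) pairs.

    Comments are stripped, and push "..." directives are unwrapped so that
    push "route A M" becomes ("push", ["route", "A", "M"]).
    """
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        if name == "push" and args:
            args = " ".join(args).strip('"').split()
        directives.append((name, args))
    return directives


def audit_routing(server_text, ccd_text, full_tunnel_wanted=False):
    """Return a list of findings about the server/ccd routing directives."""
    server = parse_directives(server_text)
    ccd = parse_directives(ccd_text)
    findings = []

    # Kernel routes on the server vs. OpenVPN-internal routes in the ccd entry:
    # a client-side LAN is reachable only when both are present.
    routes = {tuple(a[:2]) for n, a in server if n == "route" and len(a) >= 2}
    iroutes = {tuple(a[:2]) for n, a in ccd if n == "iroute" and len(a) >= 2}
    for net, mask in sorted(routes - iroutes):
        findings.append(f"server 'route {net} {mask}' has no matching iroute in the ccd entry")
    for net, mask in sorted(iroutes - routes):
        findings.append(f"ccd 'iroute {net} {mask}' has no matching 'route' on the server")

    # The statically assigned client address must fall inside the tunnel network.
    tunnel = None
    for n, a in server:
        if n == "server" and len(a) >= 2:
            tunnel = ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)
    for n, a in ccd:
        if n == "ifconfig-push" and a:
            addr = ipaddress.ip_address(a[0])
            if tunnel is not None and addr not in tunnel:
                findings.append(f"ifconfig-push address {addr} is outside tunnel network {tunnel}")

    # A pushed default route sends all client traffic through the VPS, which
    # is the opposite of a site-to-site split tunnel.
    if not full_tunnel_wanted:
        for n, a in server:
            if n == "push" and a and a[0] == "redirect-gateway":
                findings.append(
                    "server pushes 'redirect-gateway'; clients that accept pushed "
                    "routes will send all of their traffic through the tunnel"
                )
    return findings


if __name__ == "__main__":
    for finding in audit_routing(SERVER_CONF, CCD_ENTRY):
        print("-", finding)
```

Run against the post's directives, the only finding is the pushed `redirect-gateway`; removing one `iroute` line from the ccd entry produces the missing-iroute finding for that subnet, which is the kind of mismatch that shows up exactly as "traffic leaves the tunnel but never arrives" on the LAN side.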