PFSense blocks VPN Connection to company



  • Hi!

    My girlfriend has a company VPN that she needs to connect to but obviously PFSense is blocking the connection.

    According to the website of the VPN connection tool it is a "Secure SSL VPN" which, in my understanding, is basically OpenVPN.

    I tried a lot with rules to let it through but I could not get it to work. The connection is always refused. I tried many settings according to many articles I found on the internet but it always failed when it was trying to connect to an internal url by name.

    My understanding of networks is more than basic but the whole firewall and NAT issue is very new to me.

    Does anybody have a solution?

    Thanks!



  • @brainzina said in PFSense blocks VPN Connection to company:

    Does anybody have a solution?

    First, what is the problem ?
    I presume the company is 'elsewhere' and girlfriend has to do some work from home.

    When you install pfSense at home, all possible connections from LAN are permitted. No exceptions what so ever.
    If something is blocking something, then this is per admin's choice.

    I use pfSense on my work, and at home.
    I have set up the OpenVPN server at work.
    At home, using some PC, on a LAN behind my home pfSense, I can connect just fine to the VPN server at work.

    @brainzina said in PFSense blocks VPN Connection to company:

    but obviously PFSense is blocking the connection.

    Why is it obvious ?
    Images ? Logs ?
    Are you aware of the fact that millions are using VPN connections right now - and a lot are going through pfSense installations ?
    I advise you to fire your pfSense admin ;)

    @brainzina said in PFSense blocks VPN Connection to company:

    I tried a lot with rules to let it through but I could not get it to work.

    The default LAN rule, present when you install pfSense, will do the job.

    @brainzina said in PFSense blocks VPN Connection to company:

    I tried many settings according to many articles I found on the internet

    You missed the most obvious one and I can prove it : re-install pfSense and your problems are over.
    And you will know why.



  • @brainzina said in PFSense blocks VPN Connection to company:

    According to the website of the VPN connection tool it is a "Secure SSL VPN" which, in my understanding, is basically OpenVPN.

    Not necessarily. While OpenVPN uses SSL/TLS it's not the only method that does. In fact, an ordinary HTTPS connection uses SSL/TLS. Perhaps she should clarify what's needed.



  • It seems nowadays people want to use pfSense as a client to connect to their workspace? Which is not a good tool for that. Use the client recommended by the company!



  • Thanks for your replies!

    @Gertjan said in PFSense blocks VPN Connection to company:

    I presume the company is 'elsewhere' and girlfriend has to do some work from home.
    When you install pfSense at home, all possible connections from LAN are permitted. No exceptions what so ever.
    If something is blocking something, then this is per admin's choice.

    Yes. PFSense at home, company elsewhere.
    My understanding of the firewall was exactly that. This is why I am pretty unsure what causes this problem.

    @Gertjan said in PFSense blocks VPN Connection to company:

    Why is it obvious ?

    Because if I connect the laptop of my girlfriend directly to the modem it works. The WiFi devices are only APs.

    @Gertjan said in PFSense blocks VPN Connection to company:

    I advise you to fire your pfSense admin ;)

    That would be myself. Would be easy to do but still, wouldn't solve the problem.

    @Gertjan said in PFSense blocks VPN Connection to company:

    The default LAN rule, present when you install pfSense, will do the job.

    If that is the case, I guess I cannot avoid re-installation.

    @JKnott said in PFSense blocks VPN Connection to company:

    Not necessarily. While OpenVPN uses SSL/TLS it's not the only method that does. In fact, an ordinary HTTPS connection uses SSL/TLS. Perhaps she should clarify what's needed.

    I am on that right now!

    @Bob-Dig said in PFSense blocks VPN Connection to company:

    It seems nowadays people want to use pfSense as a client to connect to their workspace? Which is not a good tool for that. Use the client recommended by the company!

    I tried it exactly so. PFSense is the router, the VPN software is the one of the company.

    I will wait for the reply of the company regarding the actual VPN but if that brings me further, I will reinstall the whole router.

    Thanks again!


  • LAYER 8 Global Moderator

    @brainzina said in PFSense blocks VPN Connection to company:

    According to the website of the VPN connection tool it is a "Secure SSL VPN" which, in my understanding, is basically OpenVPN.

    That's like saying all whiskeys are bourbon..

    There are many different SSL based vpns, openvpn being one of them... If what you're trying to do is get pfsense to be a client to some company vpn.. You're going to have to get with the IT dept of that company if that is possible.

    Cisco anyconnect is ssl based vpn
    PulseSecure another ssl based vpn



  • @brainzina said in PFSense blocks VPN Connection to company:

    Because if I connect the laptop of my girlfriend directly to the modem it works

    If you use a wired connection to the LAN (wired, this excludes AP issues) using these rules :
    [image: screenshot of the LAN firewall rules]

    (the second rule isn't important here I guess - I've split them up to see what protocol gets used).

    and your DNS has default settings (a broken DNS setup will not allow the VPN client on the PC to resolve, because the connection's used URL can not get resolved) then I can't see why it should not work.

    Take note : this typical usage does not need you to set up the VPN server on pfSense, nor a VPN client.

    Typically, you'll be needing one of these https://openvpn.net/community-downloads/
    or the program that the company made available to you. This program, that has to be installed on the laptop computer, has to be set up using a .ovpn file.

    For pfSense, an outgoing VPN connection is not any different from any other mail/web/ssh/imap/pop/ntp/etc connection.

    If something doesn't work, there is always a log file available with the connection details, telling you what went wrong.



  • Hi!
    It also works with another router.

    As my PFSense installation is a few years old and I tried a lot of things in the last couple of days I will just reset it to factory settings right now.

    Most of the things I once set up I do not use anymore so it will not be that hard to do so.

    I don't like not understanding the problem but in this case I need a solution and now I have some extra time anyway. ;-)

    I totally understand the fact that I do not need a VPN server or client on my PFSense but just use the connection program of the company.

    Still, is it a problem to have an OpenVPN client running on the PFSense? I do have one that I use from time to time.

    Thanks!



  • @brainzina said in PFSense blocks VPN Connection to company:

    Still, is it a problem to have an OpenVPN client running on the PFSense? I do have one that I use from time to time.

    No, I have one running all the time myself.


  • LAYER 8 Global Moderator

    Yeah I have a vpn client connected to one of my vps 24/7 - use it for testing when helping in threads that are doing vpn client connection. I don't route any traffic out it normally - but it's connected all the time.. If I ever want a box to use the vpn it's a simple policy route change in the firewall rules.



  • @brainzina said in PFSense blocks VPN Connection to company:

    I will wait for the reply of the company regarding the actual VPN but if that brings me further, I will reinstall the whole router.

    Before you do anything, find out what the company requires. All pfSense can do is provide a VPN. The company might use something else. If they say use OpenVPN, then they should provide the details. Before you know that, you're wasting your time and effort.



  • @brainzina said in PFSense blocks VPN Connection to company:

    Because if I connect the laptop of my girlfriend directly to the modem it works.

    Many companies will install the necessary VPN software on the user's computer. If this is the case, then you may have to configure some rules. However, until you know, we don't either and can't provide useful advice.



    I resolved it by disabling the DNS Resolver.

    Now it works.


  • LAYER 8 Global Moderator

    So whatever you were trying to access couldn't be resolved by the resolver - why? You could not talk to the authoritative NS, it was failing dnssec?

    What is the specific fqdn that would not resolve? If you don't want to post it, send it to me via PM.. and I will look into what might be wrong and prevent resolution.



  • @brainzina said in PFSense blocks VPN Connection to company:

    I resolved it by disabling the DNS Resolver.

    Interesting.
    Stopping DNS facilities normally breaks things, that's a fact..
    Try for yourself : can you see packages on this page : System >> Package Manager >> Available Packages now ?
    With no DNS, pfSense can't resolve for your network anymore, neither for itself. Example : update checks.

    There is something 'non standard' that you didn't tell us ... yet.



  • Actually I don't get it.

    In the dialog box of the VPN client on the laptop it tried to connect to several internal URLs (with .local). It listed some internal DNS servers and the PFSense.
    After deactivating the DNS Resolver it listed the internal DNS servers and the two Google DNS servers I added.

    My setup is reinstalled. I changed nothing except some static DHCP Leases.


  • LAYER 8 Global Moderator

    @brainzina said in PFSense blocks VPN Connection to company:

    it tried to connect to several internal urls (with .local).

    Well that would never resolve unless it was local and was using mdns.. A misconfig on the client without a domain might try and resolve just a host name by looking for host.local, etc.

    But pointing a client to an external DNS sure and the F would not allow it to resolve anything with a .local TLD..

    More than happy to help you figure out what was/is going on - but need some details... What specific FQDN is your vpn client supposed to connect to? This should be easy enough to see in the client vpn configuration.
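One way to collect the detail asked for above, as an added diagnostic example that is not code from the thread: query each resolver the laptop uses for the names the VPN client needs and compare the response codes, so it is clear which resolver fails for which name. Standard library only; the resolver addresses and hostnames are placeholders, not the poster's values.

```python
"""Compare how several resolvers answer for the names a VPN client needs.
Added diagnostic example, not code from the thread; stdlib only."""
import random
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=None):
    """Build a minimal DNS A/IN query with RD set; return (id, packet bytes)."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    return qid, header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_response(data, qid):
    """Return (rcode name, answer count); reject short, mismatched or non-response packets."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("packet is not a response")
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}"), an

def probe(server, name, timeout=2.0):
    """Query one server over UDP/53; return the rcode summary or 'TIMEOUT'."""
    qid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(pkt, (server, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"
    rcode, answers = parse_response(data, qid)
    return f"{rcode} ({answers} answer(s))"

if __name__ == "__main__":
    # Placeholders: the pfSense LAN address and the two public resolvers the poster added.
    resolvers = ["192.168.1.1", "8.8.8.8", "8.8.4.4"]
    # Constructed names: the VPN gateway and a .local (mDNS-reserved) intranet host.
    names = ["vpn.example.com", "intranet.corp.local"]
    for name in names:
        for srv in resolvers:
            print(f"{name:24} via {srv:12} -> {probe(srv, name)}")
```

A NXDOMAIN from the pfSense resolver next to an answer from the company's pushed DNS server for the same .local name is the signature of the situation described in this thread.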



    I really don't get it. Now PFSense assigns the DNS servers (I used the Google ones) directly to the clients. So on my computer right now I see these DNS servers.

    @Gertjan said in PFSense blocks VPN Connection to company:

    Try for yourself : can you see packages on this page : System >> Package Manager >> Available Packages now ?

    Yes, that works.

    The VPN connection is OpenVPN. The config file is relatively regular, it connects to an IP.
    The connection establishing seems to work with a different program that first tries to connect to other servers. Unfortunately there is no config file for this program. It seems that it tries some hosts by IP, then adds internal DNS servers and then tries to connect to some internal URLs by name. And that is what did not work before I disabled the resolver.

    The IT department of the company is overloaded so they are not available for a little chat right now.



  • @johnpoz said in PFSense blocks VPN Connection to company:

    But pointing a client to an external DNS sure and the F would not allow it to resolve anything with a .local TLD..

    What happens if the VPN-client app was launched on a PC ?
    The "external DNS" for a device doesn't matter then, it could have been overridden by the remote VPN company DNS server. That one could resolve 'local' URLs like .local just fine, handing over a "local IP" before resolving other, global hostnames.
    Isn't this how companies set up the PC's VPN clients of their road warriors ?! The VPN server's DNS 'sees' all the DNS requests of their employees, and can pass/block whatever they need ?



    That was my understanding too but it did not work. Ironically it works with DNS servers other than the one of my PFSense.

