Netgate Discussion Forum
WAN IP address changed - OpenVPN no longer working

foxpc123
last edited by Oct 24, 2020, 11:55 AM

Hi All,
I'm quite new to pfSense and so my experience with this firewall is limited.

Our ISP has changed our static IP range, and so I have amended the WAN, created a new gateway and added new virtual IPs.

All port forwards to our external services, phone system etc. are working fine. None of the firewall rules have been changed.

I've amended our OpenVPN config so that it tries to connect using the new WAN IP; however, I get this error on the client:

Sat Oct 24 12:32:10 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]185.125.107.50:1194
Sat Oct 24 12:32:10 2020 UDP link local (bound): [AF_INET][undef]:1194
Sat Oct 24 12:32:10 2020 UDP link remote: [AF_INET]185.125.107.50:1194
Sat Oct 24 12:33:10 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 24 12:33:10 2020 TLS Error: TLS handshake failed
Sat Oct 24 12:33:10 2020 SIGUSR1[soft,tls-error] received, process restarting

This is the firewall rule for OpenVPN:

[Screenshot 2020-10-24 at 12.39.28.jpg]

I can see in the dynamic log there appears to be a block, but it's not clear why with that rule in place:

[Screenshot 2020-10-24 at 12.53.02.jpg]

Any help gratefully received.

JKnott @foxpc123
last edited by Oct 24, 2020, 12:38 PM

@foxpc123

Did you recreate the client?

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

foxpc123
last edited by Oct 24, 2020, 1:09 PM

Hi @jknott, I edited the existing config file within OpenVPN and changed the IP address so it matches the new IP. How do I recreate the client?

JKnott @foxpc123
last edited by Oct 24, 2020, 2:30 PM

@foxpc123

On the client export page, down at the bottom are the buttons for exporting it.

johnpoz LAYER 8 Global Moderator
last edited by johnpoz Oct 24, 2020, 2:48 PM Oct 24, 2020, 2:43 PM

You mention VIPs.. A rule on your WAN that allows access to the WAN address would not = a VIP address.

Is your WAN RFC1918? That block you show is to an RFC1918 address..

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

foxpc123 @JKnott
last edited by Oct 24, 2020, 3:26 PM

@JKnott Yes, I've exported a new one and I get the same result.

foxpc123 @johnpoz
last edited by Oct 24, 2020, 3:30 PM

@johnpoz The WAN is a public IP address range which we use to NAT to various hosts on the private side. They are all working OK and we can port forward to each host fine.

The OpenVPN server is using the main WAN (default) IP address.

Rico LAYER 8 Rebel Alliance
last edited by Oct 24, 2020, 4:19 PM

pfSense is your edge firewall with the OpenVPN server running there?
What is 192.168.0.255?
Make sure your OpenVPN server is set to WAN as the Interface.

-Rico

foxpc123 @Rico
last edited by Oct 24, 2020, 5:31 PM

@Rico

Yes, pfSense is the edge firewall.

The OpenVPN server is set to the WAN IP address.

192.168.0.255 is our UniFi Video device. I have checked the firewall rules and 1194 is set to the same WAN IP, so I am at a loss why 1194 traffic would appear to be routed towards UniFi Video.

johnpoz LAYER 8 Global Moderator
last edited by johnpoz Oct 24, 2020, 5:37 PM Oct 24, 2020, 5:36 PM

That is not how I would read that traffic... To me pfSense WAN saw traffic to 192.168.0.255 on port 1194... Why would that be?? Could be noise from your ISP L2? Or the L2 your pfSense WAN is connected to, if not directly connected to your ISP... You could have leakage from your LAN L2 onto your WAN.. Not sure how you have everything connected together.

So either that was a broadcast, or directed. Are you not using /24s? 192.168.0.255 with a /24 mask would be the directed broadcast address for 192.168.0.0/24, but sure, with a 192.168.0.0/23 or bigger then yeah, that could be an actual host address.

Is BT your ISP?

foxpc123 @johnpoz
last edited by Oct 24, 2020, 5:55 PM

@johnpoz

I think it is routed, as the originating IP address in that screenshot is my IP address (which is BT), which I was using to try and get an OpenVPN connection to the remote pfSense.

I have inherited this pfSense from a predecessor and there are a lot of 1:1 mappings for which it is not entirely clear what they are for.

Looking at the 1:1 mappings I can see one from the WAN IP to 192.168.0.255, which would probably explain why OpenVPN 1194 is going from the WAN IP to that IP address.

For my education really: why have a 1:1 mapping if you have firewall rules? What is the benefit of 1:1 over a firewall rule?

foxpc123 @foxpc123
last edited by Oct 24, 2020, 6:11 PM

@johnpoz Actually, hold fire. I've just gone back over the 1:1 mappings and there are two which are incorrect. I'm just changing those now.

johnpoz LAYER 8 Global Moderator
last edited by Oct 24, 2020, 6:18 PM

@foxpc123 said in WAN IP address changed - OpenVPN no longer working:

why have 1:1 mapping if you have firewall rules what is the benefit of 1:1 over a firewall rule?

That is a good question ;)

While there are reasons you would use 1:1, normally you would do that if you wanted to map a block of public space to a block of RFC1918 space, i.e. 1:1 public.X would go to private.X, etc.

A 1:1 setup would maintain static source ports on outbound traffic, and bypass the outbound rules completely, etc.

Would have to know more about your setup to try and figure out why they would have used 1:1 vs just normal port forwarding.. If you had lots and lots of ports you wanted to forward, 1:1 could be a shortcut to allowing all of them, but it comes with risks, etc. And if you don't fully know what you're doing you could expose stuff you don't want to expose.

foxpc123
last edited by Oct 24, 2020, 6:18 PM

@johnpoz Thank you for pointing me in the right direction: "To me pfsense WAN saw traffic to 192.168.0.255 on port 1194... Why that would be??"

That was the catalyst. When I checked the 1:1 mapping there was a reference there which said WAN, so I'd mistakenly transposed that for the new default WAN IP address, when it should have been the 'new' external IP for the UniFi Video. Once I'd checked back over the 'old' addresses I could see that the wrong external WAN IP address was being used, and so OpenVPN requests were being 1:1 translated to that LAN. Once this was corrected the OpenVPN connections are now working fine.

Thanks very much for your help.
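The root cause the thread converges on (a 1:1 NAT entry whose external side was the firewall's own WAN address, so every inbound port, including OpenVPN's 1194, was translated to the UniFi Video host) and johnpoz's point that 1:1 forwards all ports, modelled as an added example; this is not code from the thread or from pfSense. The evaluation order (port forward, then 1:1, then a service on the firewall) is a simplification assumed for the model, `resolve_inbound`, `shadowed_services` and `exposed_ports` are hypothetical helper names, and `203.0.113.20` is a placeholder for the VIP the poster actually used.

```python
# Added example (not from the thread or pfSense): a simplified model of how pfSense
# dispatches an inbound packet addressed to a WAN IP, showing why a 1:1 NAT entry
# whose external side is the WAN address itself swallows the firewall's own OpenVPN
# listener. Evaluation order (port forward -> 1:1 -> local service) is a modelling
# assumption; firewall rules still decide pass/block after translation.
from collections import namedtuple

OneToOne = namedtuple("OneToOne", "external internal")            # all ports/protocols
PortForward = namedtuple("PortForward", "external proto port internal internal_port")
LocalService = namedtuple("LocalService", "name bind proto port")  # daemon on pfSense

def resolve_inbound(dst_ip, proto, dport, forwards, one_to_ones, services):
    """Return (kind, target) describing where an inbound packet ends up."""
    for f in forwards:                     # a port forward is specific to one port
        if (f.external, f.proto, f.port) == (dst_ip, proto, dport):
            return ("port-forward", f"{f.internal}:{f.internal_port}")
    for m in one_to_ones:                  # 1:1 matches regardless of port: the trap
        if m.external == dst_ip:
            return ("1:1", f"{m.internal}:{dport}")
    for s in services:                     # only reached if nothing translated it
        if (s.bind, s.proto, s.port) == (dst_ip, proto, dport):
            return ("local", s.name)
    return ("none", None)

def shadowed_services(one_to_ones, services):
    """Audit: local listeners whose bind address is the external side of a 1:1 entry."""
    ext = {m.external: m.internal for m in one_to_ones}
    return [(s.name, s.bind, ext[s.bind]) for s in services if s.bind in ext]

def exposed_ports(one_to_one, probe_ports, proto="tcp"):
    """1:1 forwards every port: list which of `probe_ports` would reach the host
    (before firewall rules), illustrating the exposure johnpoz warns about."""
    return [p for p in probe_ports
            if resolve_inbound(one_to_one.external, proto, p, [], [one_to_one], [])[0] == "1:1"]

# Constructed sample mirroring the thread: the client log shows 185.125.107.50:1194
# as the OpenVPN endpoint and 192.168.0.255 is the UniFi Video host from the posts.
WAN_IP, UNIFI_VIDEO = "185.125.107.50", "192.168.0.255"
SERVICES = [LocalService("openvpn", WAN_IP, "udp", 1194)]
WRONG_NAT = [OneToOne(WAN_IP, UNIFI_VIDEO)]          # external side set to the WAN IP
FIXED_NAT = [OneToOne("203.0.113.20", UNIFI_VIDEO)]  # placeholder VIP, not the real one

if __name__ == "__main__":
    print(resolve_inbound(WAN_IP, "udp", 1194, [], WRONG_NAT, SERVICES))  # ('1:1', '192.168.0.255:1194')
    print(resolve_inbound(WAN_IP, "udp", 1194, [], FIXED_NAT, SERVICES))  # ('local', 'openvpn')
    print(shadowed_services(WRONG_NAT, SERVICES))
```

Running `shadowed_services` over the exported 1:1 table is the quick check that would have caught this before the TLS handshake timed out: any 1:1 entry whose external address is an interface address that a firewall daemon listens on is a misconfiguration.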
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.