Netgate Discussion Forum

    Cannot access administration when connected on VPN

    General pfSense Questions
    10 Posts 4 Posters 1.0k Views
    • Wastapi

      I cannot access the pfSense administration when I am connecting through VPN (OpenVPN).

      The pfSense administration is the ONLY interface I cannot access within the network; the other machines are accessible.

      Any clue? Thanks

      • Rico LAYER 8 Rebel Alliance

        Show your OpenVPN and Firewall Rules configuration (screenshots).

        -Rico

        • Gertjan @Rico

          And have a look at this video - 7 minutes and 49 seconds.

          Do exactly the same thing, and you have it working.

          Have a look at the other - older, but still valid and useful - OpenVPN videos from Netgate.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit: and where are the logs??

          • stephenw10 Netgate Administrator

            As I said in your other thread you only need routes and firewall rules to allow that.
            It appears you are routing all traffic over the tunnel so check the rules.

            The pfSense gui will listen on all IPs on the firewall. Can you reach it on any IP?

            Steve

            • Wastapi @Rico

              @rico, @stephenw10 @Gertjan !
              Thanks for your help. Here is a series of screenshots that might help you help me.
              You guys are amazing!!! :) :)

              https://www.dropbox.com/sh/zbcxeaujmmfo4xf/AADDmYE3XDL2uZdbG62Ihayfa?dl=0

              • stephenw10 Netgate Administrator

                What interfaces do you have in bridge0?

                You have assigned the server as an interface but still have a pass all rule on the openvpn group interface so the server specific rules are not actually passing anything.

                You have used the system alias 'OPENVPN_INTERFACE net' but you're using a TAP connection so the 'OPENVPN_INTERFACE' has no subnet. That alias is invalid there.

                Steve

                • Wastapi @stephenw10

                  Thanks @stephenw10

                  What interfaces do you have in bridge0?
                  I provided all screenshots to my configurations. I am not too sure what to answer to this.

                  You have assigned the server as an interface but still have a pass all rule on the openvpn group interface so the server specific rules are not actually passing anything.

                  I thought my * * rule was pretty open there. Maybe there is something I don't grasp from your remark.

                  You have used the system alias 'OPENVPN_INTERFACE net' but you're using a TAP connection so the 'OPENVPN_INTERFACE' has no subnet. That alias is invalid there.

                  Sorry, I am not too sure where you mean TAP was setup. So here again I am confused.

                  Thanks for the help again. Maybe, if you are interested and think you can help me, I am open to paid support from you after you check my setup? You can private message me if this is interesting.

                  Thanks

                  • stephenw10 Netgate Administrator @Wastapi

                    You have not shown which interfaces are in the bridge interface though.
                    Interfaces > Assignments > Bridges

                    If you pass traffic on the global openvpn tab and not the assigned interface you do not get reply-to tagged to states opened on it.

                    You have set up the OpenVPN server, in the server config, as TAP (Layer 2) mode. That means it is bridged to at least one local interface and does have an IP or subnet itself. Hence the system alias 'OPENVPN_INTERFACE net' is invalid.

                    Steve

                    • Wastapi @stephenw10

                      @stephenw10
                      I just added these images to my folder ( https://www.dropbox.com/sh/zbcxeaujmmfo4xf/AADDmYE3XDL2uZdbG62Ihayfa?dl=0 )

                      IMG_0486.JPG
                      IMG_0490.JPG
                      IMG_0489.JPG
                      IMG_0488.JPG
                      IMG_0487.JPG

                      You have assigned the server as an interface but still have a pass all rule on the openvpn group interface so the server specific rules are not actually passing anything.

                      You mean in my rules?! Sorry, it is not clear to me what I should do here. :/

                      You have used the system alias 'OPENVPN_INTERFACE net' but you're using a TAP connection so the 'OPENVPN_INTERFACE' has no subnet. That alias is invalid there.

                      You mean in the OpenVPN > Servers I should change a configuration for the device mode?

                      Thanks again.

                      • stephenw10 Netgate Administrator

                        Ok great I see that. That looks OK for a TAP connection.

                        Using TAP is generally far more complex though. The only reason to do so is if you need the OpenVPN clients to be in the same subnet as the local resources. If you don't need that just use TUN mode.

                        You should be passing the incoming connections on the assigned OpenVPN server tab, not the global OpenVPN tab.
                        So remove or disable the rules on OpenVPN. Add a pass all rule, using source any, on the 'OPENVPN_Interface' tab.

                        Steve

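The rule-ordering problem Steve describes (a pass-all rule on the global OpenVPN group tab matches first, so the rules on the assigned server interface never pass anything and its states are not tagged with reply-to) can be checked directly against the ruleset pf has loaded, which on pfSense is printed by `pfctl -sr`. The script below is an added example, not code from the thread or from Netgate: it feeds a constructed ruleset dump into a small awk check and reports whether the assigned interface's rules are shadowed by a preceding "quick" rule on the `openvpn` group. The interface name `ovpns1`, the tunnel address `10.0.8.1` and the reply-to form shown (what pfSense adds for an assigned interface that has a gateway, i.e. TUN mode) are assumptions; in TAP mode the assigned interface has no address of its own, which is why Steve flags the 'OPENVPN_INTERFACE net' alias.

```shell
#!/bin/sh
# Added example (not from the thread): detect a pass rule on the "openvpn"
# interface group that shadows the rules on the assigned OpenVPN server
# interface. pfSense loads group-tab rules before assigned-interface rules and
# every rule is "quick", so the first match wins. Names/addresses are assumed.

# Constructed `pfctl -sr` excerpt for the broken setup (not captured from the
# poster's firewall): group rule first, interface rule with reply-to second.
SHADOWED_RULESET='pass in quick on openvpn inet all flags S/SA keep state label "USER_RULE"
pass in quick on ovpns1 reply-to (ovpns1 10.0.8.1) inet from any to any flags S/SA keep state label "USER_RULE"
block drop in log quick inet all label "Default deny rule IPv4"'

# Constructed excerpt after applying the advice: no rule on the group tab,
# a pass-all rule on the assigned interface tab only.
FIXED_RULESET='pass in quick on ovpns1 reply-to (ovpns1 10.0.8.1) inet from any to any flags S/SA keep state label "USER_RULE"
block drop in log quick inet all label "Default deny rule IPv4"'

# shadowed_by_group RULESET IFACE
# Prints "shadowed" when a quick pass rule on the openvpn group appears
# before the first pass rule on IFACE, "ok" otherwise. Always exits 0 so it
# can be used under `set -e`; compare the printed word instead.
shadowed_by_group() {
    printf '%s\n' "$1" | awk -v iface="$2" '
        /^pass in quick on openvpn / { if (!seen_iface) group_first = 1 }
        $0 ~ ("^pass in quick on " iface " ") { seen_iface = 1 }
        END { print (group_first ? "shadowed" : "ok") }
    '
}

# iface_rules_without_reply_to RULESET IFACE
# Prints the pass rules on IFACE that carry no reply-to, i.e. states opened
# by them will not have their replies pinned back to the tunnel interface.
iface_rules_without_reply_to() {
    printf '%s\n' "$1" | awk -v iface="$2" '
        $0 ~ ("^pass in quick on " iface " ") && $0 !~ /reply-to/ { print }
    '
}

# Stand-alone run: on a live pfSense box replace the samples with
#   RULES=$(pfctl -sr); shadowed_by_group "$RULES" ovpns1
printf 'broken ruleset: %s\n' "$(shadowed_by_group "$SHADOWED_RULESET" ovpns1)"
printf 'fixed ruleset:  %s\n' "$(shadowed_by_group "$FIXED_RULESET" ovpns1)"
```

The first function answers the question Steve asks about where the pass rule lives; the second is useful once the group rule is gone, since a rule on the assigned tab that still shows no reply-to usually means the interface has no gateway, which is what happens with a bridged TAP server.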
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.