Cannot access administration when connected on VPN
-
I cannot access the pfSense administration when I am connecting through VPN (OpenVPN).
The pfSense administration is the ONLY interface I cannot access within the network; the other machines are accessible.
Any clue? Thanks
-
Show your OpenVPN and Firewall Rules configuration (screenshots).
-Rico
-
And have a look at this video - 7 minutes and 49 seconds.
Do exactly the same thing, and you have it working.
Have a look at the other - older, but still valid and useful - OpenVPN videos from Netgate.
-
As I said in your other thread you only need routes and firewall rules to allow that.
It appears you are routing all traffic over the tunnel so check the rules.
The pfSense GUI will listen on all IPs on the firewall. Can you reach it on any IP?
Steve
-
@rico, @stephenw10 @Gertjan !
Thanks for your help. Here is a series of screenshots that might help you help me.
You guys are amazing!!! :) :)
https://www.dropbox.com/sh/zbcxeaujmmfo4xf/AADDmYE3XDL2uZdbG62Ihayfa?dl=0
-
What interfaces do you have in bridge0?
You have assigned the server as an interface but still have a pass all rule on the openvpn group interface so the server specific rules are not actually passing anything.
You have used the system alias 'OPENVPN_INTERFACE net' but you're using a TAP connection so the 'OPENVPN_INTERFACE' has no subnet. That alias is invalid there.
Steve
-
Thanks @stephenw10
What interfaces do you have in bridge0?
I provided all screenshots of my configuration. I am not too sure what to answer to this.
You have assigned the server as an interface but still have a pass all rule on the openvpn group interface so the server specific rules are not actually passing anything.
I thought my * * rule was pretty open there. Maybe there is something I don't grasp from your remark
You have used the system alias 'OPENVPN_INTERFACE net' but you're using a TAP connection so the 'OPENVPN_INTERFACE' has no subnet. That alias is invalid there.
Sorry, I am not too sure where you mean TAP was setup. So here again I am confused.
Thanks for the help again. Maybe if you are interested and think you can help me, I am open to paid support from you after you check my setup. You can private message me if this is interesting.
Thanks
-
You have not shown which interfaces are in the bridge interface though.
Interfaces > Assignments > Bridges
If you pass traffic on the global openvpn tab and not the assigned interface you do not get reply-to tagged to states opened on it.
You have set up the OpenVPN server, in the server config, as TAP (Layer 2) mode. That means it is bridged to at least one local interface and does have an IP or subnet itself. Hence the system alias 'OPENVPN_INTERFACE net' is invalid.
Steve
-
@stephenw10
I just added these images to my folder ( https://www.dropbox.com/sh/zbcxeaujmmfo4xf/AADDmYE3XDL2uZdbG62Ihayfa?dl=0 )
IMG_0486.JPG
IMG_0490.JPG
IMG_0489.JPG
IMG_0488.JPG
IMG_0487.JPG
You have assigned the server as an interface but still have a pass all rule on the openvpn group interface so the server specific rules are not actually passing anything.
You mean in my rules?! Sorry, it is not clear to me what I should do here. :/
You have used the system alias 'OPENVPN_INTERFACE net' but you're using a TAP connection so the 'OPENVPN_INTERFACE' has no subnet. That alias is invalid there.
You mean in the OpenVPN > Servers I should change a configuration for the device mode?
Thanks again.
-
Ok great I see that. That looks OK for a TAP connection.
Using TAP is generally far more complex though. The only reason to do so is if you need the OpenVPN clients to be in the same subnet as the local resources. If you don't need that just use TUN mode.
You should be passing the incoming connections on the assigned openvpn server tab not the global openvpn tab.
So remove or disable the rules on OpenVPN. Add a pass all rule, using source any, on the 'OPENVPN_Interface' tab.
Steve