Netgate Discussion Forum
OpenVPN behind CGNAT with VPS for remote access

pfSense Packages
17 Posts 4 Posters 4.9k Views
    JimS
    last edited by Apr 14, 2022, 2:05 AM

    Trying to set up pfSense with OpenVPN using an Oracle VPS with an OpenVPN server. Want to be able to access my local network (have several simple web servers) from my phone. Have my phone connecting to the server and pfSense connecting to the server. But I am lost from there setting up rules, routes, etc. I want all LAN originated traffic to use the pfSense WAN port. Only use VPN for remote access to LAN. Limited networking knowledge so need a detailed step by step.

      bmeeks
      last edited by bmeeks Apr 14, 2022, 3:30 AM (posted Apr 14, 2022, 3:28 AM)

      If you truly have CGNAT, then you can't do this -- at least not in the conventional way with an OpenVPN server instance listening on your WAN. With CGNAT, there is no way for something out on the public Internet to "find" your WAN IP address given by your ISP. It would require a port forward be set up by your ISP that sends traffic on a specific port to your NAT IP on your WAN, but they don't do that (set up port forwards).

      This is the evil of CGNAT. You cannot access your firewall externally. The only way is for your firewall to initiate an outbound connection itself. So that would mean you have to use a service where a client on your firewall maintains an "always on and open" connection to an external web site, then when you want to connect you actually connect through that external site. These services require you to pay a subscription fee usually.

        Bob.Dig LAYER 8 @bmeeks
        last edited by Apr 14, 2022, 7:25 AM

        @bmeeks Unless your phone has IPv6 too, which is a given around my place.

          JimS @bmeeks
          last edited by Apr 14, 2022, 11:16 AM

          @bmeeks The firewall initiating an outbound connection is exactly what I am doing, and numerous sites indicate this is possible and quite doable without IPv6 (which my ISP doesn't support). I have set up an external site with Oracle which is free as long as I don't go beyond certain limits, which I don't think I will be doing. As I indicated, I am able to connect to the external site from my pfSense firewall and also from my phone when off the local network. But I am stuck at setting up routing or rules to direct the traffic.

          Jump server

          Free Oracle server

            bmeeks @Bob.Dig
            last edited by Apr 14, 2022, 12:25 PM

            @bob-dig said in OpenVPN behind CGNAT with VPS for remote access:

            @bmeeks Unless your phone has IPv6 too, which is a given around my place.

            Not so much a given in the U.S., unfortunately. It is becoming more common, though. I'm stuck behind CGNAT with no IPv6, and because of the CGNAT, tunnel brokers like Hurricane Electric don't work either.

              bmeeks @JimS
              last edited by Apr 14, 2022, 12:29 PM

              @jims said in OpenVPN behind CGNAT with VPS for remote access:

              @bmeeks The firewall initiating an outbound connection is exactly what I am doing, and numerous sites indicate this is possible and quite doable without IPv6 (which my ISP doesn't support). I have set up an external site with Oracle which is free as long as I don't go beyond certain limits, which I don't think I will be doing. As I indicated, I am able to connect to the external site from my pfSense firewall and also from my phone when off the local network. But I am stuck at setting up routing or rules to direct the traffic.

              Jump server

              Free Oracle server

              I must have misread your initial post. I thought you wanted to use the more typical setup where you register your public IP via a dynamic DNS vendor and use a VPN client on your remote device to connect directly to an OpenVPN server instance on your firewall.

              I would assume firewall client-based setups are highly client specific. Meaning each vendor of such services likely has a different requirement. I've never used that setup. I had the old conventional setup until my ISP switched over to CGNAT about 8 or 9 months ago.

                viragomann @JimS
                last edited by Apr 14, 2022, 1:09 PM

                @jims said in OpenVPN behind CGNAT with VPS for remote access:

                Trying to set up pfSense with OpenVPN using an Oracle VPS with an OpenVPN server.

                Is there pfSense running on the VPS as well?

                  JimS @viragomann
                  last edited by Apr 14, 2022, 3:27 PM

                  @viragomann VPS is not running pfSense. Just running an OpenVPN server.

                    viragomann @JimS
                    last edited by Apr 14, 2022, 4:32 PM

                    @jims
                    So you have to set up a site-to-site connection between your home pfSense and the VPS.
                    As I understood, you try to do both connections, to your home and from your phone, with a single OpenVPN server instance, right?

                    Do you also want to access the web servers from public IPs, or from your phone using the VPN only?

                      JimS @viragomann
                      last edited by Apr 14, 2022, 5:37 PM

                      @viragomann I have the OpenVPN app on my phone that can connect to the server. Need access from my phone and my wife's phone. And possibly other OpenVPN clients, but those two phones mainly. I have exported the ovpn files for these users and phones, and pfSense shows they connect to the server. But I have been unable to pass any traffic over the connections. So I think some config/settings within the server is the remaining piece.

                        viragomann @JimS
                        last edited by Apr 14, 2022, 5:45 PM

                        @jims said in OpenVPN behind CGNAT with VPS for remote access:

                        I have exported the ovpn files for these users and phones, and pfSense shows they connect to the server.

                        pfSense? You mentioned you're running only one pfSense at your home, which is behind a CGN. So you should not be able to connect directly to pfSense at all.

                          JimS @viragomann
                          last edited by Apr 14, 2022, 5:49 PM

                          @viragomann pfSense has an OpenVPN client package. I loaded it. It works to connect to the server after I loaded the client ovpn file from the server.

                            JimS @JimS
                            last edited by Apr 14, 2022, 5:53 PM

                            @jims Some additional setup is needed to get the remote access I am trying to accomplish. That's where I need some help. I have searched and read lots on that but am a bit lost in all of it.

                              viragomann @JimS
                              last edited by Apr 14, 2022, 6:04 PM

                              @jims
                              Since the server is not pfSense you might get better support in the OpenVPN forum.

                              At any rate you have to configure a client specific override on the server for the connection to pfSense, where you have to state the iroute command with your home LAN to set the proper routes on the server.
                              Search the web how to do this.

                              On your home pfSense assign an interface to the OpenVPN client instance and enable it (no IP settings!). So you get a firewall rule tab for this interface where you have to allow incoming traffic. Also ensure that there is no pass rule on the OpenVPN tab!
                              Instead of this you can also set a masquerading rule on the server for traffic going to your home.

                                JimS @viragomann
                                last edited by Apr 14, 2022, 6:23 PM

                                @viragomann Thanks! I understand the server settings are not related to pfSense and have asked for help with that on the OpenVPN forum. Some things that are pfSense issues/settings: when I have the VPN connected, my PC on the LAN port does not connect to the internet on the WAN port. With the VPN connection disabled, the connection from LAN to WAN works. I need to set up so all LAN originating traffic is passed to WAN and at the same time pass incoming VPN traffic to multiple addresses on the LAN.

                                  viragomann @JimS
                                  last edited by Apr 14, 2022, 6:29 PM

                                  @jims
                                  Possibly the traffic is directed to the VPN server?
                                  This could be the case, if the server is pushing the default route, which might not be desired on the phone as well anyway. So you should disable this on the server.

                                  In client settings you can avoid that it changes the routes by checking "Don't pull routes".

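To make viragomann's two points concrete (the client-specific override with iroute for the pfSense client, and not pushing a default route to any client), here is an added example of the VPS side, written for this thread rather than taken from it or from any poster. The tunnel network 10.8.0.0/24, the home LAN 192.168.1.0/24 and the certificate common name pfsense-home are assumed placeholders; substitute your own. The pfSense-side steps (assign an interface to the client instance, add pass rules there, keep the OpenVPN tab empty) are done in the pfSense GUI; the "Don't pull routes" checkbox on the pfSense client corresponds to OpenVPN's route-nopull option.

```conf
# ---- /etc/openvpn/server.conf on the VPS (constructed example) ----
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0          # tunnel network (assumed)
ifconfig-pool-persist ipp.txt

# Tell the VPS kernel that the home LAN is reachable through the tunnel,
# otherwise replies from the server side never enter tun0.
route 192.168.1.0 255.255.255.0        # home LAN behind pfSense (assumed)

# Per-client overrides live here; the file name must equal the CN of the
# certificate the pfSense client presents.
client-config-dir ccd

# Let packets from the phones be handed to the pfSense client inside OpenVPN
# instead of bouncing through the VPS kernel.
client-to-client

# Push ONLY the home LAN to every client. Deliberately no
#   push "redirect-gateway def1"
# because that would make pfSense (and the phones) send all traffic through
# the VPS, which is the symptom described earlier: LAN to WAN stops working
# as soon as the VPN comes up.
push "route 192.168.1.0 255.255.255.0"

keepalive 10 120
persist-key
persist-tun
verb 3

# ---- /etc/openvpn/ccd/pfsense-home  (client-specific override) ----
# OpenVPN needs to know WHICH connected client owns 192.168.1.0/24;
# the route statement above covers the kernel, iroute covers OpenVPN's
# internal routing table.
iroute 192.168.1.0 255.255.255.0
# Optional: fixed tunnel address for the pfSense client (subnet topology form)
ifconfig-push 10.8.0.2 255.255.255.0
```

The phones' profiles need nothing special: they receive the pushed route for the home LAN and keep their normal default route. With route-nopull enabled on the pfSense client, pfSense ignores pushed routes entirely, so the LAN-to-WAN default route on the firewall is untouched either way; the firewall rules on the assigned OpenVPN interface then decide which LAN hosts the phones may reach.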
                                    JimS @viragomann
                                    last edited by May 1, 2022, 1:42 AM

                                    @viragomann I tried selecting "Don't pull routes" on the client. Still no joy. I did get OpenVPN working so I can access my local machines when I am not on the local network, but can't get from LAN to WAN. There is a rule to pass traffic, but for some reason the logs show the traffic is blocked.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.