Simple VPN Server
-
@cool_corona said in Simple VPN Server:
Wouldn't you need to be on the same network and GW to do that?
You can't do it in the wild...on somebody else's internet connection.

The entire purpose of a VPN (and other encrypted protocols) is to protect against someone else being able to decode traffic intercepted between you and a peer.
You have no idea if you can trust every single hop between you and your VPN peer(s). Once the traffic leaves your premises any link and router is untrustable from a security standpoint. Routers could be hacked, redirected or inspected by state actors, data mined, etc. Good luck telling anyone that owns those links or hacks them "you can't do that".
If you aren't worried about someone intercepting your traffic then go back to using HTTP and telnet.
-
@bert-0
The issue here is the access from a remote client to the firewall. A tracert from inside your LAN is no proof that packets can reach your WAN interface from the internet.
-
@viragomann But, that's why I set up the client on two machines: One in the cloud for internet access and one from my local network to test without internet. Tracert on the cloud machine fails but I assumed that that was because the provider was dropping most ICMP traffic.
Bert
-
@bert-0 said in Simple VPN Server:
But, that's why I set up the client on two machines: One in the cloud for internet access and one from my local network to test without internet. Tracert on the cloud machine fails but I assumed that that was because the provider was dropping most ICMP traffic.
Much effort for someone who wants to set up a simple VPN server.
The access from an internal network might not have been respected by the wizard. If you're unsure that your cloud client is allowed to go out on the stated port, simply use a port checker on the internet, enter your WAN IP and OpenVPN port and trigger a check, while you sniff the traffic on your WAN.
If your VPN server is configured for UDP protocol, ignore the result of the port checker, since it might only send TCP packets.
-
That's the error you get when the client can't reach the server at all so it just times out. Or the server can not reply.
Where are you testing from? How is the client trying to connect? By IP address or FQDN?
When you use the client export utility it uses the interface address the server is running on by default. That means if the pfSense WAN is using a private IP right now, the imported client config will only be able to connect from something that can access it.
Steve
-
@viragomann Yeah, it is far more effort than I expected and it still isn't working. I did a port check and it said that 1194 is closed. I double checked the OpenVPN server to make sure that it was using the default port and it is.
Bert
-
@stephenw10 Now my comments are being flagged as spam...
-
Well, I guess if you poke something often enough, it will respond. VPN up and operating across the internet :-)
Bert
-
OpenVPN is UDP by default so port tests against it will fail.
I upvoted enough of your posts to get your 'rep' above 5. You should avoid the spam filter now.
Anyway, glad you're up and running.
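Two posts above make the same point: an online port checker typically only attempts a TCP connect, so it reports a UDP-only OpenVPN listener as "closed" even when the service is up. The script below is an added illustration, not code from this thread or from pfSense/OpenVPN. It starts a throwaway local UDP echo listener standing in for the VPN service (constructed for the demo; OpenVPN itself is not involved), then runs both kinds of check against it: a TCP connect, which is what a port checker does, and a single UDP datagram, which is the kind of probe you would actually want to see arriving on the WAN capture.

```python
import socket
import threading


def start_udp_echo(host="127.0.0.1"):
    """Start a stand-in UDP service on a random local port (constructed stand-in,
    not a real OpenVPN server). Returns the port number it is listening on."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))  # port 0 = let the OS pick a free port
    port = sock.getsockname()[1]

    def serve_one():
        # Answer exactly one datagram, then close.
        try:
            data, addr = sock.recvfrom(1024)
            sock.sendto(b"ack:" + data, addr)
        finally:
            sock.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


def tcp_port_open(host, port, timeout=1.0):
    """What a typical online 'port checker' does: a plain TCP connect.
    Against a UDP-only listener this returns False ('closed')."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except (ConnectionRefusedError, socket.timeout, OSError):
            return False


def udp_probe(host, port, payload=b"probe", timeout=1.0):
    """Send one UDP datagram and wait for a reply.
    Returns the reply bytes, or None when nothing comes back. Note that
    silence is NOT proof the port is closed: a real OpenVPN server with
    tls-auth/tls-crypt will simply drop a datagram it cannot authenticate,
    so the only reliable check is watching the packet arrive on the WAN."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (host, port))
        try:
            data, _ = s.recvfrom(1024)
            return data
        except (socket.timeout, ConnectionRefusedError):
            # ConnectionRefusedError = ICMP port unreachable came back,
            # which a firewall in front of the service would normally suppress.
            return None


def demo():
    """Run both checks against the stand-in service and return the results."""
    port = start_udp_echo()
    return {
        "port": port,
        "tcp_checker_says_open": tcp_port_open("127.0.0.1", port),
        "udp_reply": udp_probe("127.0.0.1", port),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the TCP check reporting the port closed while the UDP datagram is answered: the same service, two different verdicts depending on the transport the checker uses. In practice, send the UDP probe from the cloud client while capturing on the WAN interface; the capture, not the checker's verdict, tells you whether the packet made it through.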