OpenVPN on PFSense

TravelMore

Hello, I am trying to setup OpenVPN on my PFsense box and need some help. I have followed a few guides listed below and then i went to test connecting from my cell phone (made sure it was on mobile data) and I cant connect.

I've specifically followed these guides below for setting up OpenVPN:
https://www.wundertech.net/how-to-set-up-openvpn-on-pfsense/
https://turbofuture.com/computers/How-to-Setup-a-Remote-Access-VPN-Using-pfSense-and-OpenVPN

I have a pihole that is my DNS.

In the open VPN server settings:
In tunnels settings, IPv4 Tunnel Network i just put the normal 1xx.1xx.0.200/24.
then for local put 1xx.1xx.100.0/24. (TBH i am not good at the whole subnet range things so i just tried to follow suite with what the guides shared. I think this part is setup correctly)

The issue when connecting from my phone is I realized the OpenVPN service doesn't start so then i start it and try again. Long story short I found this article (below) that helps a little.
The issue is when i changed the verbose setting to 11, nothing changed with that it would still give me the original error they showed at the beginning, no matter what number i changed the verbose setting to.

Guide on error:
https://forum.netgate.com/topic/164784/openvpn-service-won-t-start-error-1-mobile-clients-can-t-connect

I have not tried connecting from a PC on a different network so I am unsure if this issue is just tied to mobile or if its an issue all around.

Side note, i don't know if this matters or not BUT I recall this was recommended to me by a friend if i ever decide to setup a VPN in PFsense: turn on AES-NI CPU Crypto: Yes (inactive)
I don't know where that setting is or honestly what it does.

Any help is appreciated.

viragomann

@travelmore said in OpenVPN on PFSense:

In tunnels settings, IPv4 Tunnel Network i just put the normal 1xx.1xx.0.200/24.

Looks like a public address range. You should rather use a private network for the tunnel.

nothing changed with that it would still give me the original error they showed at the beginning

Where?

Not clear, what's the issue.
If the server goes down or even doesn't start there should be some hints in the OpenVPN or system log.

Side note, i don't know if this matters or not BUT I recall this was recommended to me by a friend if i ever decide to setup a VPN in PFsense: turn on AES-NI CPU Crypto: Yes (inactive)
I don't know where that setting is or honestly what it does.

You can enable it in System > Advanced > Miscellaneous, but should be enabled by default and as far as I know, OpenVPN uses it anyway if it's supported by the hardware.

Jarhead

@travelmore said in OpenVPN on PFSense:

In the open VPN server settings:
In tunnels settings, IPv4 Tunnel Network i just put the normal 1xx.1xx.0.200/24.
then for local put 1xx.1xx.100.0/24. (TBH i am not good at the whole subnet range things so i just tried to follow suite with what the guides shared. I think this part is setup correctly)

I'm guessing that's 192.168.0.200/24, is that what you mean?
There's no reason the 'x' that out as it's a private address.
And no, it's not set up correctly. That's not a valid network address.
The other I'm guessing is 192.168.100.0/24? Valid but is that your actual LAN address?

Post images of the OpenVPN config.

TravelMore

@viragomann Thank you for replying. I appreciate your help. Hopefully, these answers help.

I did change the IPV4 Tunnel Network from 192.1xx.x.xx to 10.0.0.0/24
and i redownloaded the config file (because i would assume you would need a new confige file if you are making these types of changes).

Here is a pic of the client export utility.

Here is a pic of the tunnel settings. As mentioned above the change i made is reflected in the pic below. From what I recall the IPv4 is supposed to be your local network. That is what i think mine would fall under as everything is on a 192.168.0.x ip.

TravelMore

@jarhead Thank you. Pics posted in my last post. if you need more let me know. I am never sure what IP addresses to blur out or not. I've been informed its not the best to put your IPs online.
PFsense shows my LAN is a 192.168.0.x IP so i'd assume the 192.168.0.100 is valid for the tunnel settings for IPV4local network.

Jarhead

@travelmore The hostname in the client config needs to be your WAN address.

Your local address would be 192.168.0.0/24, not 192.168.0.100/24.

Google rfc1918. Those addresses never need to be redacted.

viragomann

@travelmore
That makes no sense at all.

Your LAN is 192.168.0.0/24.

You configured your client to connect to 192.168.0.x. So to a LAN IP.
But you mentioned you tried to connect from your phone from the internet.

BTW: the LAN network and the tunnel must not overlap.

TravelMore

@jarhead Thank you. I appreciate it. I am not too familar w/networking and subnets etc., I am learning as I go. I will make these changes and let you know what I see.

TravelMore

@viragomann Thank you for the info! It is appreciated.

TravelMore

I have made the following changes:

I am assuming I need to do a new config file to my phone when I make these setting changes, right?

tried connecting now with a new config file. It still seems to be doing the same thing.

Jarhead

@travelmore Did you change the hostname in the client export?

viragomann

@travelmore said in OpenVPN on PFSense:

I am assuming I need to do a new config file to my phone when I make these setting changes, right?

Yes, the client has to connect to the public address if from outside.
You have to state this into the "Host Name" box in the client export utility.

You can as well edit the clients config if possible and replace the IP in the remote line.

However, is your pfSense WAN IP a public one? Or is there a router in front of it?

Is your public IP static?

Is pfSense the default gateway in your network?

TravelMore

@jarhead No i did not that is set to other

The options i have in the drop-down for that host name resolution is:
Interface IP Address
Automagic multi-wan IPs
Automagic multi-wan DDNS
Installation hostname

TravelMore

@viragomann The host name box in client export utility is set to other (post above i believe shows this info and pic).

As far as editing the config file, the IP that is in the remote line is the IP for my pihole.

My WAN IP on my pf sense is a 72.x.x.x IP. I do not know if this IP actually ever changes. I just know its always a 72.x IP.

My LAN is a 192.x.x.x it is a static ip.

I did check and see the OpenVPN service is running now which is an improvement from previously.

I believe i have everything going to my pihole, as PF Sense shows DNS server is 1st IP my pihole, 2nd is cloudflare IP. In cmd prompt default gateway shows the IP of my Pfsense box.
So to answer your question about 'is pfsense the default gateway in your network...i think yes is the answer. sry, still learning how all these interact.

viragomann

@travelmore said in OpenVPN on PFSense:

My WAN IP on my pf sense is a 72.x.x.x IP. I do not know if this IP actually ever changes. I just know its always a 72.x IP.

So you should have your server set to listen on this WAN IP.
Then in the Client export utility set the "Host Name Resolution" to "interface address". So it put the public IP automatically into the remote line.

However, you have to make the change on the client. So either you can edit the config there or export a new config from pfSense and import it on the client.

TravelMore

@viragomann Thank you for your help. I appreciate it.
Okay, before i make those changes, I just noticed something that I don't know will change your answer above. The pic below. the gateway WAN is a 72.241.xxx.1 and the WAN in the interface is a 72.241.xxx.x <--this is the IP idk if it ever changes. I would assume the WAN gateway never changes but when i do a cmd prompt i show the default gateway as my pfsense IP as a 192.x.x.x

So what I am unsure of is, when you say, So you should have your server set to listen on this WAN IP.......where specifically do i put this WAN IP?
(in tunnel settings ipv4, ipv4 local network or client export host name)

viragomann

@travelmore said in OpenVPN on PFSense:

I would assume the WAN gateway never changes

You WAN IP is given by a DHCP server. It might change, but not necessarily. It's on your ISP.

If it should ever, you can subscript to a dynDNS service and use the host name for connecting.

but when i do a cmd prompt i show the default gateway as my pfsense IP as a 192.x.x.x

On a LAN device, I guess. This should show the pfSense LAN IP as gateway.

< So what I am unsure of is, when you say, So you should have your server set to listen on this WAN IP.......where specifically do i put this WAN IP?

In the server settings at interface. pfSense should provide a drop-down, from where you can select your WAN DHCP IP.

Jarhead

@travelmore In the Client export, change Host Name Resolution to Interface IP address, then export a new client config and use it on your client.

TravelMore

@viragomann This is what is already set in Server setting. I didn't make any change to it just looked and saw that was set.

These are the tunnel settings ips currently, I believe these are correct. Please verify.

This is the client export host name ip

I have just now done as @Jarhead stated and changing the hostname res. to interface IP address (below) and exporting a new client config.

I will let you guys know if i can connect.

Jarhead

@travelmore said in OpenVPN on PFSense:

I will let you guys know if i can connect.

I think we both know you will now.