OpenVPN doesn't work without Any/Any rule
I'm currently testing using pfsense as an openvpn server.. it works great (awesome in fact) as long as I have an any/any rule on the openvpn interface.
For obvious reasons I cannot leave that rule in place.. I need some help to create a rule that will work in it's place.. attached is a screenshot of my rules
OpenVPN uses per default UDP and not TCP.
I changed mine to use TCP.. should I try it with UDP?
No luck with UDP either.. is this because I have a multi wan setup?
Well, are you trying to connect to the OPT?
Can you please give the complete information to your setup and what you're trying to do?
OpenVPN server is configured to accept connections on TCP port 1194.
I would like clients to connect (from home, hotels, etc) to openvpn on the opt1 interface which is a public IP.
It is working wonderfully aside from the fact that I need to have a rule that allows all traffic to the opt1 interface address.. I would love to be able to lock this rule down but whenever I try and restrict the source then the openvpn client will not connect!
what do other people's openvpn rules look like?
If you want to connect to the OPT1 you need to add the line "local IP_of_OPT" to the "custom option" of the OpenVPN server
opt1 is a wan interface.. i doubt everyone who runs openvpn has to have an any/any rule on their wan interface???
No you dont need/want an any-any rule.
You only need a single rule, allowing access to the OpenVPN server.
But you also need this line in the custom config that you can connect to the server.
I assume, since you could access the server with the any-any rule, that you essentially connected to the primary WAN over the OPT.
Thats the only way i can think of that it worked.
Otherwise you should not have been able to connect at all.
I dont think i'll have time to try anything today.. but i'll give that a shot over the weekend!