Trouble passing traffic to OpenVPN server on digitalocean
-
I'm trying to set up an interface as a client to my cloud-hosted OpenVPN server on DigitalOcean, but I'm having trouble passing traffic, and I'm not sure what's going wrong. It was built using their tutorial here, and I use it to network a bunch of my devices and servers on DO and around the house.
I went through and set the pfSense OpenVPN settings as close as I could to the settings in my .ovpn, and it must be close, because when I enable the interface I get an "Initialization Sequence Completed" in the logs, and Status > OpenVPN > Client Instance Statistics appears to be connected to my remote host IP with a green check, but only 16 KiB sent and received. It acquires an address, but I can't ping it from another device on that network.
Would someone please help diagnose and correct this?
This is the content of my .ovpn:
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3
key-direction 1
-
@shadow_saunter
Some more details would be helpful. The client is your home pfSense, I guess?
What OS is the server running on? Are you already using the VPN successfully with other clients?
Can you ping the server's virtual IP, LAN IP?
Can you ping other devices on the server side? Are there firewall rules on both sites to allow access?
Does the client log show that the routes are added properly?
-
@viragomann said in Trouble passing traffic to OpenVPN server on digitalocean:
@shadow_saunter
Some more details would be helpful. The client is your home pfSense, I guess?
What OS is the server running on? Are you already using the VPN successfully with other clients?
Can you ping the server's virtual IP, LAN IP?
Can you ping other devices on the server side? Are there firewall rules on both sites to allow access?
Does the client log show that the routes are added properly?
- The client is your home pfSense, I guess?
What OS is the server running on?
Yes, this is my homelab, and this is a learning project. It's a bare-metal install on a Protectli device (my next will be Netgate), so it's running on BSD. I'm not a professional, just a tech guy that wants to secure my home network and have fun with VLANs and stuff.
- Are you already using the VPN successfully with other clients?
Yes, the VPN has been running for a few years. I tore it down and re-rolled it on Debian 11 a few weeks ago, and it runs with no issues. I generate a fresh client config for each connection, and the .ovpn for this one is client7.
- Does the client log show that the routes are added properly?
Yes, the client log would be in pfSense, and I see an "initialization sequence complete", and the interface negotiated an IP on the VPN, 10.8.0.34 on a /24.
- Can you ping the servers virtual IP, LAN IP?
Can you ping other devices on the server side?
Are there firewall rules on both sites to allow access?
-
This is where I'm at a loss: 10.8.0.1 doesn't answer when I try to ping it from pfSense.
-
pfSense doesn't answer when I ping 10.8.0.34 from my phone on the VPN (other devices do).
-
The interface is named PRIVATE_VPN.
The only rule I have made so far is <screenshot coming>:
Source: PRIVATE_VPN
Port: *
Dest: *
Dest Port: *
I also wrote a rule each blocking all traffic from my LAN interface and all traffic from my IoT VLAN.
What do you mean by both sites? I use 1194/UDP, and I allow that on the VPN server using an iptables rule set that loads at boot.
Do I need a rule on the pfSense WAN?
What does the fact that it negotiated an address tell me? I think it means that it reached my VPN server on 1194, and the server used 67 or 68 for DHCP and was successful.
-
@shadow_saunter said in Trouble passing traffic to OpenVPN server on digitalocean:
Does the client log show that the routes are added properly?
Yes, the client log would be in pfSense, and I see an "initialization sequence complete", and the interface negotiated an IP on the VPN, 10.8.0.34 on a /24.
"Sequence complete" does not necessarily mean that the routes are added properly. What's more interesting is what appears above that line.
Maybe you could post the log.
But since your interface is showing an IP, at least the tunnel subnet will be assigned correctly, and you should be able to ping the server IP if it is allowed.
Can you ping the server's virtual IP, LAN IP?
Can you ping other devices on the server side?
Are there firewall rules on both sites to allow access?
This is where I'm at a loss: 10.8.0.1 doesn't answer when I try to ping it from pfSense.
Can you ping it from another VPN-connected device?
pfSense doesn't answer when I ping 10.8.0.34 from my phone on the VPN (other devices do).
That's not a good indicator for a working VPN.
This would require that client-to-client communication is enabled on the server, which it isn't by default. It also requires that access on the source device is permitted.
For testing, you can try to ping pfSense from the server while you run a packet capture on pfSense on OpenVPN to see if packets are transmitted.
The only rule I have made so far is <screenshot coming>:
Source: PRIVATE_VPN
Port: *
Dest: *
Dest Port: *
Consider that this rule only allows access from inside the VPN tunnel network.
What do you mean by both sites? I use 1194/UDP, and I allow that on the VPN server using an iptables rule set that loads at boot.
I can imagine that the server also needs a rule on the OpenVPN interface to allow access.
But if other devices are able to access the server and other remote devices, it should also work from pfSense itself.
Do I need a rule on the pfSense WAN?
No.
What does the fact that it negotiated an address tell me? I think it means that it reached my VPN server on 1194, and the server used 67 or 68 for DHCP and was successful.
Yes, you reach the VPN server, but there is no DHCP protocol on OpenVPN. So it doesn't indicate that IP is working.
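As an added example (not from the thread or from pfSense/OpenVPN), a small checker that does what the reply above suggests: instead of trusting "Initialization Sequence Completed", it reads the lines above it for the PUSH_REPLY (where the address comes from, since there is no DHCP), the route commands that were actually executed, and any error in between. The sample log is constructed to resemble OpenVPN verb 3 client output on pfSense; the interface name ovpnc1, the timestamps and the pushed options are assumptions.

```python
import re

# Constructed sample log (not from the thread): what a pfSense OpenVPN client
# at verb 3 roughly prints above "Initialization Sequence Completed". Note the
# "completed" line appears even though a route add failed.
SAMPLE_LOG = """\
2023-05-01 12:00:01 PUSH: Received control message: 'PUSH_REPLY,route 10.10.0.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.34 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2023-05-01 12:00:01 TUN/TAP device ovpnc1 opened
2023-05-01 12:00:01 /sbin/ifconfig ovpnc1 10.8.0.34/24 mtu 1500 up
2023-05-01 12:00:01 /sbin/route add -net 10.10.0.0 10.8.0.1 255.255.255.0
2023-05-01 12:00:01 ERROR: FreeBSD route add command failed: external program exited with error status: 1
2023-05-01 12:00:01 Initialization Sequence Completed
"""

PUSH_RE = re.compile(r"PUSH_REPLY,(.*)'")
ROUTE_ADD_RE = re.compile(r"/sbin/route add -net (\S+) (\S+) (\S+)")

def check_client_log(text):
    """Summarise the tunnel setup: pushed options, executed routes, errors."""
    result = {"assigned_ip": None, "netmask": None, "gateway": None,
              "pushed_routes": [], "routes_added": [], "errors": [],
              "completed": False}
    for line in text.splitlines():
        m = PUSH_RE.search(line)
        if m:
            # PUSH_REPLY is a comma-separated list of server-pushed options
            for opt in m.group(1).split(","):
                words = opt.split()
                if words[0] == "ifconfig":          # tunnel address, not DHCP
                    result["assigned_ip"], result["netmask"] = words[1], words[2]
                elif words[0] == "route-gateway":
                    result["gateway"] = words[1]
                elif words[0] == "route":
                    result["pushed_routes"].append((words[1], words[2]))
        m = ROUTE_ADD_RE.search(line)
        if m:                                       # route command really run
            result["routes_added"].append((m.group(1), m.group(3)))
        if "ERROR" in line or "WARNING" in line:
            result["errors"].append(line.split(maxsplit=2)[2])
        if "Initialization Sequence Completed" in line:
            result["completed"] = True
    # Routes are only "properly added" if every pushed route was executed
    # and nothing above the completion line reported an error.
    result["routes_ok"] = (set(result["pushed_routes"]) <= set(result["routes_added"])
                           and not result["errors"])
    return result

if __name__ == "__main__":
    for key, value in check_client_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, `completed` is True but `routes_ok` is False, which is exactly the gap between "sequence complete" and working routing that the reply points out.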