OpenVPN server *behind* pfSense firewall - cannot reach Internet
-
Greetings all.
I have just installed the latest pfSense firewall (2.6.0-release) onto a VM in my home network, and it is working 99.999% perfectly - the installation has been essentially turnkey, with one frustrating exception I've not been able to solve.
I host an OpenVPN server box (in my private network, NOT the OpenVPN within pfSense) that a friend of mine connects to remotely. I had configured my prior firewall in that setup such that his connection worked perfectly for years. I (thought I'd) simply copied the forwarding and NAT rules from that firewall setup to pfSense, but I'm still missing something.
When he connects to his box via SSH (no OpenVPN component yet), he can connect with no problem. Everything works as expected. But after he initiates the OpenVPN connection and is assigned a 10.8.xxx address back from his OpenVPN box, he cannot route anywhere. He cannot get out of the OpenVPN-assigned network. I see no conspicuous rejections in the firewall logs.
I have to assume there is an additional, more restrictive/protective rule kicking in within the pfSense firewall that I'm simply not recognizing. My initial, likely naive thought is that if the OpenVPN server has given him an address and created his tunnel, my pfSense box necessarily can't see anything going on inside that tunnel, so it wouldn't be able to affect it. Obviously that inference is incorrect.
If someone could give me a push in the right direction, I'd be most appreciative. Bottom line: conventional connection via SSH to his box works, and he has Internet connectivity. Once he gets an OpenVPN IP/network defined, Internet connectivity is gone. I'm just not sure where to look within pfSense for the rule(s) that are blocking it.
Thanks,
-David
-
@soonerdave said in OpenVPN server *behind* pfSense firewall - cannot reach Internet:
I'm just not sure where to look within pfSense for the rule(s) that are blocking it
Who says there is anything blocking it... If a remote client connects to a VPN server, unless you tell the client to use that VPN for all connections, i.e. the Internet, it would just use the VPN to get to IPs that the VPN says to route to.
This is set in the OpenVPN server as "Redirect IPv4 Gateway" or could be set on the client, etc. But if this is not set then the remote client would only send traffic down the VPN that it has a route for.
A simple test you could do is, from the remote VPN client, a traceroute to say 8.8.8.8. Do you see it go down the tunnel?
-
I infer pfSense is blocking it because this exact same setup (remote client and backend server on my home network) was working perfectly before the firewall change. Literally the only variable is the firewall. Same network, same subnets, etc. If the configuration problem exists on the client or server, it would have been a problem before, but it wasn't.
I am making a further inference that there is an additional default firewall or NAT rule that is in place that I'm just not recognizing. I can't access the VPN box or his client, so there aren't any OpenVPN settings I can change that would be of relevance.
Just to reiterate, this is not the OpenVPN component of pfSense, but a separate OpenVPN server hosted behind pfSense on my network.
I hope that clears up any possible confusion. I appreciate the input.
-
@soonerdave Well, if the OpenVPN box was not NATting the tunnel network then pfSense would not allow that traffic, but you would see that in the default deny log.
-
@soonerdave said in OpenVPN server *behind* pfSense firewall - cannot reach Internet:
I host an OpenVPN server box (in my private network, NOT the OpenVPN within pfSense) that a friend of mine connects to remotely.
Such a setup needs one of the following:
- a segregated transit network between the VPN box and pfSense
- a masquerading rule on the VPN box, or
- a static route on any of your local devices he should be able to access.
Did you configure any of these?
In your case, I think, masquerading on the box would be the best / easiest solution, as there is obviously only one client connecting to the VPN.
For Internet access over the VPN, you also need an outbound NAT rule on pfSense for the VPN tunnel network if you don't masquerade the traffic on the box.
-
@viragomann said in OpenVPN server *behind* pfSense firewall - cannot reach Internet:
@soonerdave said in OpenVPN server *behind* pfSense firewall - cannot reach Internet:
I host an OpenVPN server box (in my private network, NOT the OpenVPN within pfSense) that a friend of mine connects to remotely.
Such a setup needs one of the following:
- a segregated transit network between the VPN box and pfSense
- a masquerading rule on the VPN box, or
- a static route on any of your local devices he should be able to access.
Did you configure any of these?
In your case, I think, masquerading on the box would be the best / easiest solution, as there is obviously only one client connecting to the VPN.
For Internet access over the VPN, you also need an outbound NAT rule on pfSense for the VPN tunnel network if you don't masquerade the traffic on the box.
The masquerading rule rings a bell as something I had to do the last time I had to make some changes to this setup eons ago. Obviously this isn't something I do every day.
Let me try to retrieve some notes on this and see if that helps me track down what I've done wrong. Thanks.
-
I found the firewall script I had running on the old system where this setup was working (and had been for some time). It definitely has some custom masquerade rules, so I've just got to figure out the right way to convert them into pfSense.
Will advise.
-
@soonerdave
The masquerading should be done on the VPN box.
This means it translates the source IP in packets which are going into your network into its local IP.
-
@viragomann Right or wrong, that's not how it was done before. It was done in my firewall.
-
@soonerdave
I've no idea how you can solve this only on the router. I mentioned the options I know above.
But if you have it, come back and let us know, please.
-
@viragomann Oh, believe me, I feel totally stupid for not having done a more comprehensive job of documenting the previous, working firewall setup. I documented only the ports I forwarded, but not the masquerade rules. Totally dummy on me.
-
@viragomann SOLVED!! And props to you for nailing the problem.
My cohort who actually uses the box messaged me this morning and told me he had to fix the NAT on his box with the new IP it had been assigned. I have never set up an OpenVPN device for my own purposes, so I wasn't aware there was local NATting going on. I just made sure the firewall was opened up as needed, which is why I assumed I'd done something wrong on my side when I moved the setup to pfSense. Had I preserved his IP none of this would have happened. I've learned something new, and that's a good thing.
Problem completely solved and THANKS to everyone here who took the time to reply and help!!
-
@soonerdave said in OpenVPN server *behind* pfSense firewall - cannot reach Internet:
told me he had to fix the NAT on his box with the new IP it had been assigned.
You wrote above that nothing was changed in your network except the new firewall. If the box has a NAT masquerading rule, it will have an IP stated for this, since it might not have a variable for the interface IP like pfSense does.
You should have mentioned that you have created a new subnet.
-
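The two failure modes discussed in this thread, a tunnel network with no source NAT at all (so pfSense sees packets from 10.8.x.x that it has no rule or route for) and a NAT rule with a hard-coded source address that went stale when the box got a new LAN IP, can both be caught by auditing the box's `iptables-save` output. The script below is an added example, not code from the thread or from any of its participants; it runs against a constructed rule dump and does not touch a live firewall. The LAN interface `eth0`, the addresses `192.168.1.50`/`192.168.1.60` and the `/24` tunnel prefix are assumptions, and the checks assume the Linux `iptables` rule syntax (`-j SNAT --to-source` embeds a fixed address, `-j MASQUERADE` follows the outgoing interface's current address).

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables nat-table dump for the
# two problems described above. Samples are constructed; no rules are applied.

# Constructed `iptables-save -t nat` output from a hypothetical VPN box whose
# LAN address was 192.168.1.50 when the rule was written.
SAMPLE_SNAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.50
COMMIT'

# Constructed dump of a box with no source NAT for the tunnel network at all.
SAMPLE_NONAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# has_tunnel_nat DUMP TUNNEL_NET -> "yes" if POSTROUTING rewrites the tunnel
# network's source address with SNAT or MASQUERADE, "no" otherwise.
has_tunnel_nat() {
    if printf '%s\n' "$1" | grep -qE -- "-A POSTROUTING -s $2 .*-j (SNAT|MASQUERADE)"; then
        printf 'yes'
    else
        printf 'no'
    fi
}

# find_snat_sources DUMP -> one line per --to-source address found in SNAT rules.
find_snat_sources() {
    printf '%s\n' "$1" | awk '/-j SNAT/ {
        for (i = 1; i <= NF; i++) if ($i == "--to-source") print $(i + 1)
    }'
}

# check_snat DUMP CURRENT_LAN_IP -> "ok" when every hard-coded SNAT address
# matches the interface's current address, "stale:<addr>" when one does not.
# This is the mismatch that appeared when the box was given a new LAN IP.
check_snat() {
    dump="$1"; current="$2"; result="ok"
    for src in $(find_snat_sources "$dump"); do
        [ "$src" = "$current" ] || result="stale:$src"
    done
    printf '%s' "$result"
}

# masquerade_rule TUNNEL_NET IFACE -> replacement rule that embeds no address,
# so a later change of the box's LAN IP cannot break the tunnel's NAT.
masquerade_rule() {
    printf -- '-A POSTROUTING -s %s -o %s -j MASQUERADE' "$1" "$2"
}

# Stand-alone run: report on both constructed dumps.
echo "nat present (snat dump):  $(has_tunnel_nat "$SAMPLE_SNAT" 10.8.0.0/24)"
echo "nat present (nonat dump): $(has_tunnel_nat "$SAMPLE_NONAT" 10.8.0.0/24)"
echo "snat vs 192.168.1.50:     $(check_snat "$SAMPLE_SNAT" 192.168.1.50)"
echo "snat vs 192.168.1.60:     $(check_snat "$SAMPLE_SNAT" 192.168.1.60)"
echo "suggested rule:           $(masquerade_rule 10.8.0.0/24 eth0)"
```

On a real box the dump would come from `iptables-save -t nat` and the current address from `ip -4 addr show eth0`; a `stale:` result means reply traffic is being sent to an address the box no longer owns, which is exactly the symptom the thread describes, with nothing logged as a block on pfSense.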
@viragomann I didn't create a new subnet. His box was assigned a new IP from the same subnet that was recreated in my new server setup. If I had maintained the same IP on the new server, I have a sneaking suspicion we'd have had no problem at all.
-
@soonerdave said in OpenVPN server *behind* pfSense firewall - cannot reach Internet:
His box was assigned a new IP from the same subnet that was recreated in my new server setup
From DHCP?
If so, you should set a static mapping for his MAC.
-
@viragomann That was one of the first things I did when I rebuilt the network (static assignment). It wasn't DHCP, I just assigned it from a new block of addresses I'd reserved for a few devices. It just didn't remotely occur to me there would be dependencies on that IP within that client box. That just goes back to my lack of familiarity with the internals of the OpenVPN server box he is using. Hey, at least I learned something.....