Troubleshooting OpenVPN?
-
@jims
Anyway, since you can connect to one server from the phone, it should as well get to the others from the point of routes.
One of my questions is how to set up wireshark or other to sniff the traffic
In pfSense go to Diagnostic > Packet Capture.
Select to VPN interface and capture the traffic, while you try to access the hosts from the phone over the VPN.
You should see both here, the one you can reach and also packets to the others. If so change to the internal interface (e.g. LAN) and sniff the traffic again.
-
@viragomann Much thanks for that suggestion - I wasn't familiar with the built in capture functions. I captured VPN port for both and also the LAN port for both. Restricted the capture to the IP of the local nodes to eliminate other traffic. I need to compare them but the LAN on the nonworking node is quite different and only consists of multiple lines of:
17:50:39.727926 ARP, Request who-has 192.168.1.210 tell 192.168.1.230, length 46
230 is the proper address.
-
@jims 210 was a device that was taken off the network but the node was still trying to communicate with it. There is no LAN activity for the node that isn't working. I was thinking I could look at the files with notepad++ but it looks like I need to load wireshark.
-
@jims said in Troubleshooting OpenVPN?:
I captured VPN port for both and also the LAN port for both.
What does "for both" mean? As I understood your setup, you have a local pfSense connected to an OpenVPN server and some devices on LAN. From another VPN client you can reach one LAN device, but not others. Is it like that?
If so there is only one VPN and one LAN interface, where you can sniff the traffic.
I need to compare them but the LAN on the nonworking node is quite different and only consists of multiple lines of:
17:50:39.727926 ARP, Request who-has 192.168.1.210 tell 192.168.1.230, length 46
This is only some layer 2 traffic, one device requesting the MAC of another one.
You're looking for layer 3 traffic from the VPN client.
Use a rarely used port or ping for investigating. When using ping, disable gateway monitoring while testing on the VPN interface in case you have enabled it, to avoid the dpinger noise.
Then set the filters in the packet capture accordingly, in case of ping select only the ICMP protocol and run the capture, while you ping the local devices from the VPN client.
-
@viragomann "Both" is attempted connection to a working and non-working device. (Both work when phone is connected directly to local network). So I had 4 captures:
WAN with working and nonworking node
LAN with working and nonworking node
In each case I tried to open a web page on a server on the device.
Loaded a ping app on the phone.
For the working connection I see ping request and response on both the VPN connection and LAN.
For the non-working connection I see only ping request and no response on both VPN and LAN.
I checked the gateway address on both PCs and they look good and are the same. I also checked that both machines respond to pings when the phone is on the local network - they do.
-
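The comparison described in the two posts above (ping from the VPN client, capture on the OpenVPN interface and on LAN, then see where the echo exchange stops) can be automated once the captures are saved as text. The following is an added example, not code from the thread or from pfSense; it assumes tcpdump's default text output (which is what the pfSense Packet Capture page shows), a VPN client address of 10.0.8.2 and two LAN hosts 192.168.1.17 and 192.168.1.18, all of which are constructed sample values. It also generalizes slightly beyond the thread by distinguishing "request never forwarded to LAN" (a pfSense rule, route or NAT problem) from "request reached LAN but no reply" (the host itself, typically its firewall), which is the distinction that decides where to look next.

```python
import re
from collections import defaultdict

# Regexes for tcpdump's default text output (pfSense's Packet Capture page
# shows the same format). All sample lines below are constructed for this example.
ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)
ARP_RE = re.compile(r"^\S+ ARP, ")


def parse_capture(text):
    """Split a text capture into ICMP echo packets and a count of ARP lines.

    ARP is layer-2 chatter between LAN hosts; it never carries the VPN
    client's packets, so it is only counted for reference.
    """
    packets, arp_lines = [], 0
    for line in text.splitlines():
        line = line.strip()
        if ARP_RE.match(line):
            arp_lines += 1
            continue
        m = ICMP_RE.match(line)
        if m:
            packets.append(m.groupdict())
    return packets, arp_lines


def echo_counts(packets, client_ip):
    """Per LAN host: how many echo requests the client sent and how many were
    answered (a reply with the same id/seq and reversed addresses)."""
    sent = defaultdict(set)      # host -> {(id, seq)}
    answered = defaultdict(set)
    for p in packets:
        key = (p["id"], p["seq"])
        if p["kind"] == "request" and p["src"] == client_ip:
            sent[p["dst"]].add(key)
        elif p["kind"] == "reply" and p["dst"] == client_ip:
            answered[p["src"]].add(key)
    return {h: (len(k), len(k & answered[h])) for h, k in sent.items()}


def diagnose(vpn_capture, lan_capture, client_ip):
    """Compare the OpenVPN-interface capture with the LAN-interface capture
    and classify each pinged host by where the echo exchange stopped."""
    vpn = echo_counts(parse_capture(vpn_capture)[0], client_ip)
    lan = echo_counts(parse_capture(lan_capture)[0], client_ip)
    verdicts = {}
    for host in sorted(set(vpn) | set(lan)):
        v_req, v_rep = vpn.get(host, (0, 0))
        l_req, l_rep = lan.get(host, (0, 0))
        if v_req == 0:
            verdicts[host] = "NO_REQUEST"          # client never sent it into the tunnel
        elif l_req == 0:
            verdicts[host] = "NOT_FORWARDED"       # pfSense side: rules, routes or NAT
        elif l_rep == 0:
            verdicts[host] = "HOST_NO_REPLY"       # reached LAN; host firewall/route is the suspect
        elif v_rep == 0:
            verdicts[host] = "REPLY_NOT_RETURNED"  # host answered, reply never re-entered the tunnel
        else:
            verdicts[host] = "OK"
    return verdicts


# Constructed sample captures: VPN client 10.0.8.2 pings 192.168.1.17 (works)
# and 192.168.1.18 (request reaches LAN, no reply), plus the kind of ARP noise
# quoted in the thread. Timestamps and ids are made up.
VPN_CAPTURE = """\
12:00:01.000100 IP 10.0.8.2 > 192.168.1.17: ICMP echo request, id 7, seq 1, length 64
12:00:01.000900 IP 192.168.1.17 > 10.0.8.2: ICMP echo reply, id 7, seq 1, length 64
12:00:02.000100 IP 10.0.8.2 > 192.168.1.18: ICMP echo request, id 7, seq 2, length 64
"""
LAN_CAPTURE = """\
12:00:01.000300 IP 10.0.8.2 > 192.168.1.17: ICMP echo request, id 7, seq 1, length 64
12:00:01.000700 IP 192.168.1.17 > 10.0.8.2: ICMP echo reply, id 7, seq 1, length 64
12:00:02.000300 IP 10.0.8.2 > 192.168.1.18: ICMP echo request, id 7, seq 2, length 64
12:00:02.500000 ARP, Request who-has 192.168.1.210 tell 192.168.1.230, length 46
"""

if __name__ == "__main__":
    for host, verdict in diagnose(VPN_CAPTURE, LAN_CAPTURE, "10.0.8.2").items():
        print(host, verdict)
```

With the constructed captures the script reports 192.168.1.17 as OK and 192.168.1.18 as HOST_NO_REPLY, which is the pattern the thread describes: the request is visible on both the VPN and LAN interfaces, so pfSense did its part, and the missing reply points at the host. Pair it with a ping from Diagnostics with the OpenVPN interface as source, as suggested further down, to confirm the host is refusing off-subnet sources rather than being down.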
@jims
If the network settings are correct, maybe the device doesn't accept the access from outside of its subnet due to its own firewall.
You can investigate this with the ping tool in the Diagnostic menu in pfSense.
Ping the concerned device with default source, then change the source to the OpenVPN client for instance. This has a source IP outside of the LAN.
-
@viragomann When I try ping in the diagnostic tools it fails to both PCs. When I do it through the VPN from the phone it works for 1 PC. The IP is one different in the last number - i.e.
x.x.1.17 from through vpn
x.x.1.18 from pfsense
though I don't think that should make a difference.
I tried restarting the non-working pc thinking maybe the network settings got corrupted somehow from a pfsense restart but it hasn't changed things.
-
@viragomann This seems to have started when I changed some settings in pfsense although I am not sure they are related. VPN would stop working when I had a WAN network outage (which is also the link for VPN). Restarting pfsense would restore operation.
Under System>Advanced>Miscellaneous I set State Killing on Gateway Failure to "Kill states for all gateways that are down" and checked "Do not create rules when gateway is down". After this the VPN link didn't die but I had the problem of not being able to access all the devices on the local network.
-
@jims
Do you have any custom outbound NAT rules?
-
@viragomann Pretty sure I don't and haven't done anything like that. But I don't have access at the moment to check. Where would I check that?
-
@jims
Firewall > NAT > Outbound
By default it's set in automatic mode and does no natting on LAN interface.
But as a suspect, your LAN device is blocking the access, you could also circumvent this with a NAT rule. But that would be a hack in fact.
-
@viragomann I was under the impression the VPN connection appeared like the device was on the local network but it seems that isn't true. The from IP in the packet is outside the network. What's strange is that this was working until recently and I haven't changed the setup on those devices that aren't connecting.
Can I make the VPN connection appear as a local IP? Is this a good and reasonable solution?
If not, how should I address this on the individual devices? It would be nice if I didn't have to adjust every one.
-
@jims said in Troubleshooting OpenVPN?:
Can I make the VPN connection appear as a local IP? Is this a good and reasonable solution?
This is not a good idea at all. It would need to run the OpenVPN client in tap mode, which is not recommended and strictly not recommended as a solution to circumvent the devices' firewall rules.
The suggested solution is to configure the device accordingly to allow access from the VPN tunnel pool, as already mentioned.
But if the VPN is for your own purposes you may circumvent this behavior also by natting the traffic to the pfSense LAN IP.
To do so go to the outbound NAT settings and activate the hybrid mode.
Then add a rule with this settings:
interface: LAN
source: <OpenVPN tunnel network>
destination: any
translation: interface address
-
@viragomann Just guessing but the reason the one device allows traffic may be it is a very old version of Ubuntu and so has less restrictive firewall rules. Just a guess.
To make this work in a more recommended way how would I go about configuring the individual devices? The main one I have been wanting to use runs Ubuntu 18.04 IIRC. Also have a raspberry pi that I want to access.
-
@jims
I'm not familiar with your devices' firewalls and this is not the proper place to get support for it.
But as mentioned above, if you're the only user in the VPN you can circumvent the blocking with a NAT rule on pfSense.
The only drawback of this is that the LAN devices would only see the pfSense LAN IP as source when they are accessed from a VPN client.
-
@viragomann I am the only user. Just don't want to make a security hole but from what you say that may not be the issue. I will do some more investigation on how I might address it on the devices and figure out which way I want to go. Thank you so much for your help!
-
@viragomann It looks like it will be easy to add the VPN tunnel IP to be allowed by the device firewall. Is this a security issue? Will pfsense block that address on the WAN from accessing the LAN?
-
@jims
The traffic doesn't go through the WAN interface in a logical way. It is tunneled and comes in on the OpenVPN interface in pfSense.
Also the traffic cannot pass through a LAN device by default. This would require special settings on the device. Since I assume you control this device, you can be sure that they are not done.
The whole security depends on the VPN authentication, regardless of how you realize the access to the LAN devices. The server is under your control, you say, so use a strong password and client certificates and you're safe.
On pfSense you can additionally configure, what the clients are allowed to access.