Netgate Discussion Forum

Troubleshooting OpenVPN?

OpenVPN
23 Posts 2 Posters 1.9k Views
    viragomann @JimS
    last edited by Feb 15, 2023, 1:34 PM

    @jims
    Do you have any custom outbound NAT rules?

      JimS @viragomann
      last edited by Feb 15, 2023, 3:37 PM

      @viragomann Pretty sure I don't and haven't done anything like that. But I don't have access at the moment to check. Where would I check that?

        viragomann @JimS
        last edited by Feb 15, 2023, 3:52 PM

        @jims
        Firewall > NAT > Outbound
        By default it's set to automatic mode and does no NATting on the LAN interface.

        But if, as I suspect, your LAN device is blocking the access, you could also circumvent this with a NAT rule. That would in fact be a hack, though.

          JimS @viragomann
          last edited by Feb 15, 2023, 4:22 PM

          @viragomann I was under the impression the VPN connection appeared like the device was on the local network but it seems that isn't true. The from IP in the packet is outside the network. What's strange is that this was working until recently and I haven't changed the setup on those devices that aren't connecting.

          Can I make the VPN connection appear as a local IP? Is this a good and reasonable solution?

          If not, how should I address this on the individual devices? It would be nice if I didn't have to adjust every one.

            viragomann @JimS
            last edited by Feb 15, 2023, 4:33 PM

            @jims said in Troubleshooting OpenVPN?:

            Can I make the VPN connection appear as a local IP? Is this a good and reasonable solution?

            This is not a good idea at all. It would require running the OpenVPN client in tap mode, which is not recommended, and strictly not recommended as a solution to circumvent the device's firewall rules.

            The suggested solution is to configure the device accordingly to allow access from the VPN tunnel pool, as already mentioned.

            But if the VPN is for your own purposes you may also circumvent this behavior by NATting the traffic to the pfSense LAN IP.

            To do so, go to the outbound NAT settings and activate the hybrid mode.
            Then add a rule with these settings:
            interface: LAN
            source: <OpenVPN tunnel network>
            destination: any
            translation: interface address

              JimS @viragomann
              last edited by Feb 15, 2023, 4:51 PM

              @viragomann Just guessing, but the reason the one device allows traffic may be that it is a very old version of Ubuntu and so has less restrictive firewall rules. Just a guess.
              To make this work in a more recommended way, how would I go about configuring the individual devices? The main one I have been wanting to use runs Ubuntu 18.04 IIRC. I also have a Raspberry Pi that I want to access.

                viragomann @JimS
                last edited by Feb 15, 2023, 5:09 PM

                @jims
                I'm not familiar with your devices' firewalls and this is not the proper place to get support for them.

                But as mentioned above, if you're the only user in the VPN you can circumvent the blocking with a NAT rule on pfSense.
                The only drawback of this is that the LAN devices would only see the pfSense LAN IP as the source when they are accessed from a VPN client.

                  JimS @viragomann
                  last edited by Feb 15, 2023, 5:47 PM

                  @viragomann I am the only user. I just don't want to make a security hole, but from what you say that may not be the issue. I will do some more investigation on how I might address it on the devices and figure out which way I want to go. Thank you so much for your help!

                    JimS @viragomann
                    last edited by Feb 15, 2023, 6:43 PM

                    @viragomann It looks like it will be easy to add the VPN tunnel IP to be allowed by the device firewall. Is this a security issue? Will pfSense block that address on the WAN from accessing the LAN?

                      viragomann @JimS
                      last edited by Feb 15, 2023, 8:10 PM

                      @jims
                      Logically, the traffic doesn't go through the WAN interface. It is tunneled and comes in on the OpenVPN interface in pfSense.
                      Also, the traffic cannot pass through a LAN device by default. This would require special settings on the device. Since I assume you control this device, you can be sure that they are not in place.

                      The whole security depends on the VPN authentication, regardless of how you realize the access to the LAN devices. The server is under your control, you say, so use a strong password and client certificates and you're safe.
                      On pfSense you can additionally configure what the clients are allowed to access.

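The two points the thread turns on, the hybrid outbound NAT rule (interface LAN, source tunnel network, translation interface address) and the closing advice to restrict what VPN clients may reach, as an added shell illustration that is not code from the posts or from pfSense. All addresses are constructed (LAN 192.168.1.0/24 with pfSense at 192.168.1.1, tunnel network 10.8.0.0/24, a client at 10.8.0.6, a LAN host at 192.168.1.10); the pf rule is the hand-written equivalent of the GUI entry, not the text pfSense generates; the `ufw` command assumes the Ubuntu host uses ufw, which the thread does not say; the allow list is a stand-in for rules on the OpenVPN firewall tab.

```shell
#!/bin/sh
# Added example, not from the forum thread or from pfSense.
# Constructed addresses: LAN 192.168.1.0/24 (pfSense LAN address 192.168.1.1),
# OpenVPN tunnel network 10.8.0.0/24, VPN client 10.8.0.6, LAN host 192.168.1.10.

# ip_to_int A.B.C.D -> 32-bit integer on stdout
ip_to_int() {
    _ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS -> exit status 0 when ADDR lies inside NET/BITS
in_cidr() {
    _net=${2%/*}
    _bits=${2#*/}
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "$_net") & _mask )) ]
}

# classify_source ADDR LAN_CIDR TUNNEL_CIDR -> lan | tunnel | other
# This is the distinction the LAN host's firewall makes: a packet from a
# road-warrior client carries a tunnel-pool source, not a LAN source.
classify_source() {
    if in_cidr "$1" "$2"; then echo lan
    elif in_cidr "$1" "$3"; then echo tunnel
    else echo other
    fi
}

# observed_source ADDR TUNNEL_CIDR LAN_ADDR NAT(yes|no)
# Source address the LAN host sees. With NAT=yes (the hybrid outbound NAT
# rule: interface LAN, source tunnel net, translation interface address)
# tunnel sources are rewritten to the pfSense LAN address; otherwise the
# packet arrives with its real tunnel-pool source and LAN-only rules drop it.
observed_source() {
    if [ "$4" = yes ] && in_cidr "$1" "$2"; then echo "$3"; else echo "$1"; fi
}

# pf_outbound_nat LAN_IF TUNNEL_CIDR -> pf(4) nat rule of the same shape as
# the GUI entry (pfSense writes its own wording; this is only the equivalent)
pf_outbound_nat() {
    echo "nat on $1 inet from $2 to any -> ($1)"
}

# The thread's recommended alternative: allow the tunnel pool on the device
# itself. Assumes ufw on the Ubuntu host; other firewalls use their own syntax.
host_allow_cmd() {
    echo "ufw allow from $1"
}

# vpn_client_allowed DST PORT -> exit 0 if an OpenVPN-tab rule would pass it.
# Constructed allow list with default deny, standing in for "configure what
# the clients are allowed to access".
VPN_ALLOW="192.168.1.10:22 192.168.1.20:80 192.168.1.20:443"
vpn_client_allowed() {
    for _e in $VPN_ALLOW; do
        [ "$_e" = "$1:$2" ] && return 0
    done
    return 1
}

main() {
    echo "source 10.8.0.6 is: $(classify_source 10.8.0.6 192.168.1.0/24 10.8.0.0/24)"
    echo "LAN host sees without NAT: $(observed_source 10.8.0.6 10.8.0.0/24 192.168.1.1 no)"
    echo "LAN host sees with NAT:    $(observed_source 10.8.0.6 10.8.0.0/24 192.168.1.1 yes)"
    pf_outbound_nat em1 10.8.0.0/24
    host_allow_cmd 10.8.0.0/24
    if vpn_client_allowed 192.168.1.10 22; then echo "ssh to 192.168.1.10: pass"; fi
    if vpn_client_allowed 192.168.1.10 3389; then :; else echo "rdp to 192.168.1.10: block"; fi
}
main
```

The `classify_source` / `observed_source` pair shows why the single permissive Ubuntu box answered while the others did not: the packets really do arrive with a 10.8.0.x source, and only the NAT hack makes them look like 192.168.1.1. The last two functions show the two non-hack fixes side by side: open the tunnel pool on the host, and keep the pfSense OpenVPN rules to the hosts and ports the client actually needs, so the LAN device seeing the real client address costs nothing in security.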
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.