Netgate Discussion Forum

Problem configuration OpenVPN

OpenVPN
42 Posts 4 Posters 11.3k Views
  • K
    kilian77
    last edited by kilian77 Apr 26, 2023, 2:54 PM Apr 26, 2023, 2:53 PM

    Context: professional environment, beginner level, NETGATE 1100 version Netgate 22.05-RELEASE.

    Need: OpenVPN problem

    Plan :

    WAN (modem/router/box): Netgate WAN port: 192.168.1.2/24

    LAN: Netgate LAN port: 192.168.1.52/24

    DMZ: no

    WIFI: internal use, no configuration

    Other interfaces: no

    NAT rules: none

    Firewall rules: none

    Added packages: OpenVPN package

    Other functions attributed to the pfSense: none

    Question: I tried lots of different manipulations to use OpenVPN with Netgate but unfortunately I always have the same error that appears

    31a73c32-50cb-48c0-80ee-60d4446e535a-image.png

    Imagined tracks

    Searches: different ip addresses tried but still the same problem

    Logs and tests: always the same message even in the logs
    Thanks for your help

    1 Reply Last reply Reply Quote 0
    • V
      viragomann
      last edited by Apr 26, 2023, 3:39 PM

      @kilian77 said in Problem configuration OpenVPN:

      WAN (modem/router/box): Netgate WAN port: 192.168.1.2/24

      I assume, you have an ISP router in front of pfSense and you're trying to connect from outside.

      So does your router get a public IP?

      If so you have to forward OpenVPN packets (UDP 1194) to pfSense on your router.
      Then change the remote address in the client's config file to your public IP.

      K 1 Reply Last reply Apr 27, 2023, 2:17 PM Reply Quote 0
      • K
        kilian77 @viragomann
        last edited by kilian77 Apr 27, 2023, 2:30 PM Apr 27, 2023, 2:17 PM

        I still have the same problem, I reset my configuration and modified my addresses.
        For the WAN I put 10.0.0.1, the LAN: 192.168.1.2 and the tunnel 192.168.254.0/24 but I still have the same error despite all the open rules even from my router.
        I've been really stuck for a while and I don't understand.
        To start over at 0 I followed this tutorial: https://neptunet.fr/openvpn-pfsense/

        Here are my logs :
        f03f73eb-fbda-4cc2-a7dd-c63821930671-image.png

        V 1 Reply Last reply Apr 27, 2023, 4:45 PM Reply Quote 0
        • V
          viragomann @kilian77
          last edited by Apr 27, 2023, 4:45 PM

          @kilian77
          So your OpenVPN server is listening on the WAN, but your client tries to connect to the LAN address.

          If you want to do it this way, add a NAT port forwarding rule to the LAN interface for the LAN address, UDP 1194.

          K 1 Reply Last reply Apr 28, 2023, 7:17 AM Reply Quote 0
          • K
            kilian77 @viragomann
            last edited by Apr 28, 2023, 7:17 AM

            @viragomann
            unfortunately that's what I already did
            27545f02-8905-48e5-b982-638b49c29470-image.png

            V 1 Reply Last reply Apr 28, 2023, 10:27 AM Reply Quote 0
            • V
              viragomann @kilian77
              last edited by Apr 28, 2023, 10:27 AM

              @kilian77
              Hard to say if this is a proper NAT rule. If you want to hide things you should replace them with placeholders to keep it readable.

              Anyway, OPENVPN is the wrong interface to do this.

              K 1 Reply Last reply Apr 28, 2023, 10:58 AM Reply Quote 0
              • K
                kilian77 @viragomann
                last edited by Apr 28, 2023, 10:58 AM

                @viragomann what I sent is the NAT rule of my wifi modem, I open port 1194 from the outside which comes to type on the LAN port in 192.168.1.2 and I do not understand why I always have the error of my client who says "UDP link local (not bound)".

                K 1 Reply Last reply May 2, 2023, 7:32 AM Reply Quote 0
                • K
                  kilian77 @kilian77
                  last edited by May 2, 2023, 7:32 AM

                  @kilian77 Has anyone had this error and solved it please?

                  G 1 Reply Last reply May 2, 2023, 8:43 AM Reply Quote 0
                  • G
                    Gertjan @kilian77
                    last edited by May 2, 2023, 8:43 AM

                    @kilian77 said in Problem configuration OpenVPN:

                    Has anyone had this error and solved it please?

                    Take a look here : Configuring OpenVPN Remote Access in pfSense Software : follow it step by step and you have a working solution.

                    You use an upstream 'ISP' router.
                    It needs to have port "UDP 1194" NATted to the WAN IP of pfSense.

                    You can easily check if traffic reaches your pfSense WAN 1194 UDP port :

                    89adb2e8-a27b-49d1-a83c-43cc7750524a-image.png

                    You see the state and traffic counter in front of the rule ?
                    If these go up, then your upstream ISP NAT rule works fine.
                    If they stay zero, then traffic never reaches pfSense.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    K 2 Replies Last reply May 3, 2023, 8:03 AM Reply Quote 0
                      • K
                        kilian77 @Gertjan
                        last edited by May 3, 2023, 8:06 AM

                        @gertjan, first of all thank you for your answer, I re-watched the tutorial you sent me and indeed I did exactly like him by adapting my ip addresses.
                        WAN=192.168.50.1
                        LAN=192.168.1.2
                        VPN TUNNEL = 192.168.80.0
                        I also NATed the firewall and the traffic goes well but I still have the same error for 2 weeks.
                        If you need other information to help me do not hesitate I am active. Thanks in advance

                        NAT FIREWALL :
                        32b056dd-7cef-4b62-a18c-ac5adc7596c0-image.png

                        WAN FIREWALL :
                        85411e97-5335-4d2a-93f7-f90a784351f0-image.png

                        OPENVPN SERVERS :
                        dbdc94c8-637a-4f52-b17b-d96824a31b36-image.png

                        G 1 Reply Last reply May 3, 2023, 8:16 AM Reply Quote 0
                        • G
                          Gertjan @kilian77
                          last edited by May 3, 2023, 8:16 AM

                          @kilian77 said in Problem configuration OpenVPN:

                          I also NATed the firewall and the

                          ?
                          You need a NAT rule for the router that is in front of pfSense (if applicable).
                          pfSense (see video again) does not need/have a NAT rule.
                          It only needs a firewall rule on the WAN interface, that permits the UDP port 1194 traffic in.
                          See the image above.

                          While testing your VPN connection : do not use the local LAN (or Wifi) connection : use your phone with 4G/5G = data carrier, and use your - real - WAN IP.

                          942e1271-8af1-45b6-8887-325e08ca936a-image.png

                          172 bytes ?
                          I tend to say : no traffic arrives at the pfSense WAN gate.


                          K 1 Reply Last reply May 3, 2023, 8:28 AM Reply Quote 0
                          • K
                            kilian77 @Gertjan
                            last edited by May 3, 2023, 8:28 AM

                            @gertjan the problem with my router is that I can only NAT IPs from the 192.168.1.0 network which means that my WAN in 192.168.50.1 I cannot

                            1d5944c8-ca9e-4728-9b71-aa3886551a6d-image.png

                            G 1 Reply Last reply May 3, 2023, 8:41 AM Reply Quote 0
                            • G
                              Gertjan @kilian77
                              last edited by May 3, 2023, 8:41 AM

                              @kilian77 said in Problem configuration OpenVPN:

                              my WAN in 192.168.50.1

                              @kilian77 said in Problem configuration OpenVPN:

                              Netgate WAN port: 192.168.1.2/24

                              @kilian77 said in Problem configuration OpenVPN:

                              WAN=192.168.50.1
                              LAN=192.168.1.2

                              What is it ?

                              How did pfSense obtain this 192.168.50.1/24 ?
                              Static setup ? DHCP (better) ?

                              What is the IP of the LAN of the upstream router ??


                              K 1 Reply Last reply May 3, 2023, 8:50 AM Reply Quote 0
                              • K
                                kilian77 @Gertjan
                                last edited by May 3, 2023, 8:50 AM

                                @gertjan the 2 ports of the pfsense must not be in the same subnet, so I put my WAN pfsense = 192.168.50.1 and my LAN PFSENSE = 192.168.1.2

                                My LAN = 192.168.1.1

                                G 1 Reply Last reply May 3, 2023, 11:53 AM Reply Quote 0
                                • G
                                  Gertjan @kilian77
                                  last edited by May 3, 2023, 11:53 AM

                                  @kilian77 said in Problem configuration OpenVPN:

                                  @gertjan the 2 ports of the pfsense must not be in the same subnet

                                  I know ;)

                                  He didn't know that : this breaks everything :

                                  af6efdd3-db5d-4a07-a420-2459c436d494-image.png

                                  @gertjan said in Problem configuration OpenVPN:

                                  What is the IP of the LAN of the upstream router ??

                                  ?


                                  K 1 Reply Last reply May 3, 2023, 12:21 PM Reply Quote 0
                                  • K
                                    kilian77 @Gertjan
                                    last edited by May 3, 2023, 12:21 PM

                                    @gertjan
                                    I made changes since my last messages here are my addresses:

                                    a4a1fe91-c285-4ff1-ad21-e55ee010bb0e-image.png
                                    My LAN IP of my router is 192.168.1.1

                                    G 1 Reply Last reply May 3, 2023, 1:00 PM Reply Quote 0
                                    • G
                                      Gertjan @kilian77
                                      last edited by Gertjan May 3, 2023, 1:31 PM May 3, 2023, 1:00 PM

                                      @kilian77

                                      That is as bad as it was before. So nothing works right now, and that's 'normal'.

                                      I'll explain.

                                      You already figured out that when you buy a connected device, like a router, they nearly all have "192.168.1.1/24" as a LAN interface.
                                      This means you cannot 'chain' these devices one after another and presume it will work.
                                      It won't work.

                                      One solution - two methods :

                                      You change the default LAN network of your ISP router from 192.168.1.1/24 to, for example, 192.168.50.1/24 (or 192.168.2.1/24 or something like that). Keep in mind that you change all other related settings, like for example the DHCP server for the LAN interface (if applicable).

                                      Or

                                      You change the default LAN network of your pfSense router from 192.168.1.1/24 to, for example, 192.168.50.1/24 (or 192.168.2.1/24 or something like that). Keep in mind that you change all other related settings, like for example the DHCP server for the LAN interface.

                                      You can keep (I strongly suggest) the default WAN settings : that is : "DHCP" for IPv4 for pfSense. Static IPv4 on WAN is for experts and ..... well, don't do static, please.

                                      If you can create a MAC based DHCP lease setting on your ISP router for pfSense, then do so.
                                      Because you are natting on your ISP router, you better make sure that pfSense always obtains the same IP.

                                      Btw : these 'rules' or 'this knowledge' has nothing to do with your ISP router, or pfSense.
                                      As soon as you 'chain' one router after another, you have to make sure that they all use a distinct LAN RFC1918 network.
                                      Otherwise you will break routing.


                                      K 1 Reply Last reply May 3, 2023, 1:28 PM Reply Quote 0
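
The addressing rule from the post above, as an added example that is not part of the original thread: a Python check, run over the addresses quoted in this thread, that flags a pfSense WAN address outside the upstream router's LAN and any overlap between the upstream LAN, the pfSense LAN and the OpenVPN tunnel network. The helper name `check_chain` is hypothetical, and the `/24` prefix is assumed wherever the thread gives an address without one.

```python
import ipaddress


def check_chain(upstream_lan, pf_wan, pf_lan, tunnel):
    """Return addressing problems for an ISP router -> pfSense -> LAN chain.

    check_chain is a hypothetical helper, not part of pfSense or OpenVPN.
    """
    up = ipaddress.ip_interface(upstream_lan)
    wan = ipaddress.ip_interface(pf_wan)
    lan = ipaddress.ip_interface(pf_lan)
    tun = ipaddress.ip_network(tunnel, strict=False)
    problems = []

    # The ISP router can only forward UDP 1194 to a host on its own LAN,
    # so the pfSense WAN address has to sit inside that network.
    if wan.ip not in up.network:
        problems.append("wan-not-on-upstream-lan")
    elif wan.ip == up.ip:
        problems.append("wan-duplicates-upstream-address")

    # Every routed segment in the chain needs a distinct network.
    segments = {"upstream": up.network, "lan": lan.network, "tunnel": tun}
    names = sorted(segments)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if segments[a].overlaps(segments[b]):
                problems.append(f"{a}-overlaps-{b}")
    return problems


# Constructed cases built from addresses quoted in the thread (/24 assumed).
UPSTREAM = "192.168.1.1/24"   # ISP router LAN
TUNNEL = "192.168.80.0/24"    # OpenVPN tunnel network
CASES = {
    "first post": (UPSTREAM, "192.168.1.2/24", "192.168.1.52/24", TUNNEL),
    "May 3 attempt": (UPSTREAM, "192.168.50.1/24", "192.168.1.2/24", TUNNEL),
    "pfSense LAN moved": (UPSTREAM, "192.168.1.2/24", "192.168.50.1/24", TUNNEL),
}

if __name__ == "__main__":
    for label, args in CASES.items():
        print(label, "->", check_chain(*args) or "ok")
```
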
                                      • K
                                        kilian77 @Gertjan
                                        last edited by May 3, 2023, 1:28 PM

                                        @gertjan I'm sorry I'm a beginner in the matter and there are a few points that I don't understand, why should I modify the LAN address of my ISP router and also modify that of the Pfsense LAN, if they remain in the same network?
                                        Also if I put the WAN address in DHCP it assigns me an address in the same subnet as my router.
                                        Thank you for your answer

                                        G 2 Replies Last reply May 3, 2023, 1:31 PM Reply Quote 1
                                        • G
                                          Gertjan @kilian77
                                          last edited by May 3, 2023, 1:31 PM

                                          @kilian77 said in Problem configuration OpenVPN:

                                          router and also modify

                                          One 👍 for you !

                                          I omitted the "Or" word : I'll edit my post above.


                                          1 Reply Last reply Reply Quote 0