OpenVPN troubleshooting and Firewall / Rule / OpenVPN vs OPT1
-
Using a self-signed certificate, I configured my firewall to handle OpenVPN connections from my Mac and PC through the supplied wizard. Everything was working. However, my tinkering has caused me some problems. I went to my firewall rules and saw an OpenVPN tab. This makes sense because I just set up OpenVPN after all, but I noticed that there is an interface that is labeled OPT1. This thing has caused me to be booted from my remote connection twice now.
I was remotely logged in, enabled the interface, and was then booted from OpenVPN. (Is this because the daemon needs to be manually restarted?) After physically accessing the device I saw that under my Services Status the OpenVPN service had an X, so I hit the refresh action. It enabled it and I was able to gain access through OpenVPN. So for some reason, I messed around again and decided to change the OpenVPN interface name, and now I cannot regain access to the firewall's GUI through OpenVPN, although my client is telling me I'm making a successful connection.
The documentation states that enabling this interface creates a tab inside the firewall rules page, but it seems like the wizard already did that and the interface is disabled. When enabling the interface it creates a second OpenVPN tab. What is the purpose of this interface? How do I prevent the OpenVPN daemon from restarting and losing my remote connection? Every time you change any setting in OpenVPN, does it restart the service and therefore you cannot reconnect without physical access?
-
@catspecial202 said in OpenVPN troubleshooting and Firewall / Rule / OpenVPN vs OPT1:
The documentation states that enabling this interface creates a tab inside the firewall rules page, but it seems like the wizard already did that and the interface is disabled. When enabling the interface it creates a second OpenVPN tab. What is the purpose of this interface?
There is a rules tab named OpenVPN. This is added by pfSense when you set up an OpenVPN instance. You can not remove it nor disable it.
This is an interface group indeed and includes all OpenVPN instances running on pfSense, both servers and clients.
How do I prevent the OpenVPN daemon from restarting and losing my remote connection? Every time you change any setting in OpenVPN, does it restart the service and therefore you cannot reconnect without physical access?
If you do changes on the OpenVPN instance and save it, the service has to be restarted so that the new settings take effect.
The client should automatically reconnect after that.
-
@viragomann said in OpenVPN troubleshooting and Firewall / Rule / OpenVPN vs OPT1:
This a an interface group indeed and includes all OpenVPN instances running on pfSense, both servers and clients.
Ah, so it's a group. What is the purpose of the other tab then?
@viragomann said in OpenVPN troubleshooting and Firewall / Rule / OpenVPN vs OPT1:
If you do changes on the OpenVPN instance and save it, the service has to be restarted, so that the new settings take effect.
The client should automatically reconnect after that.
I only changed the interface's name and then saved and applied changes (the interface was not enabled). This booted me from the GUI. However, I can still connect to the VPN but cannot access any of my local networks.
-
@catspecial202 said in OpenVPN troubleshooting and Firewall / Rule / OpenVPN vs OPT1:
What is the purpose of the other tab then?
If you have assigned it you should be able to answer this question yourself. I don't know your reasons for doing that.
Consider that rules on an interface group have priority over ones on member interfaces. So if there is a pass rule allowing any to any, rules on member interfaces would not have any effect.
However, I can still connect to the VPN but cannot access any of my local networks.
So what do your rules look like?
Do you have the local network stated at "Local Networks" in the OpenVPN server settings or "Redirect gateway" enabled?
-
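The rule-ordering point in the reply above, as an added example that is not part of the thread and not pfSense code: a small simulation of how pfSense evaluates rules on an interface group (the built-in OpenVPN tab) before rules on a member interface (an assigned OPT1 tab), with the first matching rule winning because the GUI applies "quick" to its rules. The rule and packet fields, the sample subnets (10.0.8.0/24 for the tunnel, 192.168.1.0/24 for the LAN) and the rule sets are constructed for illustration.

```python
# Added example, not part of the forum thread or of pfSense itself.
# Models the evaluation order described in the reply: interface-group
# rules (OpenVPN tab) are checked before member-interface rules (OPT1 tab),
# and the first match wins. Fields and sample data are simplified assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    tab: str                    # "OpenVPN" (interface group) or "OPT1" (member interface)
    action: str                 # "pass" or "block"
    proto: str                  # "any", "tcp" or "udp"
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    dport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


# Tabs that are interface groups; pfSense evaluates these before member tabs.
GROUP_TABS = {"OpenVPN"}


def _net_match(spec: str, addr: str) -> bool:
    """'any' matches everything; otherwise the address must fall in the CIDR."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and _net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, tab) of the first matching rule, group tabs first.
    Traffic that matches nothing hits the implicit default deny."""
    ordered = ([r for r in rules if r.tab in GROUP_TABS]
               + [r for r in rules if r.tab not in GROUP_TABS])
    for rule in ordered:
        if matches(rule, pkt):
            return rule.action, rule.tab
    return "block", "default"


# Constructed sample 1: the wizard's allow-all on the OpenVPN group tab plus
# an operator's block rule on the assigned OPT1 tab. The OPT1 rule never fires.
WIZARD_RULES = [
    Rule("OpenVPN", "pass", "any", "any", "any"),
    Rule("OPT1", "block", "tcp", "10.0.8.0/24", "192.168.1.0/24", 443),
]

# Constructed sample 2: group rule removed, so the OPT1 rules now decide.
OPT1_ONLY_RULES = [
    Rule("OPT1", "block", "tcp", "10.0.8.0/24", "192.168.1.0/24", 443),
    Rule("OPT1", "pass", "any", "10.0.8.0/24", "192.168.1.0/24"),
]

# Constructed traffic from a VPN client to a LAN host.
HTTPS_TO_LAN = Packet("tcp", "10.0.8.2", "192.168.1.1", 443)
SSH_TO_LAN = Packet("tcp", "10.0.8.2", "192.168.1.1", 22)


if __name__ == "__main__":
    for name, rules in (("wizard", WIZARD_RULES), ("opt1-only", OPT1_ONLY_RULES)):
        for pkt in (HTTPS_TO_LAN, SSH_TO_LAN):
            print(name, pkt.dport, evaluate(rules, pkt))
```

With the wizard's any-to-any pass rule on the group tab, the block rule on OPT1 is shadowed; only after the group rule is removed (or narrowed) do the per-interface rules take effect, which is the practical reason to keep policy on one tab or the other rather than both.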
@viragomann Unfortunately, I lost access and won't be able to regain access until I revisit the site tomorrow. I didn't implement any rules on my OpenVPN server; I only selected the boxes while installing OpenVPN with the wizard to create the required rules. OpenVPN had been working before I enabled the interface and then changed the interface's name. I never implemented any rules under the interface OPT1 tab. The only rule that is implemented is under the OpenVPN tab and I believe it's just IPv4 with * in all the fields.
@viragomann said in OpenVPN troubleshooting and Firewall / Rule / OpenVPN vs OPT1:
Consider that rules on an interface group have priority over ones on member interfaces. So if there is a pass rule allowing any to any, rules on member interfaces would not have any effect.
So then enabling the OpenVPN interface creates an interface group? The single OpenVPN tab that is created when you set up the wizard is a member interface? (I don't know if this OpenVPN tab is there prior to the wizard's use as I didn't look before I used the OpenVPN wizard.)
@viragomann said in OpenVPN troubleshooting and Firewall / Rule / OpenVPN vs OPT1:
What is the purpose of the other tab then?
I'm trying to understand the difference between the rules associated with the tab created when you enable the OpenVPN interface in assignments and the rules made under the tab that is purely labeled OpenVPN.