Network connectivity issue from OpenVPN client
-
I'm posting this here as I assume it's a firewall issue.
I just setup an OpenVPN server. I can connect from my phone to my network just fine. However, I don't have any network connectivity once the VPN connection establishes.
I have assigned the OpenVPN server to an interface (PhoneHome_VPN). Within the firewall rules, I have: PhoneHome_VPN and OpenVPN. By default, the OpenVPN tab doesn't have any rules configured and notes that it blocks all traffic until rules are created. Under PhoneHome_VPN, I have established the following rules:
Nothing was working, though. So, I noticed in the documentation that it stated:
Rules on assigned OpenVPN interface tabs are processed after rules on the OpenVPN tab
OK. So I created the following rules under the OpenVPN tab:
192.168.50.2 is the IP of my phone/client that connects into the network. Now, looking at the firewall logs, I can see that traffic is being passed successfully.
However, I still don't have any network connectivity on the client. Where do I go from here?
-
@CoffeeOrTea said in Network connectivity issue from OpenVPN client:
I can connect from my phone to my network just fine. However, I don't have any network connectivity once the VPN connection establishes.
What do you want to access? Only server site networks or the internet?
Do you access remote devices with its IP or host name?
At least IP should work.
If not, consider that the destination device can block the access from remote by its own firewall.
Your rule set on the assigned interface shows an allow-DNS to localhost rule. This only works if you forward the DNS traffic accordingly on this interface.
-
@CoffeeOrTea said in Network connectivity issue from OpenVPN client:
192.168.50.2
That's a local "RFC1918" IP.
The real test would be: don't use wifi (shut it down) and then connect 'from the outside' using cellular data, or go outside, somewhere else, and use the wifi at some other place.
If you trust your phone you can also use this firewall rule:
I've tested it: it works great.
I can access the pfSense GUI, LAN devices, and use the pfSense 'internet' connection, as that's how I've set up the VPN server and client on my phone (using the OpenVPN client app).
-
@viragomann said in Network connectivity issue from OpenVPN client:
What do you want to access?
The main use-case is services on my network. Second to that is WAN over the VPN if I'm traveling. However, I couldn't access anything, by IP or otherwise.
@Gertjan said in Network connectivity issue from OpenVPN client:
The real test would be: don't use wifi (shut it down) and then connect 'from the outside' using cellular data
Yup, this is what I was doing. I also did set that wide-open firewall rule.
I was playing with the settings and ultimately found that my issue was "Force all traffic through the tunnel" (which I want to do). If that was set, then connectivity to anything/everything failed. If I uncheck that box, then an option to specify 'Accessible LANs' appears. I specified two subnets and then everything works.
I also fully deleted the VPN server that I had made and then recreated it, testing things along the way. If I enable "Force all traffic through the tunnel" and do not assign the OpenVPN server to an interface, then things also work well. But once I assign the OpenVPN server to an interface (with the force traffic through tunnel enabled), it fails.
So - as of now, I have "Force all traffic through the tunnel" disabled and have specified subnets to allow VPN clients to access. It's not exactly what I want, but it's working for the moment.
If anyone could explain the behavior associated with "Force all traffic through the tunnel", I would very much appreciate it. My understanding is that it simply doesn't allow split tunnel from the client end, which shouldn't cause any of the issues that I'm experiencing. Since it is, though, I'm assuming that my understanding is incorrect.
-
@CoffeeOrTea
There is an outbound NAT needed for the OpenVPN tunnel network on WAN if you force upstream traffic over the VPN.
Is this added already? If not, you have to create the rule manually.
-
Upstream, meaning the WAN access?
I did create that, yes. I don't have a screenshot handy, but essentially the rule is:
Outbound Rule
Interface: WAN
Source: 192.168.50.0/24 (Tunnel subnet)
Destination: *
Translation Address: WAN Address
However, it wasn't just WAN access that was failing, it was everything. I couldn't ping/communicate with the pfSense gateway/DNS on the same tunnel network or servers on other subnets despite having wide-open allow rules.
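As an added illustration (editor's example, not pfSense-generated configuration and not any poster's file), the following plain OpenVPN server syntax shows what the two GUI choices discussed in this thread ("Force all traffic through the tunnel" / "Redirect IPv4 Gateway" versus "IPv4 Local network(s)") push to the client, together with the pf equivalent of the outbound NAT rule posted above. The tunnel network 192.168.50.0/24 comes from the thread; the LAN prefixes 192.168.1.0/24 and 192.168.2.0/24 and the WAN interface name em0 are placeholders.

```conf
# Added example: plain OpenVPN server directives for the two modes discussed above.
# Assumptions: tunnel 192.168.50.0/24 (from the thread); 192.168.1.0/24 and
# 192.168.2.0/24 are placeholder LANs; em0 is a placeholder WAN interface name.

# --- Common server settings ---
dev tun
topology subnet
server 192.168.50.0 255.255.255.0          # tunnel network; the server side takes 192.168.50.1
push "dhcp-option DNS 192.168.50.1"        # hand clients the server's tunnel address as resolver

# --- Mode A: split tunnel ("Redirect IPv4 Gateway" off, "IPv4 Local network(s)" filled in) ---
# Each subnet listed in "IPv4 Local network(s)" becomes one pushed route.
# The client keeps its own default route; only these prefixes enter the tunnel.
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"

# --- Mode B: full tunnel ("Force all traffic through the tunnel" on) ---
# Replaces the per-subnet routes above with a default route via the tunnel. "def1"
# installs 0.0.0.0/1 and 128.0.0.0/1 so the client's original default route is
# overridden without being deleted. Uncomment to use instead of the routes above.
# push "redirect-gateway def1"

# In Mode B the client sends all IPv4 traffic, Internet included, to 192.168.50.1,
# so the firewall also needs outbound NAT for the tunnel network on WAN. The
# GUI rule posted above (Interface WAN, Source 192.168.50.0/24, Destination *,
# Translation WAN Address) corresponds to this pf.conf line (em0 assumed):
#   nat on em0 from 192.168.50.0/24 to any -> (em0)
```

A useful way to tell the two failure classes apart: the outbound NAT rule only matters for traffic leaving via WAN, so if Mode B breaks even a ping to the tunnel gateway 192.168.50.1 (as described above), NAT is not the cause. Comparing the PUSH_REPLY lines in the client app's log between the two modes shows exactly which routes and DNS settings the client actually received.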
-
My:
never had to create anything.
192.168.3.0/24 is my OpenVPN tunnel IP network.
I don't recall adding anything whatsoever manually.
Btw: 192.168.1.0/24, 192.168.2.0/24 and 192.168.100.0/24 are all my LANs
-
@Gertjan said in Network connectivity issue from OpenVPN client:
never had to create anything.
I've got my outbound NAT set to 'manual rule generation' rather than automatic. Odd though because I have the manual equivalent of the rule that you have. Still, that should only be for WAN access over the VPN whereas I can't even communicate with the gateway/other subnets [with 'force all traffic through tunnel' enabled].
That said, everything is working flawlessly right now due to disabling the 'force all traffic through tunnel' option and manually specifying accessible subnets. I just don't understand why the 'force all traffic through tunnel' breaks everything.
-
I've "force all" set ...
(Because: when I fire up my OpenVPN from my laptop, phone etc., that is because I want to use one of the devices on the pfSense LAN. I connect to these devices using their host names, known to unbound on pfSense. So, my phone will ask unbound what IP the device has, and I can connect.
I don't need to use my company's VPN access as a VPN to visit other, Internet based sites.)
-
That's the configuration that I want to use, but it's the one that breaks everything for me. In order to get it to work, I have to uncheck that box, then manually specify the IPv4 Local networks.
Curious - do you have your OpenVPN server assigned to an interface?
The reason I ask is because enabling "Redirect IPv4 Gateway" works for me UNTIL I assign it to an interface, then everything breaks.
-
@CoffeeOrTea said in Network connectivity issue from OpenVPN client:
That said, everything is working flawlessly right now due to disabling the 'force all traffic through tunnel' option and manually specifying accessible subnets. I just don't understand why the 'force all traffic through tunnel' breaks everything.
With "redirect gateway" checked, I expect that you at least can access the remote LANs.
If that's not the case, I'd suspect that there is an issue with your client. Maybe you can try another one.
-
@viragomann said in Network connectivity issue from OpenVPN client:
With "redirect gateway" checked, I expect that you at least can access the remote LANs.
If that's not the case, I'd suspect that there is an issue with your client. Maybe you can try another one.
I would expect that too, but that's the issue that I'm having. The client is an Android phone with the OpenVPN app. Are you saying to try another device, or app?
The only way that I've been able to get it to work is by configuring it this way. I would much rather get the "Redirect Gateway" option working, though.
Edit for clarification: The only way that I've been able to get it to work after assigning OpenVPN to an interface is to configure it as the picture below. If I don't assign OpenVPN to an interface, then "Redirect Gateway" works.
-
@CoffeeOrTea said in Network connectivity issue from OpenVPN client:
Edit for clarification: The only way that I've been able to get it to work after assigning OpenVPN to an interface is to configure it as the picture below. If I don't assign OpenVPN to an interface, then "Redirect Gateway" works.
Not clear at the moment, why this happens, but there is no benefit of assigning an interface to an access server anyway.
This is only useful if you need to route traffic to the client site.
-
Follow up thought...
Because assigning my OpenVPN server to an interface automatically creates a new gateway, would I need to edit this setting in the OpenVPN server config?
-
@CoffeeOrTea
No, there is nothing to change after assigning the interface.