Netgate Discussion Forum

Can only connect to VPN from internal network not from External

  • E
    evang
    last edited by Oct 5, 2024, 2:18 PM

    I'm new to pfSense and having trouble getting OpenVPN to work outside my network. Here’s what I’ve done so far:

    OpenVPN works perfectly when connecting via the LAN using the internal interface.
    I registered my public IP with a DDNS hostname through Cloudflare for external access.

    The issue: When I try to connect from outside the network, I get stuck at "Attempting to establish TCP connection with AF_INET:1194."

    Any suggestions on what might be causing this or what I could check next?

    Thanks in advance for your help!

    Screenshot 2024-10-05 at 10.12.01 AM.png

    Screenshot 2024-10-05 at 10.12.57 AM.png

    Screenshot 2024-10-05 at 10.13.18 AM.png

    Screenshot 2024-10-05 at 10.12.26 AM.png

    Any information I could provide or insight would be greatly appreciated. I am setting this up to learn so I may not know everything but my main goal here is to learn. Thanks

    • J
      johnpoz LAYER 8 Global Moderator @evang
      last edited by Oct 5, 2024, 2:57 PM

      @evang is it not resolving that ddns name you gave.. The client doesn't give an IP it's trying to connect to, just

      "Attempting to establish TCP connection with AF_INET:1194"

      There should be an IP there. Your public IP.. And you would need a firewall rule to allow it on your wan. If you ran through the wizard to setup openvpn that rule should have been auto created... Do you have any rules above it that would be blocking your source IP? Or rules in floating that would?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • E
        evang @johnpoz
        last edited by Oct 5, 2024, 3:10 PM

        @johnpoz

        Hey John,

        Here are my current rules

        Screenshot 2024-10-05 at 11.07.00 AM.png Screenshot 2024-10-05 at 11.07.10 AM.png Screenshot 2024-10-05 at 11.07.30 AM.png Screenshot 2024-10-05 at 11.07.41 AM.png

        The log entry I provided did have a public IP; I just chose not to include it for security reasons:
        Attempting to establish TCP connection with [AF_INET]my-public-ip:1194

        • J
          johnpoz LAYER 8 Global Moderator @evang
          last edited by Oct 5, 2024, 3:15 PM

          @evang well looks like you ran through the wizard a few times - see multiple copies of the rule.. but notice the 0 / 0 B that means pfsense never saw any traffic that matched it..

          Since your top rfc1918 rule has seen a lot of traffic on it 74MB, I take it pfsense is behind a nat? Not sure why else it would be seeing so much rfc1918 traffic on its wan?

          If pfsense wan is not public, ie behind some nat router then you would have to make sure your router in front of pfsense forwards the traffic to pfsense wan IP.

          Does pfsense wan have a rfc1918 address on it, 10.x or 172.16-31.x or 192.168.x -- or maybe a cgnat range 100.64-127.x ?

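The WAN address check asked for in the post above, written out as an added example (not part of any post in this thread). The function names `classify_wan` and `diagnose` and all sample addresses are assumptions made for illustration; it also covers the DDNS-versus-public-IP comparison that comes up later in the thread.

```python
import ipaddress

# Ranges named in the post above: RFC 1918 private space and the CGNAT block.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # 100.64.x through 100.127.x


def classify_wan(addr):
    """Classify an IPv4 WAN address as 'rfc1918', 'cgnat', 'other' or 'public'."""
    ip = ipaddress.IPv4Address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast:
        return "other"
    return "public"


def diagnose(pfsense_wan, ddns_ip, current_public_ip, port=1194):
    """Return the things to fix before inbound traffic on `port` can reach pfSense."""
    findings = []
    kind = classify_wan(pfsense_wan)
    if kind == "rfc1918":
        findings.append(f"WAN {pfsense_wan} is RFC 1918: forward port {port} "
                        f"on the upstream router to {pfsense_wan}")
    elif kind == "cgnat":
        findings.append(f"WAN {pfsense_wan} is in the CGNAT range: NAT sits upstream")
    elif kind == "other":
        findings.append(f"WAN {pfsense_wan} is not a usable address")
    if ipaddress.IPv4Address(ddns_ip) != ipaddress.IPv4Address(current_public_ip):
        findings.append(f"DDNS points to {ddns_ip}, public IP is {current_public_ip}")
    return findings


if __name__ == "__main__":
    # Constructed sample values; 203.0.113.0/24 is a documentation range
    # standing in for a real public IP.
    for line in diagnose("192.168.1.50", "203.0.113.10", "203.0.113.10"):
        print(line)
    print(diagnose("203.0.113.10", "203.0.113.77", "203.0.113.10"))
```

An empty list from `diagnose` means the WAN address is public and the DDNS record matches it, so the remaining place to look is the WAN firewall rule and its hit counters.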
          • E
            evang @johnpoz
            last edited by Oct 5, 2024, 3:25 PM

            @johnpoz
            Hey John,

            Here is a crude drawing of my network topology. In this case would I need to have my router forward the traffic from the router to my pfsense box?

            Also not too sure how to answer this

            "Does pfsense wan have a rfc1918 address on it, 10.x or 172.16-31.x or 192.168.x -- or maybe a cgnat range 100.64-127.x ?"

            Where would I find this information

            Topology.png

            • J
              johnpoz LAYER 8 Global Moderator @evang
              last edited by Oct 5, 2024, 3:31 PM

              @evang said in Can only connect to VPN from internal network not from External:

              Where would I find this information

              look on pfsense wan interface - what does it show.. You can either see it on the interfaces widget on the main page, or under status interfaces

              public.jpg

              But from a drawing showing ROUTER in front of pfsense I would bet a large sum of money you have private IP on pfsense wan.

              • E
                evang @johnpoz
                last edited by Oct 5, 2024, 3:38 PM

                @johnpoz

                This is what I have for that interface

                Screenshot 2024-10-05 at 11.36.12 AM.png

                • J
                  johnpoz LAYER 8 Global Moderator @evang
                  last edited by Oct 5, 2024, 4:01 PM

                  @evang as I thought that is a rfc1918 address 192.168.x.x - so unless you forward port 1194 on that router in front of pfsense that has your public IP on it to this 192.168.x.x of pfsense, pfsense would never see any traffic to allow for making an openvpn connection on port 1194

                  It might be better to remove that router from your network.. If it is providing wifi, move it to be behind pfsense and just use it as an Access Point.

                  Users also confuse modem and gateway. If that device you call a modem is actually a gateway, that is a modem/router combo, and not a true, say, cable modem only, then you could be behind 2 nats before pfsense wan IP.

                  • E
                    evang @johnpoz
                    last edited by Oct 5, 2024, 4:39 PM

                    @johnpoz

                    I may take your advice on moving the router behind it but I may do that later down the road. I went into my router settings and found the port forwarding settings. Does this look correct?

                    Screenshot 2024-10-05 at 12.36.54 PM.png

                    • J
                      johnpoz LAYER 8 Global Moderator @evang
                      last edited by Oct 5, 2024, 4:54 PM

                      @evang yeah that should work.. As long as this router actually has a public IP on its wan, and not behind another nat device that you're calling a modem on your drawing.. and that 192.168.x.x address is pfsense wan IP.

                      btw little reason to hide a rfc1918 address.. They do not route on the internet, and everyone uses them as well.

                      For example my lan is 192.168.9.0/24 with my pc on 192.168.9.100 and pfsense IP is 192.168.9.253 - is there something you could glean from that info? That would give any clue to where I am at? Might as well tell you I live on the planet earth ;)

                      • E
                        evang @johnpoz
                        last edited by Oct 5, 2024, 5:10 PM

                        @johnpoz

                        You are 100% correct, that would not provide any insight at all lol. Still learning so forgive me.
                        How would I verify if my router has a public IP? I have a netgear router

                        • J
                          johnpoz LAYER 8 Global Moderator @evang
                          last edited by johnpoz Oct 5, 2024, 5:29 PM

                          @evang you should be able to look on your netgear router gui for its wan info.. What is the model number of the thing you're calling a modem in your drawing.. From the model number can tell you if just a modem, or a gateway (modem/router combo) for example I have an arris S33, it's just a cable modem.. not nat.

                          Another way to tell if that device is a gateway - does it have more than 1 ethernet port.. Some new modems have 2, mine has 1 1ge and another 2.5ge interface.. But if it has like 4 or something then yeah it's a gateway and not just a modem.

                          • E
                            evang @johnpoz
                            last edited by Oct 5, 2024, 7:55 PM

                            @johnpoz

                            My modem is a Netgear CM700. I think it is just a modem so no NAT. I am not seeing in the settings where the public IP of my Router is

                            • J
                              johnpoz LAYER 8 Global Moderator @evang
                              last edited by Oct 5, 2024, 8:22 PM

                              @evang what netgear is it? yeah a cm700 is just a modem.. So the netgear should have public on it.. If you go to like whats my IP that should be what your public is so yeah setting the port forward on there should work - if your ddns is pointing to the correct IP.

                              • E
                                evang @johnpoz
                                last edited by Oct 5, 2024, 8:55 PM

                                @johnpoz

                                I got it working now! Thank you so much! So, lessons learned here. If I want to access resources behind a router, I will need to use port forwarding in order to properly route the traffic to that machine. Correct?

                                • J
                                  johnpoz LAYER 8 Global Moderator @evang
                                  last edited by Oct 5, 2024, 9:54 PM

                                  @evang yeah and you have 2 nat routers so you would have to port forward twice if you have something behind pfsense
