OpenVPN clients outside my router cannot establish communication
-
Hello, I am new to Netgate OpenVPN configuration. I need help in establishing a connection from my remote device to my OpenVPN server.
I had successfully configured a VPN server. I can connect client devices (using the OpenVPN Connect app) to my OpenVPN server, but the problem is, I can only establish a connection if my server and my clients are on the same network. For example, my SG-2100 Netgate device's WAN is connected to router A's LAN and my client device (phone) is connected to router A's Wi-Fi.
When I connect my phone to a different Wi-Fi, or any network outside my home network (where my SG-2100 is connected), I cannot establish a VPN connection. -
@gasion said in openvpn clients outside my router cannot establish communication:
When I connect my phone to a different Wi-Fi, or any network outside my home network (where my SG-2100 is connected), I cannot establish a VPN connection.
When you are at home: get a PC, and type
https://whatismyipaddress.com/
and note down the IPv4 you see.
This is not the WAN IP of your pfSense WAN interface, as you have a router in front of your pfSense.
Visit the GUI of your ISP router; you probably will find the same IP you've already found.
Now, go outside, switch off your Wi-Fi, make sure your OpenVPN Connect app uses a config file that uses the IP you've found, and connect.
You still can't connect, as you are maybe not aware that "every connection initiated from the Internet to your place" is blocked.
This is what firewalls do, after all, and you have two of them ^^
So, you have to create a so-called NAT rule on your ISP device that grants access "from any IP on the Internet" (well, maybe not any, but at least the IP your phone is/was using while outside) with destination port 1194, protocol UDP.
I said "1194 and UDP" as that's what I am using right now on pfSense:
After all: the traffic can only reach the pfSense WAN interface if your upstream ISP router grants access "from the outside" to this port 1194 (and UDP) for a device on its LAN, which is ... pfSense.
You also have to specify in the ISP router's NAT rule which IP it forwards to, a LAN IP on the ISP router, and you know that IP: it's the pfSense WAN IP.
Btw: all this has nothing to do with Netgate, nor with pfSense.
Whatever equipment you use, for decades now, the 'procedure' is always the same.
As soon as you decide to connect to a device on your LAN from the outside (from the Internet), you have to create a NAT rule. This is valid for everybody.
Because the OpenVPN server is running on pfSense itself, there is no need to create a NAT rule on pfSense itself, but you have to (see my WAN firewall rule) create a firewall rule on WAN to let the UDP traffic using port 1194 in. This rule is already created if you used the pfSense OpenVPN wizard when you created the OpenVPN server. I know it's the case, as when you connect to the ISP router's Wi-Fi, you can access the pfSense OpenVPN server. So that part is done.
NATing your ISP router: you have to do that.
This is an example of the NAT rule I use on my ISP router, so I can access my pfSense OpenVPN server:
where the 'equipment' called 'pfSense' is the WAN IP of my pfSense, which is 192.168.10.4 in my case.
I'm sure you will say: but what happens when my WAN IP changes? Do I need to modify my OpenVPN config file with the new IP?
Nope. That's why 'dyndns' exists.
And from now on, you use this host name (example: your-place-at-home.dyndns.tld) you've created with your dyndns account: you use "your-place-at-home.dyndns.tld" instead of the IP in your OpenVPN client config. pfSense, for example, can be set up so it updates the IP that your-place-at-home.dyndns.tld points to, if needed.
And from now on, when you use the DNS host name "your-place-at-home.dyndns.tld", it will get resolved to the WAN IP (your WAN IP), so you can connect home whenever you want.
-
@Gertjan hello sir/ma'am! Thank you for the reply and sorry for the late response. When you mean creating a NAT rule on my ISP device, this means creating a port-forwarding rule on my router's web interface, right? If so, I want to ask on which router should I do that, since there are 2 routers before my SG-2100.
The first one is from the ISP, the main router, router X; then on the ISP router, there are 4 LAN ports but I am using 2 LAN ports for 2 secondary routers, connected to their WAN, router Y and router Z. My SG-2100 is connected on router Y's LAN port. -
@Gertjan hello! Thank you for your response. I had created a port-forwarding rule on my router.
The internal IP address I inputted was the WAN address of my Netgate SG-2100.
I still cannot establish a remote VPN connection.
Am I doing something wrong? These are my firewall rules.
It says 0/0B on my WAN rules; does it mean no traffic is reaching my WAN?
I also put the IP address from whatsmyip into the server host name in the OVPN configuration.
-
This:
means on the pfSense all is ok.
This:
no UDP traffic, destination IP port 1194, was arriving on the pfSense WAN.
If you have an upstream router: you have to make a NAT rule on that router.
And you have to do this a second time, as you have 2 upstream routers.
It's ok to create a setup with a router1 behind router2 behind a router3 (and so on), but to reach "from the Internet" a port on router1 (port 1194, UDP, in this case) you have to create a NAT rule on router2 that NATs its WAN to the LAN (both on router2), using port 1194 and UDP on both sides.
And then the same thing again on router3.
Why did you list your LAN interface rules? OpenVPN server traffic arrives at the OpenVPN server running on your pfSense. T
What is a GASIONSERVER? And why UDP only?
Your OpenVPN server interface is only UDP ... are you sure?
edit:
When everything works, use TLS/SSL only (third option), and if you really have to, add also password authentication (sixth option) - do not use the others.
This: will do the trick.
-
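The chain of NAT rules described in the two replies above, as an added example that is not part of the thread: a small Python script that reads the `remote` lines of a client profile, flags a private (RFC1918) address that only works on the home LAN, and lists the inbound port-forward each upstream router needs so UDP/1194 reaches the pfSense WAN. The sample profile, router names and IPs are constructed for the example.

```python
import ipaddress
import re

# Constructed sample client profile (not from the thread); the first 'remote'
# is the pfSense WAN IP, which is private and only works from the home LAN.
SAMPLE_OVPN = """\
client
dev tun
remote 192.168.10.4 1194 udp
remote your-place-at-home.dyndns.tld 1194 udp
"""

# Routers between the Internet and pfSense, outermost first (constructed IPs):
# (router name, LAN-side IP of the next device the rule must forward to).
HOPS = [
    ("ISP router X", "192.168.1.2"),   # router Y's WAN IP
    ("router Y", "192.168.10.4"),      # pfSense's WAN IP
]

REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)(?:\s+(\d+))?(?:\s+(\S+))?", re.M)


def parse_remotes(profile):
    """Return (host, port, proto) per 'remote' line; missing fields take OpenVPN's defaults."""
    return [(host, int(port) if port else 1194, (proto or "udp").lower())
            for host, port, proto in REMOTE_RE.findall(profile)]


def usable_from_outside(host):
    """False for a private/loopback IP literal: the Internet cannot route to it."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True  # a DNS name (e.g. dyndns) is assumed to resolve to the public WAN IP


def required_forwards(port, proto, hops=HOPS):
    """One inbound NAT rule per upstream router, same port and protocol on both sides.
    pfSense itself needs only a WAN pass rule, because the server runs on pfSense."""
    return [(name, f"{proto}/{port} -> {target}:{port}") for name, target in hops]


def check_profile(profile, hops=HOPS):
    """Report, per remote, whether it is usable from outside and which rules are needed."""
    return [{"remote": host, "port": port, "proto": proto,
             "usable_outside": usable_from_outside(host),
             "forwards": required_forwards(port, proto, hops)}
            for host, port, proto in parse_remotes(profile)]
```

If a WAN rule on pfSense still shows 0/0B after every hop has its rule, the packets are dying at one of the upstream routers, not on pfSense.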
@Gertjan hello! Thank you. I isolated the network; I had set up a new network. There's only 1 router before pfSense.
On your question why I have LAN rules: because I was planning to bridge the OpenVPN and pfSense LAN networks, because I will be connecting a PC on pfSense's LAN that will host a web server.
I have an Ewon device installed on a remote site that can be configured as an OpenVPN client. This Ewon collects data from sensors on a remote building.
I want my Ewon to establish a VPN connection to my pfSense OpenVPN server.
Once established, I will be bridging the OpenVPN and pfSense LAN.
I then will connect my PC on the pfSense LAN.
This PC will host a web server that reads the data collected by the Ewon. -
@Gertjan GasionServer was the interface
of the OpenVPN server I created so I can bridge the OpenVPN and the pfSense LAN -
@Gertjan GASIONSERVER was UDP only because the Ewon protocol is UDP