Help with Linux OpenVPN server behind pfSense



  • I've had an OpenVPN server running behind my old Xincom dual wan router for a few years with no issues.  I've been running pfSense nanobsd 1.2.3-RELEASE in place of the Xincom for a few months now, but have not been able to access my OpenVPN server remotely with pfSense in front of it, although everything works fine if I swap the Xincom router back in.

    I have 2 WAN interfaces (WAN is PPPoE, OPT1 is DHCP) and 1 LAN interface (192.168.1.0 network) and have OpenVPN configured to use TCP with a http proxy to work around firewall issues when I'm connecting remotely with my PC.

    Based on how I got this working on my Xincom router, here's what I configured on pfSense to try to get OpenVPN working:

    • Forwarded port TCP/UDP port 1194 on both WAN interfaces to the OpenVPN server 192.168.1.247 (see attached screen grab)

    • Forwarded port TCP port 8888 on both WAN interfaces to port 3128 on the OpenVPN server 192.168.1.247 (see attached screen grab)

    • Set up static route for OpenVPN network (10.8.0.0) to use OpenVPN server 192.168.1.247 as gateway (see attached screen grab)

    • Enabled System->Advanced->Static route filtering->Bypass firewall rules for traffic on the same interface

    With this configuration, I get no acknowledgment from the OpenVPN client or server logs that any communication between them has taken place.  However, I do get firewall log entries for TCP:R and TCP:S traffic from source port 1194 on the OpenVPN 192.168.1.247 server to destination ports in the 60xxx range on the OPT1 interface.

    I'm probably missing something obvious with my pfSense configuration, but I would appreciate it if some of you more knowledgeable folks could point me in the right direction.

    Thanks!





  • I'm still stuck on this one.

    Is it possible that the pfSense native OpenVPN server configuration is causing a conflict?  Do I need to explicitly disable something within pfSense?  ???



  • Do you have firewall rules on WAN and OPT1 for OpenVPN traffic?



  • Hi kpa,

    Thanks for the response.  I neglected to share my firewall rules in my initial post.  I've attached the screengrabs below.






  • Turn on logging in your firewall rules to see if the OpenVPN connections are actually reaching the firewall. Also I think you will need to turn on "Bypass firewall rules for traffic on the same interface" option in System->Advanced.



  • Hi kpa,

    I already had "Bypass firewall rules for traffic on the same interface" enabled so I'm good to go there.

    I turned on logging for both OpenVPN firewall rules and do see some traffic being passed, although LAN traffic from the OpenVPN server to the WAN IP of the OpenVPN client (see screengrab) appears to be blocked.  Do I need to add a LAN rule to allow this?  I've also attached a screengrab of my LAN firewall rules for good measure.

    The OpenVPN logs never indicate any kind of acknowledgment that a connection attempt has been initiated when residing behind pfSense, but the OpenVPN server does work perfectly with my old Xincom router.






  • I think the problem is the failover pools on LAN rules, try with this rule as the first rule in LAN rules:

    Proto: all
    Source: any
    Destination:  network 10.8.0.0/24 ( I'm assuming it's /24)
    Gateway: default



  • @kpa:

    I think the problem is the failover pools on LAN rules, try with this rule as the first rule in LAN rules:

    Proto: all
    Source: any
    Destination:  network 10.8.0.0/24 ( I'm assuming it's /24)
    Gateway: default

    Unfortunately, no change with the new LAN rule:

    Pass Aug 18 08:54:31 NG0 xxx.xxx.xxx.xxx:1524 192.168.1.247:1194 TCP:S
    Pass Aug 18 08:54:58 NG0 xxx.xxx.xxx.xxx:1529 192.168.1.247:1194 TCP:S
    Pass Aug 18 08:55:23 NG0 xxx.xxx.xxx.xxx:1531 192.168.1.247:1194 TCP:S
    Block Aug 18 08:56:05 LAN 192.168.1.247:1194 xxx.xxx.xxx.xxx:1524 TCP:S
    Block Aug 18 08:56:32 LAN 192.168.1.247:1194 xxx.xxx.xxx.xxx:1529 TCP:S
    Block Aug 18 08:56:58 LAN 192.168.1.247:1194 xxx.xxx.xxx.xxx:1531 TCP:S



  • Does it work if you disable the LAN rules with failover and use the default allow all rule on LAN?



  • Using the standard LAN rule with no failover produces the same result:

    Pass Aug 18 11:02:58 NG0 xxx.xxx.xxx.xxx:1930 192.168.1.247:1194 TCP:S
    Pass Aug 18 11:03:24 NG0 xxx.xxx.xxx.xxx:1933 192.168.1.247:1194 TCP:S
    Pass Aug 18 11:03:50 NG0 xxx.xxx.xxx.xxx:1935 192.168.1.247:1194 TCP:S
    Block Aug 18 11:04:31 LAN 192.168.1.247:1194 xxx.xxx.xxx.xxx:1930 TCP:S
    Block Aug 18 11:04:58 LAN 192.168.1.247:1194 xxx.xxx.xxx.xxx:1933 TCP:S
    Block Aug 18 11:05:24 LAN 192.168.1.247:1194 xxx.xxx.xxx.xxx:1935 TCP:S


Log in to reply