Netgate Discussion Forum

Help with Linux OpenVPN server behind pfSense

Category: OpenVPN
10 Posts, 2 Posters, 7.0k Views
horost, Aug 6, 2010, 3:47 PM

I've had an OpenVPN server running behind my old Xincom dual-WAN router for a few years with no issues. I've been running pfSense nanobsd 1.2.3-RELEASE in place of the Xincom for a few months now, but have not been able to access my OpenVPN server remotely with pfSense in front of it, although everything works fine if I swap the Xincom router back in.

I have 2 WAN interfaces (WAN is PPPoE, OPT1 is DHCP) and 1 LAN interface (192.168.1.0 network), and have OpenVPN configured to use TCP with an HTTP proxy to work around firewall issues when I'm connecting remotely with my PC.

Based on how I got this working on my Xincom router, here's what I configured on pfSense to try to get OpenVPN working:

• Forwarded TCP/UDP port 1194 on both WAN interfaces to the OpenVPN server 192.168.1.247 (see attached screen grab)
• Forwarded TCP port 8888 on both WAN interfaces to port 3128 on the OpenVPN server 192.168.1.247 (see attached screen grab)
• Set up a static route for the OpenVPN network (10.8.0.0) using the OpenVPN server 192.168.1.247 as gateway (see attached screen grab)
• Enabled System -> Advanced -> Static route filtering -> "Bypass firewall rules for traffic on the same interface"

With this configuration, I get no acknowledgment from the OpenVPN client or server logs that any communication between them has taken place. However, I do get firewall log entries for TCP:R and TCP:S traffic from source port 1194 on the OpenVPN server 192.168.1.247 to destination ports in the 60xxx range on the OPT1 interface.

I'm probably missing something obvious with my pfSense configuration, but I would appreciate it if some of you more knowledgeable folks could point me in the right direction.

Thanks!

Attachments: port_forward3.jpg, static_route.jpg
horost, Aug 17, 2010, 1:41 PM

I'm still stuck on this one.

Is it possible that the pfSense native OpenVPN server configuration is causing a conflict? Do I need to explicitly disable something within pfSense?
kpa, Aug 17, 2010, 2:06 PM

Do you have firewall rules on WAN and OPT1 for OpenVPN traffic?
horost, Aug 17, 2010, 2:54 PM

Hi kpa,

Thanks for the response. I neglected to share my firewall rules in my initial post. I've attached the screengrabs below.

Attachments: fw_WAN.jpg, fw_OPT1.jpg
kpa, Aug 17, 2010, 10:41 PM

Turn on logging in your firewall rules to see if the OpenVPN connections are actually reaching the firewall. Also, I think you will need to turn on the "Bypass firewall rules for traffic on the same interface" option in System -> Advanced.
horost, Aug 18, 2010, 12:28 PM

Hi kpa,

I already had "Bypass firewall rules for traffic on the same interface" enabled, so I'm good to go there.

I turned on logging for both OpenVPN firewall rules and do see some traffic being passed, although LAN traffic from the OpenVPN server to the WAN IP of the OpenVPN client (see screengrab) appears to be blocked. Do I need to add a LAN rule to allow this? I've also attached a screengrab of my LAN firewall rules for good measure.

The OpenVPN logs never indicate any kind of acknowledgment that a connection attempt has been initiated when residing behind pfSense, but the OpenVPN server does work perfectly with my old Xincom router.

Attachments: FW_log2.jpg, FW_LAN.jpg
kpa, Aug 18, 2010, 12:43 PM

I think the problem is the failover pools on the LAN rules. Try with this rule as the first rule in the LAN rules:

Proto: all
Source: any
Destination: network 10.8.0.0/24 (I'm assuming it's /24)
Gateway: default
horost, Aug 18, 2010, 1:04 PM

@kpa:

    I think the problem is the failover pools on the LAN rules. Try with this rule as the first rule in the LAN rules:

    Proto: all
    Source: any
    Destination: network 10.8.0.0/24 (I'm assuming it's /24)
    Gateway: default

Unfortunately, no change with the new LAN rule:

Pass Aug 18 08:54:31 NG0 xxx.xxx.xxx.xxx:1524 192.168.1.247:1194 TCP:S
Pass Aug 18 08:54:58 NG0 xxx.xxx.xxx.xxx:1529 192.168.1.247:1194 TCP:S
Pass Aug 18 08:55:23 NG0 xxx.xxx.xxx.xxx:1531 192.168.1.247:1194 TCP:S
Block Aug 18 08:56:05 LAN 192.168.1.247:1194 xxx.xxx.xxx.xxx:1524 TCP:S
Block Aug 18 08:56:32 LAN 192.168.1.247:1194 xxx.xxx.xxx.xxx:1529 TCP:S
Block Aug 18 08:56:58 LAN 192.168.1.247:1194 xxx.xxx.xxx.xxx:1531 TCP:S
kpa, Aug 18, 2010, 2:40 PM

Does it work if you disable the LAN rules with failover and use the default allow-all rule on LAN?
horost, Aug 18, 2010, 3:09 PM

Using the standard LAN rule with no failover produces the same result:

Pass Aug 18 11:02:58 NG0 xxx.xxx.xxx.xxx:1930 192.168.1.247:1194 TCP:S
Pass Aug 18 11:03:24 NG0 xxx.xxx.xxx.xxx:1933 192.168.1.247:1194 TCP:S
Pass Aug 18 11:03:50 NG0 xxx.xxx.xxx.xxx:1935 192.168.1.247:1194 TCP:S
Block Aug 18 11:04:31 LAN 192.168.1.247:1194 xxx.xxx.xxx.xxx:1930 TCP:S
Block Aug 18 11:04:58 LAN 192.168.1.247:1194 xxx.xxx.xxx.xxx:1933 TCP:S
Block Aug 18 11:05:24 LAN 192.168.1.247:1194 xxx.xxx.xxx.xxx:1935 TCP:S
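Both log excerpts in this thread show the same shape: an inbound SYN passed on the WAN side to 192.168.1.247:1194, and roughly 90 seconds later a packet from 192.168.1.247:1194 back to the same client socket blocked on LAN. The script below is an added example, not code from the forum, from horost or from pfSense; it parses lines in the format posted above, pairs each inbound pass with the blocked reply for the same client socket, measures the lag between them, and separately lists packets the server sends to peer sockets that no inbound pass ever introduced (the TCP:R / TCP:S entries to 60xxx ports mentioned in the first post). The client address 203.0.113.5 and the OPT1 line in the sample are constructed stand-ins; the server address, port and timestamps follow the posts.

```python
"""Correlate pfSense filter-log lines to find port-forwarded connections whose
replies are blocked. Added example for this thread, not code from the forum,
from horost or from pfSense. Line shape follows the entries posted above
(Action Date Time Interface src:port dst:port PROTO:flags). 203.0.113.5 is a
constructed stand-in for the redacted client; the OPT1 line is constructed too.
"""
import re
from dataclasses import dataclass
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<action>Pass|Block)\s+(?P<stamp>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<iface>\S+)\s+(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)\s+"
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)\s+(?P<proto>TCP|UDP)(?::(?P<flags>[A-Z]+))?$"
)

# Constructed sample shaped like the excerpt in the thread (server and port are real).
SAMPLE_LOG = """\
Pass Aug 18 08:54:31 NG0 203.0.113.5:1524 192.168.1.247:1194 TCP:S
Pass Aug 18 08:54:58 NG0 203.0.113.5:1529 192.168.1.247:1194 TCP:S
Pass Aug 18 08:55:23 NG0 203.0.113.5:1531 192.168.1.247:1194 TCP:S
Block Aug 18 08:56:05 LAN 192.168.1.247:1194 203.0.113.5:1524 TCP:S
Block Aug 18 08:56:32 LAN 192.168.1.247:1194 203.0.113.5:1529 TCP:S
Block Aug 18 08:56:58 LAN 192.168.1.247:1194 203.0.113.5:1531 TCP:S
Block Aug 18 08:57:10 OPT1 192.168.1.247:1194 203.0.113.5:60412 TCP:R
"""


@dataclass(frozen=True)
class Entry:
    action: str
    stamp: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str


def parse_log(text):
    """Parse filter-log lines into Entry records; non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            g = m.groupdict()
            out.append(Entry(g["action"], g["stamp"], g["iface"], g["src"], int(g["sport"]),
                             g["dst"], int(g["dport"]), g["proto"], g["flags"] or ""))
    return out


def seconds_between(earlier, later):
    """Gap in seconds between two entries' timestamps (same day assumed)."""
    fmt = "%b %d %H:%M:%S"
    return int((datetime.strptime(later.stamp, fmt) - datetime.strptime(earlier.stamp, fmt)).total_seconds())


def blocked_replies(entries, server, port):
    """Pair each inbound Pass to server:port with a later Block of its reply.

    The Pass on the WAN-side interface is where pf creates the state the reply
    should match. A logged Block for server:port -> the same client socket means
    that reply matched no state, was evaluated against the ruleset on the
    interface where it arrived, and hit a deny: the pattern in this thread.
    """
    inbound, pairs = {}, []
    for e in entries:
        if e.action == "Pass" and e.dst == server and e.dport == port:
            inbound[(e.src, e.sport)] = e
        elif e.action == "Block" and e.src == server and e.sport == port:
            orig = inbound.get((e.dst, e.dport))
            if orig is not None:
                pairs.append((orig, e))
    return pairs


def orphan_server_packets(entries, server, port):
    """Packets from server:port to a peer socket that no inbound Pass introduced,
    like the TCP:R / TCP:S entries to 60xxx ports horost saw on OPT1."""
    seen = {(e.src, e.sport) for e in entries
            if e.action == "Pass" and e.dst == server and e.dport == port}
    return [e for e in entries
            if e.src == server and e.sport == port and (e.dst, e.dport) not in seen]


def report(text, server="192.168.1.247", port=1194):
    """Summarise an excerpt: how many forwarded connections lost their reply, where, and how late."""
    entries = parse_log(text)
    pairs = blocked_replies(entries, server, port)
    return {
        "inbound_passes": sum(1 for e in entries if e.action == "Pass" and e.dst == server and e.dport == port),
        "blocked_replies": len(pairs),
        "reply_block_ifaces": sorted({b.iface for _, b in pairs}),
        "max_reply_lag_s": max((seconds_between(a, b) for a, b in pairs), default=0),
        "orphans": len(orphan_server_packets(entries, server, port)),
    }
```

Call `report(SAMPLE_LOG)` (or paste a real excerpt from Status -> System logs -> Firewall) to get the counts. Two things the output makes easy to compare against Diagnostics -> States while a client attempt is in flight: the interface on which the reply is being blocked, and the lag between the inbound SYN and the blocked reply, which in these excerpts is well over a minute rather than the milliseconds a SYN-ACK normally takes.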
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.