Netgate Discussion Forum
    Help with Linux OpenVPN server behind pfSense

    Category: OpenVPN. 10 posts, 2 posters, 7.0k views.
      horost:

      I've had an OpenVPN server running behind my old Xincom dual wan router for a few years with no issues.  I've been running pfSense nanobsd 1.2.3-RELEASE in place of the Xincom for a few months now, but have not been able to access my OpenVPN server remotely with pfSense in front of it, although everything works fine if I swap the Xincom router back in.

      I have 2 WAN interfaces (WAN is PPPoE, OPT1 is DHCP) and 1 LAN interface (192.168.1.0 network) and have OpenVPN configured to use TCP with a http proxy to work around firewall issues when I'm connecting remotely with my PC.

      Based on how I got this working on my Xincom router, here's what I configured on pfSense to try to get OpenVPN working:

      • Forwarded TCP/UDP port 1194 on both WAN interfaces to the OpenVPN server 192.168.1.247 (see attached screen grab)

      • Forwarded TCP port 8888 on both WAN interfaces to port 3128 on the OpenVPN server 192.168.1.247 (see attached screen grab)

      • Set up static route for OpenVPN network (10.8.0.0) to use OpenVPN server 192.168.1.247 as gateway (see attached screen grab)

      • Enabled System->Advanced->Static route filtering->Bypass firewall rules for traffic on the same interface

      With this configuration, I get no acknowledgment from the OpenVPN client or server logs that any communication between them has taken place.  However, I do get firewall log entries for TCP:R and TCP:S traffic from source port 1194 on the OpenVPN 192.168.1.247 server to destination ports in the 60xxx range on the OPT1 interface.

      I'm probably missing something obvious with my pfSense configuration, but I would appreciate it if some of you more knowledgeable folks could point me in the right direction.

      Thanks!
      Attachments: port_forward3.jpg, static_route.jpg

        horost:

        I'm still stuck on this one.

        Is it possible that the pfSense native OpenVPN server configuration is causing a conflict?  Do I need to explicitly disable something within pfSense?

          kpa:

          Do you have firewall rules on WAN and OPT1 for OpenVPN traffic?

            horost:

            Hi kpa,

            Thanks for the response.  I neglected to share my firewall rules in my initial post.  I've attached the screengrabs below.

            Attachments: fw_WAN.jpg, fw_OPT1.jpg

              kpa:

              Turn on logging in your firewall rules to see if the OpenVPN connections are actually reaching the firewall. Also I think you will need to turn on "Bypass firewall rules for traffic on the same interface" option in System->Advanced.

                horost:

                Hi kpa,

                I already had "Bypass firewall rules for traffic on the same interface" enabled so I'm good to go there.

                I turned on logging for both OpenVPN firewall rules and do see some traffic being passed, although LAN traffic from the OpenVPN server to the WAN IP of the OpenVPN client (see screengrab) appears to be blocked.  Do I need to add a LAN rule to allow this?  I've also attached a screengrab of my LAN firewall rules for good measure.

                The OpenVPN logs never indicate any kind of acknowledgment that a connection attempt has been initiated when residing behind pfSense, but the OpenVPN server does work perfectly with my old Xincom router.

                Attachments: FW_log2.jpg, FW_LAN.jpg

                  kpa:

                  I think the problem is the failover pools on LAN rules, try with this rule as the first rule in LAN rules:

                  Proto: all
                  Source: any
                  Destination:  network 10.8.0.0/24 ( I'm assuming it's /24)
                  Gateway: default

                    horost:

                    @kpa:

                    I think the problem is the failover pools on LAN rules, try with this rule as the first rule in LAN rules:

                    Proto: all
                    Source: any
                    Destination:  network 10.8.0.0/24 ( I'm assuming it's /24)
                    Gateway: default

                    Unfortunately, no change with the new LAN rule:

                    Pass Aug 18 08:54:31 NG0 xxx.xxx.xxx.xxx:1524 192.168.1.247:1194 TCP:S
                    Pass Aug 18 08:54:58 NG0 xxx.xxx.xxx.xxx:1529 192.168.1.247:1194 TCP:S
                    Pass Aug 18 08:55:23 NG0 xxx.xxx.xxx.xxx:1531 192.168.1.247:1194 TCP:S
                    Block Aug 18 08:56:05 LAN 192.168.1.247:1194 xxx.xxx.xxx.xxx:1524 TCP:S
                    Block Aug 18 08:56:32 LAN 192.168.1.247:1194 xxx.xxx.xxx.xxx:1529 TCP:S
                    Block Aug 18 08:56:58 LAN 192.168.1.247:1194 xxx.xxx.xxx.xxx:1531 TCP:S

                      kpa:

                      Does it work if you disable the LAN rules with failover and use the default allow all rule on LAN?

                        horost:

                        Using the standard LAN rule with no failover produces the same result:

                        Pass Aug 18 11:02:58 NG0 xxx.xxx.xxx.xxx:1930 192.168.1.247:1194 TCP:S
                        Pass Aug 18 11:03:24 NG0 xxx.xxx.xxx.xxx:1933 192.168.1.247:1194 TCP:S
                        Pass Aug 18 11:03:50 NG0 xxx.xxx.xxx.xxx:1935 192.168.1.247:1194 TCP:S
                        Block Aug 18 11:04:31 LAN 192.168.1.247:1194 xxx.xxx.xxx.xxx:1930 TCP:S
                        Block Aug 18 11:04:58 LAN 192.168.1.247:1194 xxx.xxx.xxx.xxx:1933 TCP:S
                        Block Aug 18 11:05:24 LAN 192.168.1.247:1194 xxx.xxx.xxx.xxx:1935 TCP:S

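One way to check what the last two log excerpts in this thread are showing, as an added example that is not from any poster: a small Python script that parses pfSense firewall log lines in the format quoted above and pairs each blocked SYN leaving the OpenVPN server on LAN with the earlier passed inbound SYN it is answering, which is the signature of return traffic that matches no existing state. The sample log lines and the client address 203.0.113.5 are constructed, and the server address and port are assumed to be the thread's 192.168.1.247:1194.

```python
import re

# Constructed sample lines modelled on the pfSense 1.2.3 firewall log lines quoted in the
# thread; 203.0.113.5 is a documentation-range placeholder for the remote client's address.
SAMPLE_LOG = """\
Pass Aug 18 11:02:58 NG0 203.0.113.5:1930 192.168.1.247:1194 TCP:S
Pass Aug 18 11:03:24 NG0 203.0.113.5:1933 192.168.1.247:1194 TCP:S
Pass Aug 18 11:03:50 NG0 203.0.113.5:1935 192.168.1.247:1194 TCP:S
Block Aug 18 11:04:31 LAN 192.168.1.247:1194 203.0.113.5:1930 TCP:S
Block Aug 18 11:04:58 LAN 192.168.1.247:1194 203.0.113.5:1933 TCP:S
Block Aug 18 11:05:24 LAN 192.168.1.247:1194 203.0.113.5:1935 TCP:S
Pass Aug 18 11:06:00 LAN 192.168.1.50:40000 192.168.1.247:22 TCP:S
"""

# Action, timestamp, interface, src:port, dst:port, proto:flags
LINE_RE = re.compile(
    r"^(?P<action>Pass|Block)\s+(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+):(?P<flags>\S+)$"
)

def parse(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out

def find_unmatched_replies(entries, server_ip, server_port):
    """Pair each blocked SYN *from* the server with the earlier passed SYN *to* it.

    A server reply that shows up as a fresh, blocked SYN on another interface means pf
    holds no state for the forwarded connection: the return path is not hitting the
    inbound NAT state, so the reply is evaluated (and dropped) as a new connection.
    """
    inbound = {}  # (client_ip, client_port) -> (iface, ts) of the passed inbound SYN
    for e in entries:
        if e["action"] == "Pass" and e["dst"] == server_ip and e["dport"] == server_port and e["flags"] == "S":
            inbound[(e["src"], e["sport"])] = (e["iface"], e["ts"])
    problems = []
    for e in entries:
        if e["action"] == "Block" and e["src"] == server_ip and e["sport"] == server_port:
            key = (e["dst"], e["dport"])
            if key in inbound:
                in_iface, in_ts = inbound[key]
                problems.append({"client": f"{key[0]}:{key[1]}", "in_iface": in_iface,
                                 "in_ts": in_ts, "out_iface": e["iface"], "out_ts": e["ts"]})
    return problems

if __name__ == "__main__":
    for p in find_unmatched_replies(parse(SAMPLE_LOG), "192.168.1.247", "1194"):
        print(f"{p['client']}: SYN passed on {p['in_iface']} at {p['in_ts']}, "
              f"server reply blocked on {p['out_iface']} at {p['out_ts']}")
```

On the thread's real logs every forwarded SYN produces exactly one such pair, which points at the state and return path rather than at the WAN/OPT1 pass rules.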