Portforwarding while using a public VPN provider
-
Hello!
I have setup my pfSense box to connect to a public VPN service (vpntunnel.se), and to use this tunnel for all traffic. In order to get routing to work, I had to setup outbound NAT to the OpenVPN tunnel.
I am having problems configuring portforwarding when using the OpenVPN tunnel. I have create a rule in the NAT overview, and chose to create a corresponding filter. Here is a screenshot of my configuration:
http://bildr.no/view/732992Is there anything in particular I need to do to allow access when using a OpenVPN adapter? The log entries show that the connections are blocked by the default block rule. Here is a example from my logs: http://pastebin.com/gzWduvZv
If I click the block icon in the log, the following explanation pops up:
The rule that triggered this action is: @2 block drop in log all label "Default deny rule"Is there any more information I can provide?
Thanks for your help, it's much appreciated.
- Zappza
-
Hmm, NAT rule for OpenVPN interface with Destination WAN…
So the traffic is then blocked at the WAN interface (by the default rule)?
The corresponding filter rule also has WAN as destination?
-
Hi!
Thanks for your reply.No, the filter rule has my server's local IP as destination. 192.168.4.9.
I just tried to set the destination to the IP I was provided by the VPN provider, and voilà! It works. This is far from an ideal solution though, as my IP address changes each time I reconnect to the VPN. Is there anything I can do to avoid loosing portforwarding when my connection drops?
-
Nice to hear that it works! 8)
I will probably also try their service, nice to see an VPN service provider that forwards all the ports to your public OpenVPN IP :)
Does your OpenVPN connection "renegotiate" every time your ISP's DHCP lease time renews?
And if that's true, does the IP (from vpntunnel.se) change every time that happens? Or is it only changing when you manually disconnect and later connect again?
-
If you disable NAT reflection for the rule, you should be able to just specify "any" for the destination without any problems.
-
Nice to hear that it works! 8)
I will probably also try their service, nice to see an VPN service provider that forwards all the ports to your public OpenVPN IP :)
Does your OpenVPN connection "renegotiate" every time your ISP's DHCP lease time renews?
And if that's true, does the IP (from vpntunnel.se) change every time that happens? Or is it only changing when you manually disconnect and later connect again?
I seems that the connection renegotiates when it needs to. I can't tell for sure, as I don't know when the DHCP lease expires, and the log gets filled up with en-/decryption related messages. What I can tell you, is that it's a set and forget solution. Once you get the connection configured properly, it works. You don't have to manually reconnect or anything, it's all happening automaticly.
I will try to monitor my public IP, but it doesn't really matter to me, as I use dynamic DNS anyway. I'll post a guide with instructions to set up the tunnel, as there was some tweaking needed.
If you need it immediatly, send me a PM and I'll send you the document. At the moment it's mostly my own rabbelings, and it needs to be rewritten.
@Efonne:If you disable NAT reflection for the rule, you should be able to just specify "any" for the destination without any problems.
I just tried that, but sadly it didn't work. I get an error while trying to apply the rule.
There were error(s) loading the rules: /tmp/rules.debug:49: syntax error/tmp/rules.debug:50: syntax error pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [49]: no nat on openvpn proto tcp from (openvpn) to / ... -
Just posted my guide:
http://forum.pfsense.org/index.php/topic,28969.0.htmlI'll update it with instructions for portforwarding ASAP.
-
-
I will try to monitor my public IP, but it doesn't really matter to me, as I use dynamic DNS anyway.
Do you get a public IP on the VPN? If so and if you are using dynamic DNS for your address on the VPN, you could use your dynamic DNS host name as destination by putting it in an alias and then using that alias for destination. When the rules are loaded, it will automatically be resolved to the IP address.
This would also work even if it isn't a public IP if you are updating a dynamic DNS host name with your actual address on the VPN, rather than the public IP seen when you access things through the VPN. Basically, you would just need some host name updated with the address your pfSense box is getting assigned to it.
-
That appeared to work! Thanks a lot!