ICMP through OpenVPN



  • I am in testing stages of doing Site to Client implementation of OpenVPN that is built into PFSense.  I am absolutely amazed at how well PFSense performs (great work).

    I am having a slight issue however, perhaps there is something small I am missing.

    I have a separate gateway on my lan that is at 10.100.251.2.  When I set up a PPTP Server and connect to the PPTP Server, this gateway is completely accessible.  I even have static routes in PFSense that go through this gateway.  It work like magic.

    However,  When I set-up OpenVPN,  I can ping and connect to every machine on the lan except this gateway.  I have ruled it down possibly to the fact that ICMP is not properly being ported through to this gateway.

    There is no way to directly configure OpenVPN in the Firewall rules, as there is with PPTP.

    Is this a known issue with OpenVPN or PFSense?

    I would really like to start using OpenVPN as I plan to do site-to-site bridging with it to our other offices.

    Again, a great piece of software, thank you kindly for all your hard work.



  • There IS a way to directly configure OpenVPN firewall rules, but it's not widely known nor talked about. It's through the LAN interface.

    Make a firewall rule on the LAN interface that is specific to this particular situation and put it on top. See if that helps.



  • @Helix26404:

    There IS a way to directly configure OpenVPN firewall rules, but it's not widely known nor talked about. It's through the LAN interface.

    Make a firewall rule on the LAN interface that is specific to this particular situation and put it on top. See if that helps.

    Most likely because that only handles one side of the conversation.  We do not talk about it because its not a real fix.

    Unless you control both ends of the tunnel you will feel secure but the oppisite is true.  Therefore we simply say there is no firewall rules possible on 1.0 across OpenVpn and IPSEC tunnels, but, we are working on this.



  • thanks for the suggestion…

    I gave it a try, but no luck... Essentially the "Default --> LAN any"  should be sufficient to pass this rule along to the OpenVPN, shouldn't it?

    It is good to know that OpenVPN rules are a planned feature!

    I will have to wait till this is implemented.. PPTP should be sufficient for my companies laptop users right now.

    Unless, there is some other suggestion..

    Thanks.



  • I couldn't use the Default -> LAN any, because I am using Outbound NAT. Therefore, I had to explicitly tell pfSense to pass traffic from any source to my destination network (the pfSense interface network) using it's own routing table (choose default on the gateway drop-down).



  • @sullrich:

    @Helix26404:

    There IS a way to directly configure OpenVPN firewall rules, but it's not widely known nor talked about. It's through the LAN interface.

    Make a firewall rule on the LAN interface that is specific to this particular situation and put it on top. See if that helps.

    Most likely because that only handles one side of the conversation.  We do not talk about it because its not a real fix.

    Unless you control both ends of the tunnel you will feel secure but the oppisite is true.  Therefore we simply say there is no firewall rules possible on 1.0 across OpenVpn and IPSEC tunnels, but, we are working on this.

    Gotcha. So this is why anyone in the remote network can access anything in the local network (pfSense-side if we're assuming it's the server) provided the routes are set up correctly on the client-side.

    I was racking my brain trying to figure out why I could get traffic IN through the tun0 interface, but I couldn't get OUT unless I was using the pfSense box itself. At first I thought it was a route issue, but then realized that the firewall was locking it down. Setting up explicit rules permitting traffic from any source to destination OPVN interface and destination OPVN remote network did the trick.

    Thanks for the elaboration from the "inside". :)


Log in to reply