Attempting to port forward with an OpenVPN client [SOLVED]



  • Hi everyone!

    I was using a dd-wrt flashed router to act as a VPN gateway to my OpenVPN provider. Things were good, the router was pretty stable but bottlenecked at around 700-800kB/s. The provider explained my router can only process a certain volume of throughput, that the processor could only crypt and decrypt so quickly. Their recommendation was to use a standalone box to serve as my router to the dd-wrt router as a switch/AP.

    Their first recommendation was Windows with ICS. I understand that would be simple and quick but I wanted to run something with more functionality. After some research I came across pfSense, so I put together a decent box, and found a tutorial to install pfSense and setup an OpenVPN client to serve encrypted internet to the LAN.

    I ran into a few speedbumps that made me turn off GW monitoring, and some issues with my old router trying to assign itself pfSense's IP. But I've since worked through those.

    My issue now is port forwarding. I'd love to be able to port forward again.. I've found a few guides on the forum but none seem to apply to my situation closely enough that I can make the necessary changes to get it to work. It'd be soo cool if someone could please help me out with this!!

    My set up is

    [MODEM] -> [WAN] -> [STRONGVPN] <-> [LAN]
    I Hope I formatted that properly.

    I've included some screenshots to assist anyone that would like to help. Please let me know if I can post any more screen shots to help.

    The forum will not let me attach the screenshots I took, so I've uploaded them to Imgur instead.
    http://imgur.com/a/Jzztk



  • On your outbound NAT page you have duplicates.  (is that because STRONGVPN is a physical interface?) There still looks to be unnecessary duplicates.

    I don't believe you need manual outbound nat rules but should use automatic for ease.

    On your OpenVPN page:   Treat those as incoming.   Your actually allowing everyone on the outside access to your LAN.

    So-    Source is the VPN company and destination is your LAN, if you really want to do that and my guess is you don't.

    Rules read from top to bottom on all interfaces..

    On your LAN rules the first rule will happen before the second.  It seems you want all traffic to go through your VPN connection.  Disable the first "out to everything" rule.



  • I'm in IT by trade but my focus is not in networking. I followed this link (http://swimminginthought.com/update-strongvpn-pfsense-working-file-config/) to get StrongVPN up and running. When I set this up I did so with no practical experience setting up such a router and only that guide to work from. So I don't fully understand all of the settings I configured… any time I tried to apply my own "knowledge" to fix something it made things worse so I stuck with what the tutorial showed.

    I mirrored all of his screenshots to get it working. Except for Aliases, I found I was able to get DHCP to work without having to configure that.

    My goal is to have all of my LAN traffic routed securely through the VPN, and to be able to forward ports to allow RDP and open the appropriate ports for network devices.

    On your outbound NAT page you have duplicates.  (is that because STRONGVPN is a physical interface?) There still looks to be unnecessary duplicates.

    No, I have 2 physical NIC's. LAN is xl0 and WAN is em0.

    On your OpenVPN page:  Treat those as incoming.  Your actually allowing everyone on the outside access to your LAN.

    So-    Source is the VPN company and destination is your LAN, if you really want to do that and my guess is you don't.

    I definitely don't want everyone having open access to my internal LAN that's for sure!!  :o

    Thank you for responding!!  :)



  • Yup!  :)

    Seems some of his work is not necessary but Ive never done anything with StrongVPN before so cant really comment.

    With my remote offices and clients I have connected back here I really have a minimal config but can access their entire network from here with them (clients) unable to do the same. But my remote offices can.

    As an example Ill post a shot of one of my clients and the rule that allows me access to their entire network from my office here.  He has no other rules than default and does not go out the VPN, but you get the idea…




  • Is your router showing a connection to StrongVPN?

    : Status / OpenVPN-






  • Is your router showing a connection to StrongVPN?

    : Status / OpenVPN-

    Yes, I am connected to StrongVPN.

    Take a peek here-

    http://forum.pfsense.org/index.php/topic,29944.0.html

    This is the tutorial I began with. I was confused by his Part two - Step one, he has four interfaces where I would only have two. At Part two - Step four, under System > Routing > Gateways, I only have two gateways, where he has three. After three attempts of setting it up and resetting pfSense, I gave up and looked for another tutorial. That's when I found the tutorial with more screenshots and had better success.

    When I get home, should I reset and try to reconfigure according to the tutorial on pfSense? Is it too far gone to work with?

    ![pfsenselocaldomain - Status OpenVPN.png_thumb](/public/imported_attachments/1/pfsenselocaldomain - Status OpenVPN.png_thumb)
    ![pfsenselocaldomain - Status OpenVPN.png](/public/imported_attachments/1/pfsenselocaldomain - Status OpenVPN.png)



  • Save your config.   Go to the Diagnostics page and to Backup/Restore.

    If you decide to try something else then you can easily go back.

    Since your connection is active then its just a matter of getting everything to route over the VPN.

    Im of the belief that this can be done simply with the VPN client page and the "Advanced Config" box on the client config page on pfSense.  (someone correct me if Im wrong.)

    Im doing a little playing here with that idea meantime as my day kinda changed.



  • Done and done. I've already made a backup and a full set of screenshots just in case the backup fails somehow I can recreate it manually.



  • http://doc.pfsense.org/Create-OpenVPN-client-to-TUVPNcom.pdf

    Start at page 9.  Might be some helpful hints…

    Im noting that routing seems to work different between using certs and using shared key.  I use shared key and it just works. If I try to do the same using certs, I connect fine but can't seem to route.

    Im doing some crash coarse stuff right now myself I guess.



  • It's working correctly, following ericab's tutorial.  ;D

    I want to route internet from address 192.168.1.123 through to the VPN so that if I connect via VPN_IP_Address:Forwarded_port, I am connecting to my home LAN IP 192.168.1.123. I'm just not sure on how to.. exactly..



  • Cool!   :)

    For your port forward go to   Firewall/NAT

    create a new Port Forward rule.

    Allow any

    Allow any port.

    Heres one I use for my HTTPS webpage-  If you follow my settings (obviously enter your ports and ip) it will build a firewall rules automatically when you click save then apply.      :)




  • I'm trying to create a port forward in NAT like you have in your screenshot but I'm not seeing "Rule NAT" under Filter Rule Association.

    ![pfsenselocaldomain - Firewall NAT Port Forward Edit 2013-04-27 16-25-24.png](/public/imported_attachments/1/pfsenselocaldomain - Firewall NAT Port Forward Edit 2013-04-27 16-25-24.png)
    ![pfsenselocaldomain - Firewall NAT Port Forward Edit 2013-04-27 16-25-24.png_thumb](/public/imported_attachments/1/pfsenselocaldomain - Firewall NAT Port Forward Edit 2013-04-27 16-25-24.png_thumb)



  • Use "Create New Associated Filter Rule".

    After that if you come back to edit that Rule NAT will be there.



  • Added the rule, using your screenshot as a guide. I'm trying to connect to port 8462 from open internet and it appears closed still.

    ![2013-04-28 09_24_51-pfsense.png](/public/imported_attachments/1/2013-04-28 09_24_51-pfsense.png)
    ![2013-04-28 09_24_51-pfsense.png_thumb](/public/imported_attachments/1/2013-04-28 09_24_51-pfsense.png_thumb)



  • On your firewall rules page /WAN    can you provide a screenshot of that rule?    Also on that rule turn on logging. That way if the attempts make it to the firewall they will show up in the system logs.




  • @esde:

    Added the rule, using your screenshot as a guide. I'm trying to connect to port 8462 from open internet and it appears closed still.

    Does the server on port 8462 need to be configured to allow connects from the open internet?



  • I did not see an option to enable logging for this specific rule.

    Also, wallabybob, yes the server is configured to listen on 8462. I just changed the default RDP port, when I am able to see an open port I can connect via RDP no problem. The port is just not showing as open for the VPN IP:Forwarded Port.  :-\

    Just to clarify on the last sentence, if I take out the pfSense router and replace it with my old dd-wrt router with 8462 forwarded through the VPN with iptables, the port will show open and I can connect via RDP. So the workstation/server (whatever term you prefer) that I'm trying to connect to is properly configured to accept connections. It seems the problem is definitely in the routing on the pfSense box.

    ![2013-04-28 09_24_51-pfsense.png_thumb](/public/imported_attachments/1/2013-04-28 09_24_51-pfsense.png_thumb)
    ![2013-04-28 09_24_51-pfsense.png](/public/imported_attachments/1/2013-04-28 09_24_51-pfsense.png)
    ![2013-04-28 17_28_29-pfsense.esdehome - Firewall_ Rules.png_thumb](/public/imported_attachments/1/2013-04-28 17_28_29-pfsense.esdehome - Firewall_ Rules.png_thumb)
    ![2013-04-28 17_28_29-pfsense.esdehome - Firewall_ Rules.png](/public/imported_attachments/1/2013-04-28 17_28_29-pfsense.esdehome - Firewall_ Rules.png)



  • I suspect your firewall rule for port 8462 is wrong but I don't know enough about your configuration. If you re really doing port forwarding (rather than routing) then the destination IP address in an incoming (on the WAN interface) connection to your server won't have a destination IP address = the server address, the destination IP address will probably be the WAN interface IP address.

    Further, the destination address in the rule is a private IP address so it will match the first rule and hence will be blocked.



  • I did not see an option to enable logging for this specific rule.

    Look at my example above.  The arrow points to the logging which is found on the firewall rule.

    I suspect your firewall rule for port 8462 is wrong but I don't know enough about your configuration. If you re really doing port forwarding (rather than routing) then the destination IP address in an incoming (on the WAN interface) connection to your server won't have a destination IP address = the server address, the destination IP address will probably be the WAN interface IP address.

    Further, the destination address in the rule is a private IP address so it will match the first rule and hence will be blocked.

    When you do a port forward- that is the way the associated rule is written by the box. Works here.



  • Ive got a feeling that on your WAN rule that the Gateway needs to be associated with the VPN but logging will help to see if anything is making it.



  • @chpalmer:

    When you do a port forward- that is the way the associated rule is written by the box. Works here.

    Yes, you are correct. My mistake

    But then, won't first firewall rule on the WAN interface block the (attempted) port forward?



  • @wallabybob:

    @chpalmer:

    When you do a port forward- that is the way the associated rule is written by the box. Works here.

    Yes, you are correct. My mistake

    But then, won't first firewall rule on the WAN interface block the (attempted) port forward?

    I see what your saying..  Doesn't affect me here.  I think that means initiated from a private network…



  • Don't do the Port Forward on the WAN, place it on the StrongVPN interface as incoming traffic on the public vpn IP address will 'appear' on your strong VPN interface which is where you also need to place an allow rule.



  • @thermo:

    Don't do the Port Forward on the WAN, place it on the StrongVPN interface as incoming traffic on the public vpn IP address will 'appear' on your strong VPN interface which is where you also need to place an allow rule.

    Thank you sir, for your time and help!!! The port is now forwarded!!!  ;D ;D ;D

    Also, thank you to chpalmer and and wallabybob!!!



  • Don't do the Port Forward on the WAN, place it on the StrongVPN interface as incoming traffic on the public vpn IP address will 'appear' on your strong VPN interface which is where you also need to place an allow rule.

    Of coarse!  ::)    (hanging head in shame)

    Awsome- glad you got it going!  And thanks Thermo!  :)



  • @chpalmer:

    Don't do the Port Forward on the WAN, place it on the StrongVPN interface as incoming traffic on the public vpn IP address will 'appear' on your strong VPN interface which is where you also need to place an allow rule.

    Of coarse!   ::)    (hanging head in shame)

    You weren't the only one. I thought since the port forward was on the WAN it must be a new problem. Details!



  • The actual interface is the VPN so the rule applies there.

    Even though its a WAN connection the VPN passes through it and is therefore encrypted.


Log in to reply