OpenVPN Automatic Rule Generation?



  • Hello, I was troubleshooting one of my OpenVPN site-to-site connections because I was having trouble connecting to the remote site. It would work for a couple of hours and then not work. If I restarted both routers then the site might come up for a little while but was acting very erratic. After looking in the OpenVPN logs for some answers, something told me to check the firewall logs to see if the port was being blocked. It was being blocked! So my question is: when you set up a new OpenVPN Server connection, doesn't pfSense open that port for you? This particular server was using port 1196. I never had a problem with the server using port 1194. There was a rule for that but I don't remember adding it myself. Also, how was my port 1195 OVPN connection working? There was no rule for that.



  • Forgot to mention that the client site is running 2.1-RC0 (i386) built on Fri Jul 19 21:50:46 EDT 2013 and the server site is running 2.1-RC0 (i386) built on Thu May 23 19:52:31 EDT 2013 FreeBSD 8.3-RELEASE-p8.



  • What is the subnet you gave your pfSense? Is it 192.168.1.1 on the LAN?
    What subnet did you tell OpenVPN to use?
    Finally, what subnet is your client on?
    Is the client subnet the same as one your pfSense is using or that OpenVPN will assign to clients?
    Just wondering if there is some conflict from the same subnet being re-used in your mix somewhere?



  • No conflict,

    Local subnet 192.168.11.0/24
    remote subnet 192.168.120.0/24,192.168.121.0/24

    I have everything working now; I just added the needed ports to the WAN firewall rule. I'm just trying to understand the behavior of the OpenVPN settings. I thought, like IPsec, a rule was automatically generated for you so that I didn't need to do it. I have no problem opening the ports manually. Now that I'm looking at my home pfSense setup it looks like I have these ports opened up; I just didn't remember doing it myself.



  • Seems it's always automatically opened those ports for me unless I had some other rule already in place on those ports.
    Strange that you had to do it manually like that. I'm glad it works. Although, I don't see why it ever worked at all before if that's the case?
    As you said, there was apparently no rule in place, so it should not have worked at all for any period of time before.
    Are you 100% sure you didn't accidentally delete the rule after creating your OpenVPN server?
    Now that I have done.



  • It is possible that I did that; I tried making the server the opposite side when I couldn't get it to work reliably. Weird, I will have to play with this some more so we know the behavior. This is why we need the pfSense 2.1 book to come out! I'm ready to purchase.



  • You do have to make a rule manually. http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_(Shared_Key,_2.0) answered my own question. Sorry for my ignorance.



  • I'm still wondering why any port other than 1194 worked at all. I did have a rule to allow OpenVPN traffic. Does that cover a range of ports or just 1194? Is pfSense allowing additional ports to ingress the WAN connection? Like I said, it was problematic, but I was able to get communication between sites for a little while without allowing the specific ports needed by creating the firewall rule.



  • I'm 100% absolutely sure that my ports were opened automatically when I used the wizard to configure mine initially, because I would never have manually labelled them the way they are labelled. But mine here are not site-to-site, so that's probably the difference.

    I see they use no wizard for site-to-site setup in that how-to.


  • Yeah, the wizard creates the rules, otherwise you need to set up your own.



  • That is correct, I didn't use the wizard to make the site-to-site. I will do some further testing to make sure there is leakage of ports. For the record, I'm not saying that pfSense is leaky; I'm just noting that in my situation I was getting a flaky connection with my remote site. If I didn't have the port opened up I would expect no connection. I will document the steps if anyone wants to try to duplicate them.
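As an added example (not code from the thread or from pfSense), the check the first post describes, automated: scan pfSense firewall log lines for inbound UDP to the OpenVPN ports that was blocked on WAN, which is the symptom of a missing WAN pass rule. The WAN interface name `em0`, the log lines, and the pfSense 2.1 filterlog CSV field layout are assumptions.

```python
import csv
from collections import Counter

# OpenVPN server ports discussed in the thread (1194 default, 1195, 1196).
OPENVPN_PORTS = {1194, 1195, 1196}
WAN_IF = "em0"  # assumed WAN interface name

# Constructed sample lines in the assumed pfSense 2.1 filterlog syslog format:
# rule,sub-rule,anchor,tracker,iface,reason,action,dir,ipver,<IPv4 header>,src,dst,sport,dport,...
SAMPLE_LOG = """\
Aug  1 10:00:01 pfsense filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,64,12345,0,DF,17,udp,97,203.0.113.7,198.51.100.2,1196,1196,77
Aug  1 10:00:02 pfsense filterlog: 10,16777216,,1000000110,em0,match,pass,in,4,0x0,,64,12346,0,DF,17,udp,97,203.0.113.7,198.51.100.2,1194,1194,77
Aug  1 10:00:03 pfsense filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,64,12347,0,DF,6,tcp,60,203.0.113.9,198.51.100.2,44321,22,0,S
Aug  1 10:00:04 pfsense filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,64,12348,0,DF,17,udp,97,203.0.113.7,198.51.100.2,1196,1196,77
"""


def parse_line(line):
    """Parse one IPv4 filterlog line into the fields we need, or None."""
    marker = "filterlog: "
    pos = line.find(marker)
    if pos < 0:
        return None
    fields = next(csv.reader([line[pos + len(marker):]]))
    if len(fields) < 22 or fields[8] != "4":  # IPv4 only in this example
        return None
    return {
        "iface": fields[4], "action": fields[6], "direction": fields[7],
        "proto": fields[16], "src": fields[18], "dst": fields[19],
        "dport": int(fields[21]),
    }


def blocked_openvpn(log_text, wan_if=WAN_IF, ports=OPENVPN_PORTS):
    """Count blocked inbound UDP packets to OpenVPN ports, keyed by (src, dst, dport)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["iface"] == wan_if and rec["action"] == "block"
                and rec["direction"] == "in" and rec["proto"] == "udp"
                and rec["dport"] in ports):
            hits[(rec["src"], rec["dst"], rec["dport"])] += 1
    return hits


if __name__ == "__main__":
    for (src, dst, port), n in blocked_openvpn(SAMPLE_LOG).items():
        print(f"{n} blocked UDP packets {src} -> {dst}:{port}; WAN pass rule for udp/{port} is missing")
```

On a live box the same function can be fed the output of `clog /var/log/filter.log`; a non-empty result for a port your OpenVPN server listens on means the manual WAN rule the thread ends up recommending has not been created.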