PfSense as OpenVPN client - no traffic through tunnel



  • I have no idea what I have done wrong here…

    I have configured an OpenVPN tunnel that I have confirmed is up and running.

    From the pfSense box I can ping the remote internal LAN interface on the router:

    From a client on the internal LAN on my side I can't get traffic across:

    I am quite certain I have the gateway set up properly:

    And I have an interface configured:

    The status page for the OpenVPN tunnel shows it as up (not sure what is going on with those latency times!):

    Routing table on the pfSense box looks correct to me:

    I have set a firewall rule for this interface (not sure if that was needed):

    NAT has been left set to auto.

    You can see here in a packet capture that the ICMP request goes from the tunnel endpoint address (10.22.22.6) to the remote router (192.168.12.1) and the ICMP reply comes back but I never see it on a local LAN subnet machine (on the 192.168.10.0/24 network).

    Can anyone please help me get this sorted?



  • First, let's clarify your intentions.  What are you trying to do?  Site-to-site tunnel?  Connect to a VPN service and use it as your WAN?



  • @marvosa:

    First, let's clarify your intentions.  What are you trying to do?  Site-to-site tunnel?  Connect to a VPN service and use it as your WAN?

    Sorry - I should have explained that.

    I am trying to get a site to site tunnel up. On this end I am on a 192.168.10.0/24 subnet and the remote side (OpenVPN server side) is a 192.168.12.0/24 subnet. I am using the pfSense box as the OpenVPN client.

    My remote end server conf file:

    daemon
    server 10.22.22.0 255.255.255.0
    proto udp
    port 23012
    dev tun22
    cipher AES-256-CBC
    keepalive 15 60
    verb 3
    tls-auth static.key 0
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status
    
    # Custom Configuration
    route 192.168.10.0 255.255.255.0
    

    The OpenVPN client config:

    dev ovpnc2
    dev-type tun
    dev-node /dev/tun2
    writepid /var/run/openvpn_client2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local xxx.243.xxx.86
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client2.sock unix
    remote xxxxxx.dyndns.org 23012
    ifconfig 10.22.22.2 10.22.22.1
    route 192.168.12.0 255.255.255.0
    ca /var/etc/openvpn/client2.ca 
    cert /var/etc/openvpn/client2.cert 
    key /var/etc/openvpn/client2.key 
    tls-auth /var/etc/openvpn/client2.tls-auth 1
    resolv-retry infinite
    


  • @ilium007:

    @marvosa:

    First, let's clarify your intentions.  What are you trying to do?  Site-to-site tunnel?  Connect to a VPN service and use it as your WAN?

    Sorry - I should have explained that.

    I am trying to get a site to site tunnel up. On this end I am on a 192.168.10.0/24 subnet and the remote side (OpenVPN server side) is a 192.168.12.0/24 subnet. I am using the pfSense box as the OpenVPN client.

    My remote end server conf file:

    daemon
    server 10.22.22.0 255.255.255.0
    proto udp
    port 23012
    dev tun22
    cipher AES-256-CBC
    keepalive 15 60
    verb 3
    tls-auth static.key 0
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status
    
    # Custom Configuration
    route 192.168.10.0 255.255.255.0
    

    The OpenVPN client config:

    dev ovpnc2
    dev-type tun
    dev-node /dev/tun2
    writepid /var/run/openvpn_client2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local xxx.243.xxx.86
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client2.sock unix
    remote xxxxxx.dyndns.org 23012
    ifconfig 10.22.22.2 10.22.22.1
    route 192.168.12.0 255.255.255.0
    ca /var/etc/openvpn/client2.ca 
    cert /var/etc/openvpn/client2.cert 
    key /var/etc/openvpn/client2.key 
    tls-auth /var/etc/openvpn/client2.tls-auth 1
    resolv-retry infinite
    

    As I said earlier - the VPN is up. I can ping the remote router (192.168.12.1) from the pfSense box, just not from a client on the 192.168.10.0/24 network.

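An added check, not tooling from the thread or from pfSense: a small linter that parses the two configs quoted above and reports which routing directives a routed (non-NAT) LAN-to-LAN tunnel needs on each side. The configs are constructed copies of the quoted directives; the client-config-dir (`iroute`) entry is assumed absent because the thread does not show one.

```python
"""Lint OpenVPN server/client configs for routed site-to-site directives (added example)."""

# Constructed copies of the routing-relevant lines quoted in the thread.
SERVER_CONF = """
server 10.22.22.0 255.255.255.0
dev tun22
# Custom Configuration
route 192.168.10.0 255.255.255.0
"""
CLIENT_CONF = """
client
ifconfig 10.22.22.2 10.22.22.1
route 192.168.12.0 255.255.255.0
"""
CCD_CONF = ""  # assumption: no client-config-dir file for this client (none shown in the thread)
CLIENT_LAN = "192.168.10.0 255.255.255.0"  # pfSense (client) side LAN
SERVER_LAN = "192.168.12.0 255.255.255.0"  # remote (server) side LAN


def parse(conf):
    """Split an OpenVPN config into (directive, args); drops comments, blanks and quotes."""
    entries = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].replace('"', "").strip()
        if line:
            word, *args = line.split()
            entries.append((word, args))
    return entries


def nets(entries, directive, skip=0):
    """Set of 'network netmask' strings given to a directive (skip=1 for push "route ...")."""
    return {" ".join(a[skip:skip + 2]) for d, a in entries if d == directive and len(a) >= skip + 2}


def check_site_to_site(server_conf, client_conf, ccd_conf, client_lan, server_lan):
    """Return a list of findings; an empty list means the routing directives are complete."""
    srv, cli, ccd = parse(server_conf), parse(client_conf), parse(ccd_conf)
    findings = []
    # 'route' on the server installs the kernel route for client_lan into the tun device.
    if client_lan not in nets(srv, "route"):
        findings.append(f"server: missing 'route {client_lan}'")
    # 'iroute' tells the OpenVPN server process which client owns client_lan; without it the
    # server drops tunnel packets sourced from that LAN ('bad source address from client').
    if client_lan not in nets(ccd, "iroute"):
        findings.append(f"server: missing 'iroute {client_lan}' in the client's ccd file")
    # The client needs a route to server_lan, either local or pushed by the server.
    if server_lan not in nets(cli, "route") | nets(srv, "push", skip=1):
        findings.append(f"client: missing 'route {server_lan}' (local or pushed)")
    return findings


def lint_thread_configs():
    """Run the check against the constructed copies of the thread's configs."""
    return check_site_to_site(SERVER_CONF, CLIENT_CONF, CCD_CONF, CLIENT_LAN, SERVER_LAN)
```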


  • From what I can see, the server end does not reply to packets from the client LAN (192.168.10*). Does the server end have firewall rules to allow incoming packets from 192.168.10.*?



  • @phil.davis:

    From what I can see, the server end does not reply to packets from the client LAN (192.168.10*). Does the server end have firewall rules to allow incoming packets from 192.168.10.*?

    Yes it does. I can use the exact same certs and config on a software client (Viscosity on OSX) and it works fine.



    • Set NAT to manual; saved; applied changes

    • Set a F/W rule to route ALL traffic via gateway; pings came alive and I confirmed by going to whatismyip.com I was routing all traffic via remote VPN router.

    • Removed the above rule and pings keep going and confirmed I was no longer sending all traffic via remote VPN router by going back to whatismyip.com and could see my local IP



  • @ilium007:

    • Set NAT to manual; saved; applied changes

    • Set a F/W rule to route ALL traffic via gateway; pings came alive and I confirmed by going to whatismyip.com I was routing all traffic via remote VPN router.

    • Removed the above rule and pings keep going and confirmed I was no longer sending all traffic via remote VPN router by going back to whatismyip.com and could see my local IP

    Furthermore, I have set firewall rules on the 'OpenVPN' tab, the 'xxxxVPN' tab (the interface I created) and the 'LAN' tab in the firewall rules section to block traffic and I can still freely push traffic across the VPN tunnel.

    How do you apply F/W rules to VPN traffic?



  • The rules on OpenVPN and the OpenVPN interface you created apply to new traffic flows arriving in at those interfaces (i.e. new traffic originating from the other end of the VPN link). When you start a ping from your end, it gets going based on rules on LAN that allow the first packet, then the ping/echo reply will get paired up with the original ping and be allowed back through the firewall regardless of the rules on the OpenVPN tab(s).
    The OpenVPN interface you created is not normally needed for what you are doing. A normal site-to-site link that routes between some private subnets will work fine by:
    a) putting the appropriate subnets in the Local Network and Remote Network fields of the OpenVPN GUI. This makes the routes happen.
    b) Adding firewall rules on the general OpenVPN tab (and equivalent at the other end) to allow the traffic you want to come in on the OpenVPN.
    c) Adding firewall rules on LAN to allow traffic from LAN subnet to the remote subnet (probably there is already a rule to allow all, which does the job).
    There should be no need to add policy-routing rules.

    Perhaps try to simplify things - remove the OpenVPN interface you made, and the policy-routing rules, and just have an "ordinary" site-to-site link.

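A toy model of the stateful, per-interface rule evaluation described in the reply above, added here as an illustration (not pfSense code). Rules are consulted only for the first packet of a flow, on the interface where that packet arrives; later packets in either direction match the state that packet created, so a block rule on the OpenVPN tab never sees the echo reply. Interface names, rule tuples and addresses are constructed for the demo.

```python
"""Stateful per-interface filtering, modelled on the thread's LAN/OpenVPN case (added example)."""
from collections import namedtuple

# iface is the interface the packet arrives on (the only place its rules are evaluated).
Packet = namedtuple("Packet", "iface src dst proto")


class StatefulFirewall:
    def __init__(self, rules):
        # rules: {iface: [(action, src_prefix, dst_prefix), ...]}, first match wins.
        self.rules = rules
        self.states = set()  # flows already allowed, stored as (src, dst, proto)

    def _rule_action(self, pkt):
        for action, src, dst in self.rules.get(pkt.iface, []):
            if pkt.src.startswith(src) and pkt.dst.startswith(dst):
                return action
        return "block"  # default deny: anything not explicitly passed is dropped

    def handle(self, pkt):
        flow = (pkt.src, pkt.dst, pkt.proto)
        reply = (pkt.dst, pkt.src, pkt.proto)
        if flow in self.states or reply in self.states:
            return "pass (state)"  # interface rules are not consulted at all
        action = self._rule_action(pkt)
        if action == "pass":
            self.states.add(flow)  # remember the flow so its reply is accepted
        return action


def demo():
    """LAN allow-all plus a block-all on the OpenVPN tab, as in the poster's test."""
    fw = StatefulFirewall({
        "LAN": [("pass", "192.168.10.", "")],  # typical default LAN rule
        "OpenVPN": [("block", "", "")],          # block rule the poster added
    })
    lan_host, remote_router, remote_host = "192.168.10.50", "192.168.12.1", "192.168.12.20"
    return [
        # Echo request from the LAN client: LAN rules pass it and create state.
        fw.handle(Packet("LAN", lan_host, remote_router, "icmp")),
        # Echo reply arriving on OpenVPN: matched to state, block rule never evaluated.
        fw.handle(Packet("OpenVPN", remote_router, lan_host, "icmp")),
        # A new flow started from the remote side: no state, so OpenVPN rules apply.
        fw.handle(Packet("OpenVPN", remote_host, lan_host, "icmp")),
    ]
```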


  • Just out of curiosity, what kind of device is on the server-side?

