OpenVPN from WAN (cell phone)



  • i created a CA, a user (for vpn access), and followed the wizard to setup the OpenVPN server and it appears that i entered in the correct prompts.

    i exported the android file from pfsense and emailed it to myself so i can save it to my phone.  on the LAN, the android OpenVPN app connected and used the vpn LAN ip i assigned, 192.168.2.6 (lan is 192.168.1.1).

    when i disconnect from my wifi and attempt to connect from the WAN, the OpenVPN app doesn't connect, it states that it is waiting on the server.

    i did click to add and permit the firewall rules in the last step of the wizard.  is there something obvious that i forgot?



  • Does your pfSense WAN have a static public IP address? If so, then that should end up in the OpenVPN client config file and work (when doing client export, choosing Host Name Resolution = Interface IP Address).
    But otherwise, you have to give the client a way to find your public IP address. Use Dynamic DNS to make a public name (like myvpnserver.mydynamicdnsprovider.com) and then when you do client export, pick that name for Host Name Resolution.



  • @phil.davis:

    Does your pfSense WAN have a static public IP address? If so, then that should end up in the OpenVPN client config file and work (when doing client export, choosing Host Name Resolution = Interface IP Address).
    But otherwise, you have to give the client a way to find your public IP address. Use Dynamic DNS to make a public name (like myvpnserver.mydynamicdnsprovider.com) and then when you do client export, pick that name for Host Name Resolution.

    yes it has a public IP.  i used the openvpn client export tool and my public IP was part of the file name.  i do have a dynamic name i'd like to use, i didn't see the option for that.  i assume i'd use that for the client on my phone to connect in (so it knows which firewall to connect to), but all it asked for was the config file, which i had on my phone.

    i assume i need to re-create the export file with my dynamic name, but i am not sure where to put that in, i will have to take a look.

    to confirm, yes, for the export it was set to interface IP Address

    thank you.



  • i did click to add and permit the firewall rules in the last step of the wizard.  is there something obvious that i forgot?

    Another thought - do you have other Firewall Rules on WAN? If so, then the pass rule for your incoming OpenVPN connections may end up after some other wider block rule, and thus packet filter gets to the block first and never matches the pass. Look at the WAN rules and move the OpenVPN pass rule up to or near the top.
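
The rule-ordering problem described in the post above, as an added example that is not part of the original thread: a simplified first-match model of WAN rules that reports pass rules hidden behind an earlier, wider block rule. The `Rule` class, the rule set and the function names are constructed for illustration; source addresses and ports are ignored.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "udp", "tcp" or "any"
    ports: range  # destination ports the rule covers
    descr: str

    def matches(self, proto, port):
        return self.proto in ("any", proto) and port in self.ports

# Constructed WAN rule set, top to bottom as shown in the GUI (not from the thread).
WAN_RULES = [
    Rule("pass", "tcp", range(443, 444), "HTTPS to web server"),
    Rule("block", "any", range(1, 65536), "Block everything else"),
    Rule("pass", "udp", range(1194, 1195), "OpenVPN wizard rule"),
]

def first_match(rules, proto, port):
    """Return (index, rule) of the first rule matching the packet, or None."""
    for i, rule in enumerate(rules):
        if rule.matches(proto, port):
            return i, rule
    return None  # nothing matched: default deny

def shadowed_pass_rules(rules):
    """Pairs (pass rule, earlier block rule) where the block fully covers the pass."""
    found = []
    for i, rule in enumerate(rules):
        if rule.action != "pass":
            continue
        for earlier in rules[:i]:
            covers = (earlier.action == "block"
                      and earlier.proto in ("any", rule.proto)
                      and earlier.ports.start <= rule.ports.start
                      and rule.ports.stop <= earlier.ports.stop)
            if covers:
                found.append((rule.descr, earlier.descr))
                break
    return found

def move_to_top(rules, descr):
    """Reordered copy with the named rule first, as the post suggests."""
    picked = [r for r in rules if r.descr == descr]
    return picked + [r for r in rules if r.descr != descr]

if __name__ == "__main__":
    print(shadowed_pass_rules(WAN_RULES))
```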



  • @phil.davis:

    i did click to add and permit the firewall rules in the last step of the wizard.  is there something obvious that i forgot?

    Another thought - do you have other Firewall Rules on WAN? If so, then the pass rule for your incoming OpenVPN connections may end up after some other wider block rule, and thus packet filter gets to the block first and never matches the pass. Look at the WAN rules and move the OpenVPN pass rule up to or near the top.

    a few rules, but nothing that would interfere with openvpn.

    how about the dynamic name.  i need to change it so it isn't using my dynamic IP.  it doesn't change that often, but when it does, it will be an issue.

    thanks.



  • Sign up with a dynamic DNS provider (look in Services->Dynamic DNS, pretend to add one, look in the Service type dropdown for the list of supported ones).
    Choose a hostname that you like from what they offer. e.g. I use DynDNS.com and make names that end in dyndns-ip.com - I pay for DynDNS as I have a number of names to manage. I'm not sure if DynDNS still offers free accounts.
    Add an entry to Services->Dynamic DNS to monitor WAN and set that hostname…
    Then pfSense will keep that hostname up-to-date as your WAN IP changes.
    When you use OpenVPN Client Export, the dynamic DNS hostname will appear in the dropdown list.

    But I suspect you still have some other problem (unless it is just that your client conf now has an old public IP address in it).
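
A way to check which server address an exported client profile actually carries, as an added example that is not part of the original thread: it parses the `remote`, `port` and `proto` directives of an `.ovpn` file and flags hard-coded IP addresses. The sample profile, the address `203.0.113.10`, the name `vpn.example.net` and the function names are constructed placeholders.

```python
import ipaddress

# Constructed sample of an exported client profile (not taken from the thread).
SAMPLE_PROFILE = """\
dev tun
persist-tun
proto udp
client
# first entry is a hard-coded address, second a dynamic DNS name
remote 203.0.113.10 1194 udp
remote vpn.example.net 1194
remote-cert-tls server
"""

def remote_endpoints(profile_text):
    """Return one dict per `remote` directive: host, port, proto, is_ip_literal."""
    port, proto = "1194", "udp"  # OpenVPN defaults when not given
    remotes = []
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        fields = line.split()
        if fields[0] == "port" and len(fields) > 1:
            port = fields[1]
        elif fields[0] == "proto" and len(fields) > 1:
            proto = fields[1]
        elif fields[0] == "remote" and len(fields) > 1:
            remotes.append(fields[1:4])
    endpoints = []
    for r in remotes:  # apply global port/proto after the whole file is read
        try:
            ipaddress.ip_address(r[0])
            literal = True
        except ValueError:
            literal = False
        endpoints.append({"host": r[0],
                          "port": r[1] if len(r) > 1 else port,
                          "proto": r[2] if len(r) > 2 else proto,
                          "is_ip_literal": literal})
    return endpoints

def stale_ip_risk(profile_text):
    """Hosts given as IP literals, which stop working when the WAN address changes."""
    return [e["host"] for e in remote_endpoints(profile_text) if e["is_ip_literal"]]

if __name__ == "__main__":
    for endpoint in remote_endpoints(SAMPLE_PROFILE):
        print(endpoint)
```

The port and protocol it reports are the ones the WAN pass rule has to allow.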



  • @phil.davis:

    Sign up with a dynamic DNS provider (look in Services->Dynamic DNS, pretend to add one, look in the Service type dropdown for the list of supported ones).
    Choose a hostname that you like from what they offer. e.g. I use DynDNS.com and make names that end in dyndns-ip.com - I pay for DynDNS as I have a number of names to manage. I'm not sure if DynDNS still offers free accounts.
    Add an entry to Services->Dynamic DNS to monitor WAN and set that hostname…
    Then pfSense will keep that hostname up-to-date as your WAN IP changes.
    When you use OpenVPN Client Export, the dynamic DNS hostname will appear in the dropdown list.

    But I suspect you still have some other problem (unless it is just that your client conf now has an old public IP address in it).

    i already have a dynamic dns provider.  i have had one for about 15 years now.  i am using it in pfsense and i use it for many other things when i want to remote into my home network when i am not on site.

    the issue i am having is that the client/profile i exported displays my IP address and i never saw a spot to use/enter my dynamic DNS name.

    i still think there is another issue, but i am not sure what it could be, as this is the first time i have attempted to setup openVPN.  are there any guides you recommend i follow?  that way i'd be able to see if i missed a step, somewhere.

    thanks.



  • the issue i am having is that the client/profile i exported displays my IP address and i never saw a spot to use/enter my dynamic DNS name.

    The dynamic DNS names should be in the "Host Name Resolution" field drop-down list on the Client Export page.



  • @phil.davis:

    the issue i am having is that the client/profile i exported displays my IP address and i never saw a spot to use/enter my dynamic DNS name.

    The dynamic DNS names should be in the "Host Name Resolution" field drop-down list on the Client Export page.

    ohhh, i see them there, i just left it at the default option of 'interface IP address'

    i switched it to the dynamic dns host name but it still says waiting for server on the phone app.  there must be something in the config it doesn't like or i missed a setting (i did put the new config on my phone).

