Connect to OpenVPN Access Server?



  • Has anyone here been able to get pfSense to connect to an OpenVPN Access Server and actually pass any traffic?  I've managed to enter the data from the config file into the pfSense UI, and it connects successfully, but any devices I try end up with no connectivity.  Using the OpenVPN Connect app on my desktop or phone with the same config works great.

    I've set this up the same as any other OpenVPN provider.

    • Setup the CA and Client certs

    • Enter all the info into the OpenVPN Client screen

    • Create a new interface with IPv4 set to None

    • Add the gateway for the VPN interface to a rule on the LAN interface

    If I run a traceroute from the pfSense UI on the VPN interface it correctly goes out the tunnel.

    What am I missing here?



  • Did you enable manual outbound NAT and add a rule to NAT on the way out of the VPN interface?



  • … No I did not.  Thanks.  Rookie mistake.


  • LAYER 8 Global Moderator

    What information did you use to connect - I was never able to get this to work.



  • @johnpoz:

    What information did you use to connect - I was never able to get this to work.

    1. Log in to the client section of OpenVPN-AS as the user you want to use and download the "Yourself (autologin profile)" file.  If you don't have this, log into the admin panel and enable autologin for the user.

    2. Open up client.ovpn in notepad or similar.

    3. Copy the contents of the <ca></ca> block into a new CA cert in pfSense.

    4. Copy the contents of the & blocks into a new cert in pfSense.

    5. Create a new OpenVPN Client.

    6. Fill out the server and & port as appropriate.

    7. Uncheck "Automatically generate a shared TLS key" and copy the contents of the <tls-auth></tls-auth> block into the box that appears.

    8. Pick the CA & Cert you created in steps 3 & 4.

    9. Set the encryption algorithm to whatever you're using in OpenVPN-AS.  The default is BF-CBC unless you changed it.

    10. Check the box for Compression if you enabled it in OpenVPN-AS.

    11. Save the OpenVPN Client connection and verify that the tunnel comes up.

    12. Create a new interface and assign the VPN tunnel to it.

    13. Edit the interface, enable it, and make sure that None is set for IPv4 Configuration Type.

    14. Add an outbound NAT rule for your new interface.

    15. Assign the new gateway to whatever firewall rules you want to force through the VPN tunnel.
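    Steps 2 to 10 above amount to pulling a handful of settings and inline blocks out of client.ovpn. The script below is an added example, not code from this thread, from pfSense or from OpenVPN-AS: it splits a constructed profile (placeholder PEM bodies, an invalid hostname) into exactly the pieces the pfSense client form asks for, and then flags things worth checking before pasting, namely whether the profile verifies that the peer presents a server certificate, whether the tls-auth key direction is known, and whether the cipher is still BF-CBC. The profile text and the `parse_ovpn`/`review` names are assumptions made for the example.

```python
import re

# OpenVPN "inline file" syntax: <ca>...</ca>, <cert>...</cert>, <key>...</key>, <tls-auth>...</tls-auth>
BLOCK_RE = re.compile(r"<(?P<tag>[A-Za-z0-9-]+)>\s*(?P<body>.*?)\s*</(?P=tag)>", re.S)

# Constructed sample profile for this example; every PEM body is a placeholder, not real key material.
SAMPLE_OVPN = """client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher BF-CBC
comp-lzo
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TA-KEY
-----END OpenVPN Static key V1-----
</tls-auth>
"""


def parse_ovpn(text):
    """Split a profile into its inline blocks and the settings the pfSense client form needs."""
    blocks = {m.group("tag"): m.group("body") for m in BLOCK_RE.finditer(text)}
    directives = {}
    for line in BLOCK_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, args)  # first occurrence wins, as OpenVPN does for 'remote'

    remote = directives.get("remote", [])
    key_dir = directives.get("key-direction")
    if key_dir is None:
        key_dir = directives.get("tls-auth", [])[1:2]  # the 'tls-auth ta.key 1' form
    return {
        "server": remote[0] if remote else None,
        "port": int(remote[1]) if len(remote) > 1 else 1194,  # OpenVPN's default port
        "proto": remote[2] if len(remote) > 2 else directives.get("proto", ["udp"])[0],
        # with no 'cipher' line the profile relies on OpenVPN's historical default, BF-CBC
        "cipher": directives.get("cipher", ["BF-CBC"])[0],
        "compression": "comp-lzo" in directives or "compress" in directives,
        "key_direction": key_dir[0] if key_dir else None,
        "user_pass": "auth-user-pass" in directives,
        "server_cert_check": any(d in directives for d in ("remote-cert-tls", "ns-cert-type", "verify-x509-name")),
        "blocks": blocks,
    }


def review(profile):
    """Notes a defender would want before pasting the profile into pfSense."""
    notes = []
    for tag in ("ca", "cert", "key"):
        if tag not in profile["blocks"]:
            notes.append(f"missing <{tag}> block; pfSense needs it for the CA or client cert entry")
    if "tls-auth" in profile["blocks"] and profile["key_direction"] is None:
        notes.append("tls-auth key present but no key-direction; the client must use the opposite direction from the server")
    if not profile["server_cert_check"]:
        notes.append("no remote-cert-tls/ns-cert-type/verify-x509-name: the client will not check that the peer "
                     "holds a server certificate (OpenVPN logs 'No server certificate verification method has been enabled')")
    if profile["cipher"].upper() == "BF-CBC":
        notes.append("BF-CBC is a 64-bit block cipher deprecated by OpenVPN; use an AES cipher if the server allows it")
    return notes


if __name__ == "__main__":
    parsed = parse_ovpn(SAMPLE_OVPN)
    for key, value in parsed.items():
        print(key, ":", sorted(value) if key == "blocks" else value)
    for note in review(parsed):
        print("CHECK:", note)
```

    The `server_cert_check` flag corresponds to the "No server certificate verification method has been enabled" warning quoted later in this thread: without one of those directives, any certificate issued by the same CA is accepted as the server's.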


  • LAYER 8 Global Moderator

    Dude sweet!!

    This is where I was having a brainfart ;)

    4. Copy the contents of the & blocks into a new cert in pfSense.

    I was only putting in the .. I will be testing this tonight and then doing a guide for the docs!!  Thanks!!!


  • LAYER 8 Global Moderator

    Sweet, bing bang zoom, and routing traffic through the VPN.. But kind of an eyesore is that it's creating a VPNV6 gateway.

    I have no desire to route any sort of IPv6 traffic via this VPN connection.  On the interface it's set to None for IPv6; do you happen to know how to get it not to create this gateway??




  • No, I have no idea how to get rid of it. I've got a bunch of those on my systems.



  • I am having issues connecting to my OpenVPN-AS

    I did follow the instructions, however it's not working for me, and I am unsure what I am doing wrong.

    The error logs show this:

    Nov 8 14:41:24 openvpn[79484]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
    Nov 8 14:41:24 openvpn[79484]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Nov 8 14:41:24 openvpn[79484]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Nov 8 14:41:24 openvpn[79484]: WARNING: using --pull/--client and --ifconfig together is probably not what you want

    Please advise,
    damir


  • LAYER 8 Global Moderator

    And without you posting your configuration, neither would we ;) Nor even the full log..

    So I just fired this up per the instructions in this page, I really should finish that guide I started..  Click click…  I tell it not to pull the routes for my testing of this, and if you're going to want to do policy based routing, etc., there is no reason to pull your default route, etc..




  • I apologize, you are right.

    I will get more details tonight - screenshots from both OpenVPN AS and pFsense's OpenVPN Client section.

    Big thanks for responding and I apologize again!

    P.s.
    Thanks for screenshot.



  • Configuration / Logs:

    OpenVPN-AS Ports settings:

    Please advise.

    Big thanks!


  • LAYER 8 Global Moderator

    See where you have no compress preference.. But most likely the server is doing compression, see the warning.. That will cause issues..  Set the drop down to do compression like mine, enabled with adaptive.



    Where exactly should I check if compression is enabled on openvpn-as?

    thanks for support


  • LAYER 8 Global Moderator

    It is, see your warning… I would have to log into one of mine and look to where/if you can turn it off.






  • Thank you!

    That worked, it connected to OpenVPN-AS.

    Would you mind if I ask another question - I am trying to accomplish something and I am not 100% sure it can be accomplished / done.

    Big thanks again!


  • LAYER 8 Global Moderator

    Sure ask away..



  • Thank you!

    I have 4 PCs, 2 laptops, 2 Smart TVs in my "home network".

    I have a Wi-Fi R7000 router in AP mode.

    I would like to have only the 2 Smart TVs using OpenVPN AS's IP (so, 2 local IPs - I already have those IPs assigned as static IPs in pfSense).

    Is this possible? Would you mind helping with this?

    Big thanks,
    damir


  • LAYER 8 Global Moderator

    Sure this is a simple policy route.. Assign your vpn connection to an interface.  Set this up as gateway, then create a rule in your lan that says hey if this IP or IPs going anywhere go out the vpn connection.

    I am about ready to leave work, and much easier to setup and show screen shots when home vs remote..  Will post some screen shots how to do when I get home.



  • Big thanks! man, big big thanks!

    sorry for bothering you so much, and thank you a lot!


  • LAYER 8 Global Moderator

    Ok here you go..  So make sure you assign your vpnclient to an interface - don't give it an IP, then create a gateway using that interface (do not set it default).  You can disable the _v6 interface it creates.

    Make sure you have a nat to this interface in your outbound nats to your network range.

    Then create a rule that says hey, your source IP or IPs when NOT going to your local networks.. That is what the ! is in the rule, and I use an alias that has my local networks in it and tell it to use the gateway.. Now when that source IP or IPs is going to anything other than your local networks that rule will trigger and send that traffic down your VPN client tunnel.  See attached images - so my normal workstation has my normal 24. IP on public - but when I use a VM that is 192.168.9.230 it goes down the tunnel.

    Make sure the devices you want to go down the tunnel use the DNS you want to use and you should be set.  Also you might want to make sure you don't get any routes from the VPN client connection, see my above post showing my client config - see how I have "block routes" checked..  You don't want pfSense getting routes you may not want.. you just want to send the traffic down the tunnel based on your policy.  Quite often OpenVPN-AS is set to default route.. So pfSense could get a default route pointing down the tunnel, etc..












  • Big thanks!

    I am having issues figuring out how to set the gateway for a firewall rule on a specific IP.

    I go to:
    https://192.168.1.1/firewall_rules.php?if=lan

    it looks like:

    when i go to edit it, it looks like:

    i think i am on correct page?

    sorry for bothering you so much with this.

    thanks


  • LAYER 8 Global Moderator

    Yeah that looks like firewall rule page.. And you need to move this rule above the default rules..  Where are all your advanced settings??  You set the gateway in the advanced section




    I am completely dumb.  :o

    I "think" I did everything as you said, and I rebooted pfSense right now.

    The output was, every single device was receiving OpenVPN's IP  :-\

    Here is the full setup:

    Interface setup:

    Firewall Outbound:

    Firewall Rules:

    What am i missing?

    Thanks


  • LAYER 8 Netgate

    No idea what you expect to happen with ! any as a destination.

    Some VPN providers push a default gateway. You have to check don't pull routes in the client config to have policy routing control on the client side.


  • LAYER 8 Global Moderator

    Well, !* is not valid.. You need to create an alias for your local networks, or at minimum use ! lan net..  So where were your advanced settings in the previous post.. Seems you have the gateway set now.  And you probably don't want that rule only tcp… How are you going to do DNS for example, which is UDP, through that link?

    Did you block getting routes from the VPN client.. It can overwrite your default route and send everything through that tunnel..




  • Yes, i did set that option.

    Alias:

    Firewall now:

    Advanced:


  • LAYER 8 Global Moderator

    Yeah that looks fine, did you tell your vpn client setting not to pull the routes like I posted twice now and derelict even mentioned ;)

    And you still only have tcp, do you not want ICMP or UDP to go down the tunnel.. Most of the time that rule for sending traffic down a tunnel will be any vs just tcp.



  • sorry, only 2 hours sleep tired / sleepy :)

    yes i did, in OpenVPN Client, it looks exactly the same as yours in the screenshot:

    What about this (Interface), anything should be done here, or leave as it is ? (unchecked)

    Also, figured out to change firewall to * instead of TCP only.

    All looks fine now?

    Big thanks for help :)


  • LAYER 8 Global Moderator

    Dude, change it to ANY…  so you can use any protocol over the tunnel, not just tcp.. More than likely if you're wanting to use something like Netflix you're going to want to make sure its DNS is used through the tunnel as well..

    So is it working now?



  • sorry, while you were typing this post, i was editing above post :/



  • @johnpoz:

    So is it working now?

    Yes, it's working, 2 devices are now going over OpenVPN, thanks to you.

    Not sure how to check the DNS thing, but, when I played a movie on Netflix, I monitored the traffic on the VPS and it was definitely going over OpenVPN.

    [root@my ~]# vnstat -l
    Monitoring eth0…    (press CTRL-C to stop)

    rx:    1.53 Mbit/s  138 p/s          tx:    1.66 Mbit/s  217 p/s^C

    eth0  /  traffic statistics

    rx        |      tx
    --------------------------------------+------------------
      bytes                  496.06 MiB  |      531.18 MiB
    --------------------------------------+------------------
              max          49.60 Mbit/s  |    53.08 Mbit/s



  • When you get a chance, if you please can tell me if I need this checked or leave it unchecked:

    I promise after this, I will stop bothering you  :-X

    I appreciate your help.


  • LAYER 8 Global Moderator

    What is your client using for DNS??  The one you want to go over the VPN, you said you set a static on it..  Smart TVs and such with apps like Netflix, etc. could be hard coded to use, say, Google DNS..  If so you would want that going down the tunnel because you would want it doing a DNS query from the location of the VPN exit point.

    Just change your rule on your policy route to be ANY vs tcp for the protocol and you're good; any traffic that is from that IP that is not to your LAN would go down the tunnel.  The only issue would be if the client was using your local DNS.. So you might want to change it to use some public DNS that goes down the tunnel, or you could get geo returned IPs that could cause problems.. Let's say for example you're in the EU, and your VPN exit point is in the US..  If you're using your local DNS, you could get told to go to a site in the EU based upon where your source DNS query came from..  So now your traffic goes down the tunnel to the US just to go back to some IP in the EU.

    As to blocking rfc1918 and bogon - no, on your VPN interface there would be no need or want to block those.. So leaving them unchecked is fine.
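    The policy route described earlier in this thread (source = the TV IPs, destination = ! LocalNets alias, gateway = the VPN) and the TCP-vs-ANY point made in the last few posts both come down to how pfSense evaluates LAN rules top to bottom, first match wins. The script below is an added example, not pfSense code and not part of the original thread: it models that evaluation over a constructed LAN (a "LocalNets" alias, two TV addresses, one other PC, and 203.0.113.0/24 as a stand-in public destination) and shows why a tcp-only rule leaks the TV's UDP DNS and ICMP to the normal WAN route, why the rule has to sit above the default "LAN to any" rule, and why "! LocalNets" keeps LAN-to-LAN traffic off the tunnel. All addresses, rule names and the `policy_route`/`route_all` helpers are assumptions made for the example.

```python
import ipaddress

# Constructed LAN layout for the example: a "LocalNets" alias covering the local
# subnets, the two Smart TVs that should use the VPN, and one PC that should not.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.9.0/24")]
TV_IPS = ("192.168.1.50", "192.168.1.51")


def rule(name, sources, proto, gateway, dest_not_local=False):
    """One LAN rule: source networks, protocol ('any'/'tcp'/'udp'/'icmp'), the gateway to
    policy-route to (None = ordinary routing table), and whether the destination is
    '! LocalNets', i.e. the rule only matches traffic leaving the local networks."""
    return {"name": name, "sources": [ipaddress.ip_network(s) for s in sources],
            "proto": proto, "gateway": gateway, "dest_not_local": dest_not_local}


# The stock "Default allow LAN to any" rule: no gateway, so the system routing table (WAN) applies.
DEFAULT_LAN = rule("Default allow LAN to any", ["192.168.1.0/24"], "any", None)
# Policy route as described in the thread: source = TV IPs, destination = ! LocalNets, gateway = VPN.
TV_VIA_VPN_ANY = rule("TVs to VPN", TV_IPS, "any", "VPN_GW", dest_not_local=True)
# The same rule restricted to TCP, as in the first attempt.
TV_VIA_VPN_TCP = rule("TVs to VPN (tcp only)", TV_IPS, "tcp", "VPN_GW", dest_not_local=True)


def is_local(ip):
    return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)


def matches(r, flow):
    src = ipaddress.ip_address(flow["src"])
    if not any(src in net for net in r["sources"]):
        return False
    if r["proto"] != "any" and r["proto"] != flow["proto"]:
        return False
    if r["dest_not_local"] and is_local(flow["dst"]):
        return False
    return True


def policy_route(rules, flow):
    """pf-style first match, top to bottom: returns the gateway name the flow is sent to,
    'default' for the normal routing table, or 'blocked' if no rule matched."""
    for r in rules:
        if matches(r, flow):
            return r["gateway"] or "default"
    return "blocked"


# Constructed flows: a TV's DNS lookup, a TV's HTTPS session, a ping from the other TV,
# a TV talking to a LAN host, and the PC's HTTPS session.
FLOWS = {
    "tv_dns":   {"src": "192.168.1.50", "dst": "8.8.8.8",      "proto": "udp"},
    "tv_https": {"src": "192.168.1.50", "dst": "203.0.113.10", "proto": "tcp"},
    "tv_ping":  {"src": "192.168.1.51", "dst": "203.0.113.10", "proto": "icmp"},
    "tv_lan":   {"src": "192.168.1.50", "dst": "192.168.1.20", "proto": "tcp"},
    "pc_https": {"src": "192.168.1.60", "dst": "203.0.113.10", "proto": "tcp"},
}


def route_all(rules):
    return {name: policy_route(rules, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("tcp-only rule above default", [TV_VIA_VPN_TCP, DEFAULT_LAN]),
                         ("any-protocol rule above default", [TV_VIA_VPN_ANY, DEFAULT_LAN]),
                         ("any-protocol rule BELOW default", [DEFAULT_LAN, TV_VIA_VPN_ANY])):
        print(label, "->", route_all(rules))
```

    With the tcp-only rule the TV's DNS query and its ping still take the default route, which is exactly the split behaviour reported above (Netflix over the tunnel, tracert over the ISP); with the rule placed below the default rule nothing reaches the VPN at all. A destination of "! any" would match no destination, so it is not modelled here.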



  • In my pfSense I have static DHCP enabled (by MAC) for all devices I have @ home.
    Each device gets a static IP.

    Devices / PC's , etc are set to AUTO for IP's / DNS.

    pfSense is set to use Google DNS.
    8.8.8.8
    8.8.4.4

    VPS with OpenVPN on it is also set to Google DNS:

    [root@my ~]# cat /etc/resolv.conf
    nameserver 8.8.8.8
    nameserver 8.8.4.4

    So, I believe this looks good?

    What I don't understand is, on one of the PCs that is connected to my kid's TV (which is also used for Netflix), when I do a tracert to any IP, the output / path is not going over OpenVPN's network, it's going through my ISP's.
    When I go to "what's my IP" on Google / and check multiple websites, it shows / reports the IP of the OpenVPN.

    I used to have OpenVPN's client installed on that Windows, and tracert's output / path was going over the OpenVPN.
    Why is this?

    (And still, Netflix, downloads, etc, go through openvpn's network, as i am still monitoring the eth0 with vnstat)

    Thanks



  • Actually, never mind about that tracert part, after I changed to ANY from TCP, it's going over OpenVPN's network  :o



  • Also, I am like 99% sure Netflix is showing US stuff.

    If I go to: http://api-global.netflix.com/apps/applefuji/config

    And look for <geolocation></geolocation> it shows US for me;

    <geolocation>US</geolocation>

    There is still that 1%, but, not sure if there is any other way to check :)



  • I just checked logs in pfSense for OpenVPN, and noticed this:

    Nov 10 12:21:51 openvpn[21245]: write UDPv4: No buffer space available (code=55)
    Nov 10 12:21:52 openvpn[21245]: write UDPv4: No buffer space available (code=55)
    Nov 10 12:21:52 openvpn[21245]: write UDPv4: No buffer space available (code=55)
    Nov 10 12:21:52 openvpn[21245]: write UDPv4: No buffer space available (code=55)
    Nov 10 12:21:52 openvpn[21245]: write UDPv4: No buffer space available (code=55)
    Nov 10 12:21:52 openvpn[21245]: write UDPv4: No buffer space available (code=55)
    Nov 10 12:21:52 openvpn[21245]: write UDPv4: No buffer space available (code=55)

    Also, when I SSH to the VPS, it doesn't show my WAN IP any more, but the local IP from OpenVPN;

    root    pts/0    172.27.232.2    12:24    0.00s  0.00s  0.00s w

    When I do a tracert to the IP of the VPS, it outputs like this:

    1    <1 ms    <1 ms    <1 ms  pfSense.home.network [192.168.1.1]
    2    26 ms    25 ms    25 ms  168.** (Full IP of VPS)

    Also, I am unable to connect to the TeamSpeak 3 server hosted on the same VPS.

    This is done from my PC, and for this PC there are no rules (firewall) in pfSense.

    Googling my IP shows my WAN (ISP's) IP.

    Probably I messed up something else? :)

    Thanks


  • LAYER 8 Global Moderator

    Your buffer error could probably be a routing issue.. See this pfSense forum thread:

    https://forum.pfsense.org/index.php?topic=40405.msg208614#msg208614

    https://airvpn.org/topic/11486-error-in-openvpn-logs-on-pfsense/

    If you want me to help you really need to show the FULL logs, not just the piece that you think matters..  There is most likely something else in the log that will point to why the error happens.. Like for example with your compression setting in the previous posting..

    If you're pulling the routes from the VPN client connection it's going to cause problems if it hands pfSense a default route down the tunnel, etc..
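    The point made above, that the telling line is usually somewhere else in the full log, is something a small triage pass can help with. The script below is an added example, not part of this thread and not pfSense or OpenVPN code: it runs a few known-message checks over a constructed log excerpt assembled from the warning lines quoted earlier in this thread (timestamps and PIDs are placeholders) and reports each finding with a count, the first line it appeared on and what to check. The routing-loop reading of "No buffer space available" follows the forum links above and is stated as the common cause, not a certainty; the `triage`/`worst_severity` names and the CHECKS table are assumptions made for the example.

```python
import re

# Constructed log excerpt for this example: the warning lines quoted in this thread plus
# two ordinary lines. Timestamps and PIDs are placeholders, not a real capture.
SAMPLE_LOG = """\
Nov 8 14:41:24 openvpn[79484]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
Nov 8 14:41:24 openvpn[79484]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 8 14:41:24 openvpn[79484]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 8 14:41:24 openvpn[79484]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
Nov 8 14:41:25 openvpn[79484]: Initialization Sequence Completed
Nov 10 12:21:51 openvpn[21245]: write UDPv4: No buffer space available (code=55)
Nov 10 12:21:52 openvpn[21245]: write UDPv4: No buffer space available (code=55)
Nov 10 12:21:52 openvpn[21245]: write UDPv4: No buffer space available (code=55)
"""

# (finding id, severity, pattern, what a defender should check)
CHECKS = [
    ("no_server_cert_check", "high",
     re.compile(r"No server certificate verification method"),
     "any certificate issued by the same CA is accepted as the server; enable server-certificate "
     "verification on the client (remote-cert-tls server or the equivalent pfSense option)"),
    ("static_ifconfig_with_client", "medium",
     re.compile(r"--pull/--client and --ifconfig together"),
     "a static tunnel address is set on a client that also pulls one from the server; the local "
     "tunnel network setting is probably unnecessary"),
    ("write_no_buffer_space", "high",
     re.compile(r"No buffer space available"),
     "bursts of this commonly mean a routing loop, e.g. the route to the VPN server's own address "
     "now points into the tunnel; check pulled routes and the gateway used for the server address"),
    ("script_security_note", "info",
     re.compile(r"--script-security setting may allow"),
     "informational; pfSense configures up/down scripts for the tunnel interface"),
]

SEVERITY_ORDER = {"info": 0, "medium": 1, "high": 2}


def triage(log_text):
    """Return {finding_id: {severity, count, first_line, advice}} for every check that fired."""
    findings = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for fid, severity, pattern, advice in CHECKS:
            if pattern.search(line):
                entry = findings.setdefault(
                    fid, {"severity": severity, "count": 0, "first_line": lineno, "advice": advice})
                entry["count"] += 1
    return findings


def tunnel_established(log_text):
    """True once OpenVPN reports the tunnel up; a log without this line is a different problem."""
    return "Initialization Sequence Completed" in log_text


def worst_severity(findings):
    return max((f["severity"] for f in findings.values()), key=SEVERITY_ORDER.get, default="none")


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("tunnel established:", tunnel_established(SAMPLE_LOG))
    for fid, f in sorted(result.items(), key=lambda kv: -SEVERITY_ORDER[kv[1]["severity"]]):
        print(f"[{f['severity']}] {fid} x{f['count']} (first at line {f['first_line']}): {f['advice']}")
    print("worst:", worst_severity(result))
```

    Run against a full log rather than the excerpt, the first_line values give the order in which the conditions appeared, which is what distinguishes a tunnel that came up and then looped from one that never completed.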



  • sorry  :'(

    I just cleared the OpenVPN logs and rebooted pfSense.

    The current logs show this:

    At this time, still (for about 10 minutes now) there are no buffer error logs.

    As soon as they show (if they do) I will post another log image (full logs this time  :) )

    Is there anything that can be done to "fix" the routing issues, so my VPS doesn't see this PC as "local" (if I am saying this correctly), so I can still use it as I used it for other services before connecting pfSense to the OpenVPN-AS hosted on that VPS?

    Thanks

