Firewall issue with OpenVPN



  • I'm having a tiny problem.

    I did the wizard and got everything up and it created the rules, so I tried from my android phone using a .ovpn profile generated from the client export package.
    But it can't connect.
    Did a port scan, 1194 not responding, tried different port 34447 and edited the firewall rules. Still not responding.
    Taking a look at my firewall logs I can see the packets but it's going to a video phone on the dmz which has 1:1 NAT firewall rule, which then pfsense blocks.

    So how can I get 1194/34447 to come to the wan interface instead of going down the 1:1 nat device?



  • It's possible to natting OVPN also. So you can try to set a NAT rule for OVPN port directing it to LAN address and set the OVPN server listen on LAN.

    If that doesn't work drop your 1:1 NAT and set port forwarding rules instead.



  • Getting rid of 1:1 Nat is not an option, these devices from sorenson use random inbound ports for some weird reason, even with all the documented ports being open, incoming video feeds were blocked by pfsense, I had to do it a different way in 1.2.3 and when 2.1 came with 1:1 it was a god send.

    But your solution to change the opvn to lan side worked.
    I deleted all the rules for opvn and set a nat rule.
    Now I want to make sure I didn't expose my network or the firewall itself accidentally, so just to confirm in firewall rules.

    Lan tab (automatically created by the opvn wizard.)

    
    Proto 	Source 	Port 	Destination 	Port 	Gateway
    IPv4  	  * 	  * 	LAN address 	34447 	*
    UDP 
    
    

    Wan Tab (created by the nat rule)

    
    IPv4 	* 	* 	192.168.0.1 	34447 	*
    UDP  
    
    

    NAT Port Forward.

    
    If 	       Proto 	Src. addr 	Src. ports 	Dest. addr 	Dest. ports 	NAT IP 	NAT Ports 	
    WAN 	       UDP      *                  * 	      WAN address 	34447 	   192.168.0.1 	34447
    
    

    Is this correct?

    Any adjustment I need to make?



  • That would be okay.

    The only port forwarded to you LAN side is 34447 and here is your OpenVPN server listening and handles incoming packets.

    However, if you are in doubt about route VPN to LAN you may take any other interface. With DMZ it would work just as well.



  • wunderbar!

    Yeah, I have a few other rules but they were created from NAT, and DMZ rules were created by me guided by the pfsense community.
    The only rules in Lan tab is the anti-lockout rule and the default Lan rule.

    Now all I have to do is update pfsense to 2.1.2 tonight and hopefully no surprises.

    Thank you so much.


Log in to reply