Netgate Discussion Forum

    I can't use OpenVPN behind my pfSense fw, but behind other fw's.

    12 Posts 5 Posters 2.0k Views
    • fableman

      Hi

      My setup:

      At home a pfsense fw with openVPN

      At work a pfsense fw. (not working)

      At anywhere using 4G router NAT (working)

      I can't get the OpenVPN client to connect to my home when I am behind the pfSense fw at work (nothing shows up as blocked under firewall logs).
      (OpenVPN logs at home only show: Inactivity time out)

      Works perfectly behind the 4G router, or directly connected to the external IP.

      But when I try behind the pfSense at work it can't connect and times out; the OpenVPN client logs show:

      UDPv4 link remote: [AF_INET]x.x.x.x (my ip)    (hangs here for 1 min)
      TLS Error: TLS key negotiation fails…...
      TLS Error: TLS handshake failed

      Any ideas?

      openVPN client --->pfsense (work)---->internet---->pfsense (home)            = not working

      openVPN client --->4G router with NAT ---->internet---->pfsense (home)    = working

      Most speed test sites got problems with 1/1Gbit FTTH

      • chpalmer

        Do you have access to the pfsense box at "work"?  Are you the IT guy for your business?

        Does that box have a public IP address on its WAN interface?  Is it behind another router/firewall device?

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

        • fableman

          Yes, I set up both of them, at my home and at work.

          Yes public IP on both fw's.

          Internet---pfSense---switch---client

          The client has full access from the interface to the internet.

          • viragomann

            Do you use equal client config files at work and at the other place where it's working?

            Recheck if the settings are the same, especially the setting for port and protocol and all auth-settings. If you use TLS authentication recheck that the TLS-key file behind "tls_auth" is followed by " 1".

            If you use UDP protocol check if your outgoing rule is allowing this.

            • fableman

              I use the same laptop with the same client.

              The rule I have is any protocol to any on the pfsense fw at work. (I can do everything)

              But it's like it's ignoring all my UDP traffic.

              I captured the traffic on the pfSense at work; nothing shows up with a destination of my home IP address.

              This is all very strange.

              • Guest

                Potential workaround: Let the pfSense do the tunnel for you?

                • fableman

                  I don't want a permanent tunnel into my home from work :)

                  • chpalmer

                    @fableman:

                    I captured the traffic on the pfSense at work; nothing shows up with a destination of my home IP address.

                    That makes me think that the guilty party is the laptop.  Maybe a statically set gateway in the VPN client program?

                    • fableman

                      No static gateway; the laptop works nicely with anything, just not behind the pfSense with OpenVPN.

                      OpenVPN works behind anything else I tested, and I have lots of things to test with.

                      It's like pfSense is blocking the VPN traffic without showing it.

                      • Guest

                        Is snort involved  on your pfSense? I would wireshark the LAN side, to see what's going on between the laptop and the pfSense box… :)

                        • mikeisfly

                          Also are you using DNS? Maybe that is the guilty party, especially if you aren't seeing anything on the other side.

                          • fableman

                            @chemlud:

                            Is snort involved  on your pfSense? I would wireshark the LAN side, to see what's going on between the laptop and the pfSense box… :)

                            You got me on the right track, thanks.

                            No, I don't have Snort on the fw... but...

                            I had a D-Link switch called DGS-1210-16 with a Security option enabled.

                            The switch itself can protect from:

                            Land Attack
                            Blat Attack
                            TCP Null Scan
                            TCP Xmascan
                            TCP SYNFIN
                            TCP SYN Src Port Less 1024
                            Ping Death Attack
                            TCP Tiny Frag Attack

                            And the problem was the Blat Attack rule; if I disabled it on the switch then the OpenVPN connection worked perfectly.

                            Thanks to all that tried to help.


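The LAN-side capture suggested above and the switch rule found at the end of the thread can be checked together. DoS-protection rules of the "Blat attack" kind typically match packets whose source port equals the destination port, and an OpenVPN client that is not configured with `nobind` binds its local UDP socket to the same port as the server (1194 by default), which fits that pattern exactly. The following added example (not code from the thread or from Netgate) parses constructed tcpdump-style lines, flags the packets such a rule would match, and predicts the client's local port from its config; the sample capture and addresses are made up.

```python
import re
from typing import List, Optional

# Constructed capture lines in tcpdump "-nn" style (sample data, not from the thread).
# The first two mimic an OpenVPN client without "nobind": it binds locally to 1194,
# so source port == destination port, which a Blat/Land-style switch rule matches.
SAMPLE_CAPTURE = """\
IP 192.168.10.50.1194 > 198.51.100.7.1194: UDP, length 54
IP 192.168.10.50.1194 > 198.51.100.7.1194: UDP, length 54
IP 192.168.10.50.51234 > 198.51.100.7.1194: UDP, length 54
IP 192.168.10.50.44123 > 192.168.10.1.53: UDP, length 41
IP 192.168.10.50.52211 > 203.0.113.9.443: Flags [S], seq 1, win 64240, length 0
"""

LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

def parse_capture(text: str) -> List[dict]:
    """Turn tcpdump text lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        packets.append({"src": m["src"], "dst": m["dst"],
                        "sport": int(m["sport"]), "dport": int(m["dport"])})
    return packets

def blat_candidates(packets: List[dict]) -> List[dict]:
    """Packets a source-port-equals-destination-port rule would treat as an attack."""
    return [p for p in packets if p["sport"] == p["dport"]]

def client_local_port(config: str) -> Optional[int]:
    """Predict the local port an OpenVPN client binds to from its config text.
    Precedence: nobind -> None (ephemeral port); else lport; else port; else 1194."""
    port, lport = 1194, None
    for raw in config.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] == "nobind":
            return None
        if tokens[0] == "lport" and len(tokens) > 1:
            lport = int(tokens[1])
        elif tokens[0] == "port" and len(tokens) > 1:
            port = int(tokens[1])
    return lport if lport is not None else port
```

If `client_local_port` returns the server's port, adding `nobind` (or a distinct `lport`) to the client config removes the source-equals-destination pattern without disabling the switch's protection.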
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.