I can't use OpenVPN behind my pfSense fw, but I can behind other fw's.



  • Hi

    My setup:

    At home a pfSense fw with OpenVPN

    At work a pfSense fw. (not working)

    At anywhere using a 4G router with NAT (working)

    I can't get the OpenVPN client to connect to my home when I am behind the pfSense fw at work (nothing shows up as blocked under the firewall logs)
    (OpenVPN logs at home only show: Inactivity timeout)

    Works perfectly behind the 4G router, or directly connected to the external IP

    But when I try behind the pfSense at work it can't connect and times out; the OpenVPN client logs show:

    UDPv4 link remote: [AF_INET]x.x.x.x (my IP)    (hangs here for 1 min)
    TLS Error: TLS key negotiation fails…
    TLS Error: TLS handshake failed

    Any ideas?

    OpenVPN client ---> pfSense (work) ---> internet ---> pfSense (home)      = not working

    OpenVPN client ---> 4G router with NAT ---> internet ---> pfSense (home)  = working



  • Do you have access to the pfsense box at "work"?  Are you the IT guy for your business?

    Does that box have a public IP address on its WAN interface?  Is it behind another router/firewall device?



  • Yes, I set up both of them, at my home and at work.

    Yes, public IP on both fw's.

    Internet---pfSense---switch---client

    The client has full access from the interface to the internet.



  • Do you use the same client config files at work and at the other place where it's working?

    Recheck that the settings are the same, especially the settings for port and protocol and all auth settings. If you use TLS authentication, recheck that the TLS key file behind "tls_auth" is followed by " 1".

    If you use the UDP protocol, check that your outgoing rule allows it.
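The checklist in the reply above (port, protocol, auth settings, and the key direction after the `tls-auth` key file) is easy to get wrong when the same laptop carries more than one `.ovpn`. The script below is an added example, not code from the thread or from OpenVPN: it parses two client configs and diffs the settings that must agree before the TLS handshake can even start. The two configs are constructed sample input; the defaults (`udp`, port `1194`, `SHA1`) are OpenVPN's documented defaults, and an inline `<tls-auth>` block is treated as requiring a separate `key-direction` line.

```python
"""Diff the OpenVPN client directives that must match for a TLS handshake.

Added example, not from the forum thread.  Covers: remote host/port, proto,
tls-auth key direction (or key-direction for inline keys), auth, cipher,
and whether the client binds its local port (nobind).
"""
import re
import shlex

# OpenVPN's documented defaults; "(default)" means "whatever the build uses".
DEFAULTS = {"proto": "udp", "port": "1194", "auth": "SHA1", "cipher": "(default)"}


def parse_ovpn(text):
    """Parse an OpenVPN config into {directive: [args]}.

    '#' and ';' start comments.  Inline <tag>...</tag> blocks (e.g. <tls-auth>)
    are recorded as ['<inline>'] so callers know the key is embedded.
    """
    found = {}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:            # inside an inline <tag> block
            if line == "</%s>" % block:
                found[block] = ["<inline>"]
                block = None
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            block = m.group(1)
            continue
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        found[parts[0]] = parts[1:]
    return found


def effective(conf):
    """Resolve the settings that must agree with the server (or with a known-good config)."""
    remote = conf.get("remote", [])
    proto = remote[2] if len(remote) >= 3 else conf.get("proto", [DEFAULTS["proto"]])[0]
    proto = proto.rstrip("46")           # udp4/udp6 -> udp
    if proto.startswith("tcp"):          # tcp-client/tcp-server -> tcp
        proto = "tcp"
    port = remote[1] if len(remote) >= 2 else conf.get("port", [DEFAULTS["port"]])[0]

    if "tls-auth" in conf:
        args = conf["tls-auth"]
        # "tls-auth ta.key 1" carries the direction inline; an embedded key
        # needs a separate "key-direction" line.  None = bidirectional key.
        direction = args[1] if len(args) > 1 else conf.get("key-direction", [None])[0]
        tls_auth = ("tls-auth", direction)
    elif "tls-crypt" in conf:
        tls_auth = ("tls-crypt", None)
    else:
        tls_auth = (None, None)

    return {
        "remote": remote[0] if remote else None,
        "port": port,
        "proto": proto,
        "tls-auth": tls_auth,
        "auth": conf.get("auth", [DEFAULTS["auth"]])[0].upper(),
        "cipher": conf.get("cipher", [DEFAULTS["cipher"]])[0].upper(),
        "nobind": "nobind" in conf,
    }


def compare(a_text, b_text):
    """Return {setting: (a_value, b_value)} for every setting that differs."""
    a, b = effective(parse_ovpn(a_text)), effective(parse_ovpn(b_text))
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


# Constructed sample configs: a known-good one and one with typical slips
# (protocol changed to TCP, key direction missing after the tls-auth file).
WORKING = """\
client
dev tun
proto udp
remote vpn.home.example 1194
nobind
tls-auth ta.key 1
auth SHA256
cipher AES-256-CBC
"""

BROKEN = """\
client
dev tun
proto tcp
remote vpn.home.example 1194
tls-auth ta.key
auth SHA256
cipher AES-256-CBC
"""

if __name__ == "__main__":
    for setting, (good, bad) in compare(WORKING, BROKEN).items():
        print("%-9s working=%r  broken=%r" % (setting, good, bad))
```

Run it against the config that works behind the 4G router and the one used at work; an empty result means the client side is identical and the problem is on the path, which is where the thread ends up.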



  • I use the same laptop with the same client.

    The rule I have is any protocol to any on the pfSense fw at work. (I can do everything)

    But it's like it's ignoring all my UDP traffic.

    I captured the traffic on the pfSense at work; nothing shows up with a destination of my home IP address.

    This is all very strange.



  • Potential workaround: let the pfSense do the tunnel for you?



  • I don't want a permanent tunnel into my home from work :)



  • @fableman:

    I captured the traffic on the pfSense at work; nothing shows up with a destination of my home IP address.

    That makes me think that the guilty party is the laptop. Maybe a statically set gateway in the VPN client program?



  • No static gateway; the laptop works nicely with anything, just not behind the pfSense with OpenVPN.

    OpenVPN works behind anything else I tested, and I have lots of things to test with.

    It's like the pfSense is blocking the VPN traffic without showing it.



  • Is Snort involved on your pfSense? I would Wireshark the LAN side, to see what's going on between the laptop and the pfSense box… :)



  • Also, are you using DNS? Maybe that is the guilty party, especially if you aren't seeing anything on the other side.



  • @chemlud:

    Is Snort involved on your pfSense? I would Wireshark the LAN side, to see what's going on between the laptop and the pfSense box… :)

    You got me on the right track, thanks.

    No, I don't have Snort on the fw… but…

    I had a D-Link switch called DGS-1210-16 with a Security option enabled.

    The switch itself can protect from:

    Land Attack
    Blat Attack
    TCP Null Scan
    TCP Xmascan
    TCP SYNFIN
    TCP SYN Src Port Less 1024
    Ping Death Attack
    TCP Tiny Frag Attack

    And the problem was the Blat Attack rule; if I disabled it on the switch then the OpenVPN connection worked perfectly.

    Thanks to all that tried to help.
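The resolution above makes sense once you look at the ports on the wire: a "Blat" attack is the port-level cousin of a Land attack, a packet whose source port equals its destination port, and an OpenVPN UDP client binds its local port to 1194 unless the config says `nobind`, so every handshake packet is 1194 → 1194. The script below is an added example, not the thread's or D-Link's code. It emulates the per-packet checks in the switch's list using the usual textbook definition of each attack name (an assumption about how the switch implements them), then runs constructed sample traffic through it to show which packets the switch silently drops before they ever reach the firewall, which is exactly why nothing appeared in the pfSense logs or capture.

```python
"""Emulate a managed switch's per-packet DoS-prevention rules and show why a
default-bound OpenVPN client trips the Blat rule.

Added example, not from the thread.  Rule semantics are the common textbook
definitions (assumed to match the switch):
  Land  : source IP == destination IP
  Blat  : source port == destination port (Land's port-level variant)
  Null  : TCP segment with no flags set
  Xmas  : TCP with FIN+URG+PSH set (nmap-style Xmas scan)
  SYNFIN: TCP with SYN and FIN both set
  SYN src port < 1024: SYN-only segment from a privileged source port
Ping-of-death and tiny-fragment checks need IP-level fields not modelled here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str                   # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. frozenset({"SYN"})


RULES = {
    "Land Attack": lambda p: p.src == p.dst,
    "Blat Attack": lambda p: p.sport == p.dport,
    "TCP Null Scan": lambda p: p.proto == "tcp" and not p.flags,
    "TCP Xmascan": lambda p: p.proto == "tcp" and {"FIN", "URG", "PSH"} <= p.flags,
    "TCP SYNFIN": lambda p: p.proto == "tcp" and {"SYN", "FIN"} <= p.flags,
    "TCP SYN Src Port Less 1024": lambda p: p.proto == "tcp"
    and p.flags == {"SYN"} and p.sport < 1024,
}


def inspect(pkt, enabled=None):
    """Names of the enabled rules this packet trips; an empty list means forwarded."""
    active = RULES if enabled is None else {name: RULES[name] for name in enabled}
    return [name for name, check in active.items() if check(pkt)]


def forwarded(pkts, enabled=None):
    """Packets that survive the switch with the given rule set enabled."""
    return [p for p in pkts if not inspect(p, enabled)]


# Constructed sample traffic from a laptop (192.0.2.10) behind the switch.
# OpenVPN client without 'nobind': local port defaults to 1194, so 1194 -> 1194.
OPENVPN_DEFAULT = Pkt("192.0.2.10", "203.0.113.5", "udp", 1194, 1194)
# Same client with 'nobind': the OS picks an ephemeral source port.
OPENVPN_NOBIND = Pkt("192.0.2.10", "203.0.113.5", "udp", 49152, 1194)
# Ordinary HTTPS connection attempt.
HTTPS_SYN = Pkt("192.0.2.10", "198.51.100.7", "tcp", 51000, 443, frozenset({"SYN"}))
# An nmap-style Xmas probe, which the switch should keep dropping.
XMAS_PROBE = Pkt("192.0.2.10", "198.51.100.7", "tcp", 51001, 22,
                 frozenset({"FIN", "URG", "PSH"}))

SAMPLE = [OPENVPN_DEFAULT, OPENVPN_NOBIND, HTTPS_SYN, XMAS_PROBE]

# The rule set the poster ended up with: everything except Blat.
WITHOUT_BLAT = [name for name in RULES if name != "Blat Attack"]

if __name__ == "__main__":
    for p in SAMPLE:
        hit = inspect(p)
        print("%s:%d -> %s:%d %s  %s" % (p.src, p.sport, p.dst, p.dport, p.proto,
                                         "DROP " + ", ".join(hit) if hit else "forward"))
    print("forwarded with Blat disabled:", len(forwarded(SAMPLE, WITHOUT_BLAT)))
```

Two ways out follow from the model: disable the Blat rule on the switch, as the poster did, or add `nobind` to the client config so the source port is ephemeral and the rule never matches; the second keeps the switch's other checks in place and is what pfSense's own client export includes.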

