I cant use openVPN behind my pfsense fw, but behind other fw's.

fableman

Hi

My setup:

At home a pfsense fw with openVPN

At work a pfsense fw. (not working)

At anywhere using 4G router NAT (working)

I can't get the OpenVPN client to connect to my home when I am behind the pfsense fw at work (nothing showup as blocked under firewall logs)
(openvpn logs at Home only show: Inactivity time out)

Works perfect behind the 4G router, or directly connected to external IP

But when I try behind the pfsence at work It cant connect and times out, the openVPN client logs show:

UDPv4 link remote: [AF_INET]x.x.x.x (my ip)    (hangs here for 1 min)
TLS Error: TLS key negoation fails…...
TLS Error: TLS handshake failed

Any idees ?

openVPN client --->pfsense (work)---->internet---->pfsense (home)            = not working

openVPN client --->4G router with NAT ---->internet---->pfsense (home)    = working

chpalmer

Do you have access to the pfsense box at "work"?  Are you the IT guy for your business?

Does that box have a public IP address on its WAN interface?  Is it behind another router/firewall device?

fableman

yes I setup both of them, at my home and at work.

Yes public IP on both fw's.

Internet–--pfsense---switch----client

client got full access from interface to internet.

viragomann

Do you use equal client config files at work and at the other place where it's working?

Recheck if the settings are the same, especially the setting for port and protocol and all auth-settings. If you use TLS authentication recheck that the TLS-key file behind "tls_auth" is followed by " 1".

If you use UDP protocol check if your outgoing rule is allowing this.

fableman

I use the same laptop with the same client.

The rule I have is any protocol to any on the pfsense fw at work. (I can do everything)

But it's like it's ignoring all my UDP traffic .

I captured the traffic on the pfsense at work, nothing show up at with a destination to my home IP address.

This is all very strange.

Guest

Potential workaround: Let the pfSense do the tunnel for you?

fableman

I dont what a permanent tunnel into my home from work :)

chpalmer

@fableman:

I captured the traffic on the pfsense at work, nothing show up at with a destination to my home IP address.

That makes me think that the guilty party is the laptop.  Maybe a statically set gateway in the VPN client program?

fableman

No static gateway, laptop work nice with anything not just behind the pfsense with openvpn.

openvpn works behind anything else i tested, and I have lots of things to test with..

Its like pfsense blocking the the vpn traffic without showing it.

Guest

Is snort involved  on your pfSense? I would wireshark the LAN side, to see what's going on between the laptop and the pfSense box… :)

mikeisfly

Also are you using DNS? Maybe that is the guilty party, especially if you aren't seeing anything on the other side.

fableman

@chemlud:

Is snort involved  on your pfSense? I would wireshark the LAN side, to see what's going on between the laptop and the pfSense box… :)

You got me on the right track,, thanks.

No I dont have snort on the fw….but...

I hade a D-link switched called DGS-1210-16 with a Security option enabled.

The switch itself can protect from:

Land Attack
Blat Attack
TCP Null Scan
TCP Xmascan
TCP SYNFIN
TCP SYN Src Port Less 1024
Ping Death Attack
TCP Tiny Frag Attack

And the problem was the Blat Attack rule, if I disabled it on the Switch then the OpenVPN connection worked perfect.

Thanks to all that tried to help.