[SOLVED] AirVPN (OpenVPN) port forwarding
-
Hi there,
I am moving my OpenVPN client to my pfsense box, instead of just running it on one box. I have gotten everything set up such that a few machines on my internal LAN route all their traffic through the ovpnc2 interface.
I am having trouble with the port forwarding. I have done the searches and tried everything that comes up. Here is the problem.
I created a Port forward on my AIRVPN adapter, to forward port 39992 to an internal machine 192.168.1.1 port 39992.
rdr on ovpnc2 proto { tcp udp } from any to 10.4.0.46 port 39992 -> 192.168.1.1
pass in log quick on $AIRVPN reply-to ( ovpnc2 10.4.0.46 ) inet proto { tcp udp } from any to any port 39992 tracker 1434123059 keep state label "USER_RULE"
I don't think I need to set anything else. 192.168.1.1 is using the AIRVPN_GW through an outbound NAT rule that takes traffic from that host and sends it to the right gateway. I also have a FW rule on my LAN interface to do a policy-based route so that traffic from 192.168.1.1 goes to the AIRVPN_GW.
This used to work when using the OpenVPN client directly on the machine. Just tried this again, so the AirVPN/VPN provider is sending the packets to the VPN endpoint, 10.4.0.46.
Any ideas as to where I can start looking to debug? Packet capture on AIRVPN doesn't show any inbound traffic, neither do the firewall logs.
-
If I go to canyouseeme.org and run a test for that port, and I did a packet capture, I see some stuff in there; don't know if this helps anyone debug.
13:57:19.941207 IP (tos 0x0, ttl 44, id 55254, offset 0, flags [DF], proto TCP (6), length 60) 107.20.89.142.43201 > 10.4.0.46.39992: Flags [S], cksum 0x848a (correct), seq 645280310, win 14600, options [mss 1352,sackOK,TS val 1603200480 ecr 0,nop,wscale 5], length 0
13:57:20.937419 IP (tos 0x0, ttl 44, id 55255, offset 0, flags [DF], proto TCP (6), length 60) 107.20.89.142.43201 > 10.4.0.46.39992: Flags [S], cksum 0x8390 (correct), seq 645280310, win 14600, options [mss 1352,sackOK,TS val 1603200730 ecr 0,nop,wscale 5], length 0
13:57:22.941556 IP (tos 0x0, ttl 44, id 55256, offset 0, flags [DF], proto TCP (6), length 60) 107.20.89.142.43201 > 10.4.0.46.39992: Flags [S], cksum 0x819b (correct), seq 645280310, win 14600, options [mss 1352,sackOK,TS val 1603201231 ecr 0,nop,wscale 5], length 0
13:57:26.945840 IP (tos 0x0, ttl 44, id 55257, offset 0, flags [DF], proto TCP (6), length 60) 107.20.89.142.43201 > 10.4.0.46.39992: Flags [S], cksum 0x7db2 (correct), seq 645280310, win 14600, options [mss 1352,sackOK,TS val 1603202232 ecr 0,nop,wscale 5], length 0
13:57:29.526552 IP (tos 0x0, ttl 44, id 47798, offset 0, flags [DF], proto TCP (6), length 60) 107.20.89.142.43219 > 10.4.0.46.39992: Flags [S], cksum 0x7b5c (correct), seq 48387466, win 14600, options [mss 1352,sackOK,TS val 1603202876 ecr 0,nop,wscale 5], length 0
13:57:30.524343 IP (tos 0x0, ttl 44, id 47799, offset 0, flags [DF], proto TCP (6), length 60) 107.20.89.142.43219 > 10.4.0.46.39992: Flags [S], cksum 0x7a62 (correct), seq 48387466, win 14600, options [mss 1352,sackOK,TS val 1603203126 ecr 0,nop,wscale 5], length 0
13:57:32.528403 IP (tos 0x0, ttl 44, id 47800, offset 0, flags [DF], proto TCP (6), length 60) 107.20.89.142.43219 > 10.4.0.46.39992: Flags [S], cksum 0x786d (correct), seq 48387466, win 14600, options [mss 1352,sackOK,TS val 1603203627 ecr 0,nop,wscale 5], length 0
13:57:36.532558 IP (tos 0x0, ttl 44, id 47801, offset 0, flags [DF], proto TCP (6), length 60) 107.20.89.142.43219 > 10.4.0.46.39992: Flags [S], cksum 0x7484 (correct), seq 48387466, win 14600, options [mss 1352,sackOK,TS val 1603204628 ecr 0,nop,wscale 5], length 0
-
It's getting to you, and your rules are correct (assuming no block rules above the pass rule you showed). Filter under Diag>States for 192.168.1.1:39992. Does it show up, and if so, what is its state shown in the right column?
-
Does this help?
AIRVPN tcp 192.168.1.1:39992 (10.4.0.46:39992) <- 107.20.89.142:47120 SYN_SENT:ESTABLISHED
HOMEVLAN tcp 107.20.89.142:47120 -> 192.168.1.1:39992 ESTABLISHED:SYN_SENT
Looks like it's trying to bring it up, but the service there isn't responding? (Which it is, because I can telnet/nmap to it from the pfsense box fine.)
-
Did a Wireshark capture on the client running the service (192.168.1.1) for tcp.port==39992 and all I see are TCP retransmissions; looks like the responses aren't getting sent by the pfsense box back out the correct interface.
Also, the rules that you mentioned are the only ones, and so they are right at the top for the AIRVPN interface.
Also, I should add that from that box I am able to use the AIRVPN gateway and ping/get to other hosts no problem.
-
Okay, sorted it out... wow.
I think this is what helped me. https://forum.pfsense.org/index.php?topic=57970.0.
I am running an OpenVPN server as well as a client, and the OpenVPN wizard adds a rule. This rule matches on $OpenVPN (not sure what that device actually is), and it matches the packet. The problem is that this rule doesn't have the reply-to in it.
So I had to edit the wizard-created rule to match only the $OpenVPN network.
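Added illustration of the rule-ordering problem the thread ends on; this is not the poster's ruleset or pfSense's generated output, it is a hand-written pf fragment in the style of pfSense's /tmp/rules.debug. Assumed names: the `AIRVPN` and `OpenVPN` macros, the `openvpn` interface group behind `$OpenVPN`, and 10.8.0.0/24 as the local OpenVPN server's tunnel network (the thread never states it). Only the rdr line and the AirVPN pass rule are taken from the thread.

```pf
# Assumed macro definitions (pfSense defines one per interface/group in rules.debug)
AIRVPN  = "{ ovpnc2 }"
OpenVPN = "{ openvpn }"   # interface group: every OpenVPN instance, the AirVPN client included

# Port forward as posted: translate inbound 39992 on the AirVPN tunnel to the LAN host
rdr on ovpnc2 proto { tcp udp } from any to 10.4.0.46 port 39992 -> 192.168.1.1

# BEFORE (wizard rule as described in the thread, kept commented out so this fragment is
# consistent): "from any to any" on the group interface. ovpnc2 is a member of the group,
# so this rule matches the forwarded SYN first, creates the state, and carries no reply-to.
# The SYN/ACK from 192.168.1.1 then leaves via the default route instead of back into ovpnc2,
# which is why the client only ever sees retransmitted SYNs.
# pass in quick on $OpenVPN inet proto { tcp udp } from any to any keep state label "USER_RULE: OpenVPN wizard"

# AFTER: limit the wizard rule to the server's own tunnel network (assumed 10.8.0.0/24)
pass in quick on $OpenVPN inet proto { tcp udp } from 10.8.0.0/24 to any keep state label "USER_RULE: OpenVPN wizard"

# Now the AirVPN rule is the first match for the forwarded connection. Its reply-to pins
# the return traffic to ovpnc2 via the tunnel gateway, so replies go back out the way they came.
pass in log quick on $AIRVPN reply-to ( ovpnc2 10.4.0.46 ) inet proto { tcp udp } from any to any port 39992 keep state label "USER_RULE"
```

To confirm which rule actually created the state on a pfSense box, `pfctl -sr | grep 39992` shows the loaded rule order and `pfctl -ss | grep 39992` lists the state with the interface it was created on (the shell equivalent of Diag > States); a state created by the group rule will show up on the `openvpn` group rather than on the AirVPN interface.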