OpenVPN Server behind PFSense (ping is possible, web access not)



  • Hi everybody,

I am totally frustrated. I want to use an OpenVPN Server behind the PFSense and I think there is only one missing action before it works, but I cannot solve the problem. I hope you can show me the missing piece in the puzzle.

    My Setup:

    • mobile clients (e.g. Ubuntu Notebook or IPhone) –> Internet --> PFSense --> Ubuntu (VPN-Server) AND Local Network

    • local Network is 192.168.0.5

• on the PFSense I also use the OpenVPN Server and it is working perfectly. But I also want to use the VPN-Server behind the PFSense.

    • OpenVPN from PFSense 10.8.0.0 - access via port 33334

    • OpenVPN from ubuntu Server 10.8.8.0 - access via port 1194

    Here are the settings:
    client.ovpn (from the ubuntu client)

    client
    dev tun
    proto udp
    remote 37.148.xx.xx (anonymized)
    port 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    verb 3
    comp-lzo
    
    inline ca...
    inline key...
    inline cert...
    
    

    server.conf - from the ubuntu openvpn server

    
    dev tun
    proto udp
    port 1194
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/ionas-server.crt
    key /etc/openvpn/easy-rsa/keys/ionas-server.key
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem
    user nobody
    group nogroup
    server 10.8.8.0 255.255.255.0
    persist-key
    persist-tun
    status /var/log/openvpn-status.log
    verb 4
    client-to-client
    push "route 192.168.5.0 255.255.255.0"
    log-append /var/log/openvpn
    comp-lzo
    keepalive 10 120
    client-config-dir /media/disk/openvpn/user-configs
    ccd-exclusive
    
    

    on the PFsense I did the following:

    1. I created a port forwarding from port 1194 to the lan-address of the openvpn-server: 192.168.5.43
    2. automatically there was a rule created in the WAN-Interface
      IPv4 TCP/UDP * * 192.168.5.43 1194 (OpenVPN) * none   NAT allow wlan

    The situation now:
    I can connect via openvpn to the openvpn server behind the pfsense. The output is

    
    Sat Aug  1 10:56:38 2015 ROUTE_GATEWAY 192.168.7.1/255.255.255.0 IFACE=wlan0 HWADDR=00:24:d7:9f:99:bc
    Sat Aug  1 10:56:38 2015 TUN/TAP device tun0 opened
    Sat Aug  1 10:56:38 2015 TUN/TAP TX queue length set to 100
    Sat Aug  1 10:56:38 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Aug  1 10:56:38 2015 /sbin/ip link set dev tun0 up mtu 1500
    Sat Aug  1 10:56:38 2015 /sbin/ip addr add dev tun0 local 10.8.8.10 peer 10.8.8.9
    Sat Aug  1 10:56:38 2015 /sbin/ip route add 192.168.5.0/24 via 10.8.8.9
    Sat Aug  1 10:56:38 2015 /sbin/ip route add 10.8.8.0/24 via 10.8.8.9
    Sat Aug  1 10:56:38 2015 Initialization Sequence Completed
    
    

route -n on the client shows me

    
    0.0.0.0         192.168.7.1     0.0.0.0         UG    0      0        0 wlan0
    10.8.8.0        10.8.8.9        255.255.255.0   UG    0      0        0 tun0
    10.8.8.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    192.168.5.0     10.8.8.9        255.255.255.0   UG    0      0        0 tun0
    192.168.7.0     0.0.0.0         255.255.255.0   U     9      0        0 wlan0
    
    

    Hint: 192.168.7.1 is the network at home. 192.168.5.0 is the local network I want to connect to.

What is strange is that I can ping all devices in the network:

    • ping 192.168.5.1, ping 192.168.5.43, ping 192.168.5.10 all are possible.
    • but as soon as I want to access e.g. the webserver from 192.168.5.43 there is a network timeout.
• I cannot find anything in the logs of the firewall.

    Now my question is what can I do?

• I have the feeling that the packets do not find their way back. So do I have to define a gateway? Is 192.168.5.43 the gateway or the wan interface?
    • is there a missing firewall rule?
    • do I need a static rule?
    • is the setting in advanced -> network -> bypass interface .. relevant?

    Thanks for your help.
    Best regards
    Christoph



• local Network is 192.168.0.5

    I guess you really mean 192.168.5.0/24

    Devices in 192.168.5.0/24 probably have their default gateway set to pfSense LAN IP (192.168.5.1 ?)
In that case when they try to reply to the client on OpenVPN Ubuntu they will send the reply packet to pfSense LAN IP. pfSense will not have a state for it and so will drop it. You will have asymmetric routing. There is an advanced button that helps with that (can't remember the name off the top of my head), out of state stuff. But you would also need to add a route on pfSense that says 10.8.8.0/24 is reached by going to 192.168.5.43.

    Or on each of the devices you wish to reach from the 10.8.8.0/24 tunnel, add a route to the device so it knows to use 192.168.5.43 for traffic to 10.8.8.0/24



  • Hi phil.davis,

Thanks for your response. The button is called "Bypass firewall rules for traffic on the same interface" and can be found on system -> advanced -> network. But unfortunately this is not working.

    I just want to summarize what you wrote:

• I have a notebook with the local ip: 192.168.7.200. It has also a public ip 91.xx.xx.xx.
    • it connects via the public ip of the pfsense 37.148.xx.xx with port 1194.
    • pfsense has a port forwarding rule for port 1194 and it passes the request to the ip: 192.168.5.43
• on ip 192.168.5.43 an openvpn server is listening
    • the connection is authorized and the vpn-tunnel is created
    • the client receives the ip: 10.8.8.9 for the tunnel and receives the route: 192.168.5.0 255.255.255.0
    • so the client sends all the requests for e.g. 192.168.5.43 or 192.168.5.1 to the tun0.
    • the openvpn server receives the requests on 10.8.8.1 and passes the requests e.g. to 192.168.5.43.
    • 192.168.5.43 receives the https request and answers with the content of the webpage.

– Now I struggle a little bit.

• shouldn't the answer go to the origin? That means 192.168.5.43 replies to 10.8.8.1 and 10.8.8.1 replies to 10.8.8.9?
• of course 192.168.5.43 receives via DHCP from the PFsense that the default gateway is 192.168.5.1
    • by the way the route on the openvpn server as soon as there is a connection is:
    
    Ziel            Router          Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.5.1     0.0.0.0         UG    0      0        0 eth0
    10.8.8.0        10.8.8.2        255.255.255.0   UG    0      0        0 tun0
    10.8.8.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    
    

    – I tried the following:

    • I created a gateway in the pfsense with name: openvpnbehindpfsense interface: LAN gateway: 192.168.5.43
    • and I created a rule on the lan that destination 10.8.8.0/24 has to use this gateway.
      IPv4 TCP/UDP * * 10.8.8.0/24 * openvpnbehindpfsense none 
      but this does not solve the problem.

    -- I have another point:

• we have in our office two WANs. One with a static IP that is used for the openvpn access and one with a dynamic ip. Could that be the problem? That the replies are sent to the second wan and not the first one?

    Thanks for your help.
    Best regards
    Christoph



  • LAYER 8 Netgate

    • I created a gateway in the pfsense with name: openvpnbehindpfsense      interface: LAN      gateway: 192.168.5.43
    • and I created a rule on the lan that destination 10.8.8.0/24 has to use this gateway.
      IPv4 TCP/UDP    *    *    10.8.8.0/24    *    openvpnbehindpfsense    none
      but this does not solve the problem.

    No.  That rule on LAN won't do it.

    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

    You want to delete that and go to System > Routing and create a route for 10.8.8.0/24 to gateway openvpnbehindpfsense.


  • LAYER 8 Netgate

    I see now.  A diagram would have made it instantly obvious.  :P

    The way you have it designed you either need to have a route in all your clients on 192.168.5.0/24 that tells them to reach 10.8.8.0/24 via 192.168.5.43 - probably not practical.

    Or you have to hairpin traffic into pfSense (the 192.168.5.0/24 default gateway) and back out the same interface - which is unsound design. As you're finding out, problems happen.

    A better way would be to put the Linux OpenVPN server on another subnet/pfSense interface. Then all the routing would be done by one router and you wouldn't be stuck trying to make an unsound design work.
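To make the asymmetric-routing problem from this thread concrete, here is an added example (not code from the thread or from pfSense): a small Python model of the posted routing tables, using the thread's own addresses, that traces the request and the reply hop by hop for the setup as posted, for the static route on pfSense suggested above, and for the per-host route alternative. The node names, the 192.168.5.10 web host, and the "internet" sink are assumptions of the model.

```python
import ipaddress
# Constructed model of the thread's topology (added example, not code from the post).
# Tunnel addresses follow the client log: client 10.8.8.10, OpenVPN server 10.8.8.1.
ADDRS = {"10.8.8.10": "client", "10.8.8.1": "vpnsrv", "192.168.5.43": "vpnsrv",
         "192.168.5.10": "lanhost", "192.168.5.1": "pfsense"}

def base_routes():
    """Per-node tables as posted: prefix -> next-hop node, or "connected" for direct delivery."""
    return {
        "client":  {"10.8.8.0/24": "vpnsrv", "192.168.5.0/24": "vpnsrv", "0.0.0.0/0": "internet"},
        "vpnsrv":  {"10.8.8.0/24": "connected", "192.168.5.0/24": "connected", "0.0.0.0/0": "pfsense"},
        "lanhost": {"192.168.5.0/24": "connected", "0.0.0.0/0": "pfsense"},
        "pfsense": {"192.168.5.0/24": "connected", "0.0.0.0/0": "internet"},
    }

def add_route(routes, node, prefix, hop):
    """Return a copy of the tables with one static route added on `node`."""
    routes = {n: dict(t) for n, t in routes.items()}
    routes[node][prefix] = hop
    return routes

def next_hop(routes, node, dst):
    """Longest-prefix match, as `route -n` / `ip route get` would resolve it on that host."""
    ip = ipaddress.ip_address(dst)
    best = max((p for p in routes[node] if ip in ipaddress.ip_network(p)),
               key=lambda p: ipaddress.ip_network(p).prefixlen)
    hop = routes[node][best]
    return ADDRS.get(dst, "unreachable") if hop == "connected" else hop

def trace(routes, src_node, dst):
    """Follow one packet hop by hop until it is delivered or leaves the modelled network."""
    path, node = [src_node], src_node
    while node in routes and ADDRS.get(dst) != node:
        node = next_hop(routes, node, dst)
        path.append(node)
    return path

def is_symmetric(routes, a, a_ip, b, b_ip):
    """True when the reply retraces the request, so a stateful firewall on the path sees both directions."""
    return trace(routes, a, b_ip) == list(reversed(trace(routes, b, a_ip)))

if __name__ == "__main__":
    scenarios = {
        "as posted": base_routes(),
        "pfSense static route": add_route(base_routes(), "pfsense", "10.8.8.0/24", "vpnsrv"),  # System > Routing
        "route on each LAN host": add_route(base_routes(), "lanhost", "10.8.8.0/24", "vpnsrv"),  # per-device route
    }
    for label, r in scenarios.items():
        print(f"{label:23} request {trace(r, 'client', '192.168.5.10')}  reply {trace(r, 'lanhost', '10.8.8.10')}",
              "symmetric" if is_symmetric(r, "client", "10.8.8.10", "lanhost", "192.168.5.10") else "asymmetric")
```

The output shows why the static route alone is not enough: even with it, pfSense only appears on the reply path, so it never sees the opening packet of the flow it is asked to forward; only the per-host route (or a separate pfSense interface for the VPN host) makes both directions traverse the same devices.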



  • Hi Derelict,

Thanks for your answer. I think you already told me how to achieve the goal but I don't know how. Can you help me in more detail?

    1. I made a diagram of my setup. You find it at: https://www.ionas.com/external/openvpn_behind_pfsense.png

2. I think an own interface for the openvpn behind the pfsense is the best way. So I tried to assign a new interface. I created a vlan 666 because vr0 (that is my lan) cannot be chosen. Is it correct that I have to use a vlan?
      I took: static ipv4 and the ipv4 address is 10.8.8.1
      the ipv4 upstream gateway is my previously created gateway 10.8.8.1

3. I created a firewall rule for the new interface. It allows everything and as gateway I took the gateway 10.8.8.1

    Is that correct? Can you tell me how you would do it?

    Best regards
    Christoph



  • Hi everybody,

I tried again last night to put the openvpn connection to a server in the lan on an own interface. I didn't reach my goal.
    Can anybody tell me how to do it?

My main problem is to decide which "network port" I have to select on the page "assign Interfaces". Do I have to choose the vr0 (which is my lan) or do I have to create a VLAN?
    Thanks in advance for any hint.

    Best regards
    Christoph



  • Hi everybody,

I am still struggling with an openvpn server behind pfsense. Can anybody give me a hint what to do?
    Derelict writes that it would be best to assign an own interface to the server. I tried to do this but what network port do I have to use for this new interface? I have no more real lan port and a virtual one has to be assigned to vr0 = lan or vr2 = dsl line or something virtual…

    I am looking forward to your help.
    Best regards
    Christoph


  • LAYER 8 Global Moderator

    Running a vpn server inside the network is at best a problematic setup.  Why not just run openvpn on pfsense itself?

You run into routing problems when the vpn tunnel endpoint is just some IP in the lan network.  As mentioned already you either need routes on all your hosts that your vpn clients would want to talk to, and or you would have to hairpin a connection off pfsense, which is the gateway for your lan machines off that network.

What is your reasoning for running the vpn server behind pfsense and not on pfsense?  You're really just making something that is clickity clickity to get up and running into a configuration mess.



  • I use OpenVPN on pfSense for all my remote connections.  Works like a charm and easy to configure.



  • Running a vpn server inside the network is at best a problematic setup.

    OpenVPN servers behind firewalls can work with a port forwarding and a static route so there is no rocket science involved.

One scenario (that requires OpenVPN server(s) BEHIND pfSense) is when there are multiple OpenVPN servers behind the firewall/pfSense. E.g. for penetration/version testing and/or high availability.

It would really help me (and Christoph) if there is some pfSense configuration/setting available that supports this configuration.

    Thanks, regards,

    Beau

