Netgate Discussion Forum
    OpenVPN Server behind PFSense (ping is possible, web access not)

    12 Posts 6 Posters 8.0k Views
    phil.davis

      Local Network is 192.168.0.5

      I guess you really mean 192.168.5.0/24

      Devices in 192.168.5.0/24 probably have their default gateway set to pfSense LAN IP (192.168.5.1 ?)
      In that case when they try to reply to the client on OpenVPN Ubuntu they will send the reply packet to pfSense LAN IP. pfSense will not have a state for it and so will drop it. You will have asymmetric routing. There is an advanced button that helps with that (can't remember the name off the top of my head) out of state stuff. But you would also need to add a route on pfSense that says 10.8.8.0/24 is reached by going to 192.168.5.43

      Or on each of the devices you wish to reach from the 10.8.8.0/24 tunnel, add a route to the device so it knows to use 192.168.5.43 for traffic to 10.8.8.0/24

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

      christophdb

        Hi phil.davis,

        Thanks for your response. The button is called "Bypass firewall rules for traffic on the same interface" and can be found on system -> advanced -> network. But unfortunately this is not working.

        I just want to summarize what you wrote:

        • I have a notebook with the local ip: 192.168.7.200. It has also a public ip 91.xx.xx.xx.
        • it connects via the public ip of the pfsense 37.148.xx.xx with port 1194.
        • pfsense has a port forwarding rule for port 1194 and it passes the request to the ip: 192.168.5.43
        • on ip 192.168.5.43 an openvpn server is listening
        • the connection is authorized and the vpn-tunnel is created
        • the client receives the ip: 10.8.8.9 for the tunnel and receives the route: 192.168.5.0 255.255.255.0
        • so the client sends all the requests for e.g. 192.168.5.43 or 192.168.5.1 to the tun0.
        • the openvpn server receives the requests on 10.8.8.1 and passes the requests e.g. to 192.168.5.43.
        • 192.168.5.43 receives the https request and answers with the content of the webpage.

        – now i struggle a little bit.

        • shouldn't the answer go to the origin? That means 192.168.5.43 replies to 10.8.8.1 and 10.8.8.1 replies to 10.8.8.9?
        • of course 192.168.5.43 receives via DHCP from the PFsense that the default gateway is 192.168.5.1
        • by the way the route on the openvpn server as soon as there is a connection is:
        
        Ziel            Router          Genmask         Flags Metric Ref    Use Iface
        0.0.0.0         192.168.5.1     0.0.0.0         UG    0      0        0 eth0
        10.8.8.0        10.8.8.2        255.255.255.0   UG    0      0        0 tun0
        10.8.8.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
        192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

        – I tried the following:

        • I created a gateway in the pfsense with name: openvpnbehindpfsense interface: LAN gateway: 192.168.5.43
        • and I created a rule on the lan that destination 10.8.8.0/24 has to use this gateway.
          IPv4 TCP/UDP * * 10.8.8.0/24 * openvpnbehindpfsense none 
          but this does not solve the problem.

        -- I have another point:

        • we have in our office two WANs. One with a static IP that is used for the openvpn access and one with a dynamic ip. Could that be the problem? That the replies are sent to the second wan and not the first one?

        Thanks for your help.
        Best regards
        Christoph

        PC service via remote maintenance 365 days a year.

          Derelict (LAYER 8, Netgate)

          Perhaps you need to bypass policy routing for the VPN traffic.

          https://doc.pfsense.org/index.php/What_is_policy_routing

          https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            Derelict (LAYER 8, Netgate)

            • I created a gateway in the pfsense with name: openvpnbehindpfsense      interface: LAN      gateway: 192.168.5.43
            • and I created a rule on the lan that destination 10.8.8.0/24 has to use this gateway.
              IPv4 TCP/UDP    *    *    10.8.8.0/24    *    openvpnbehindpfsense    none
              but this does not solve the problem.

            No.  That rule on LAN won't do it.

            https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

            https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

            You want to delete that and go to System > Routing and create a route for 10.8.8.0/24 to gateway openvpnbehindpfsense.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              Derelict (LAYER 8, Netgate)

              I see now.  A diagram would have made it instantly obvious.  :P

              The way you have it designed you either need to have a route in all your clients on 192.168.5.0/24 that tells them to reach 10.8.8.0/24 via 192.168.5.43 - probably not practical.

              Or you have to hairpin traffic into pfSense (the 192.168.5.0/24 default gateway) and back out the same interface - which is unsound design. As you're finding out, problems happen.

              A better way would be to put the Linux OpenVPN server on another subnet/pfSense interface. Then all the routing would be done by one router and you wouldn't be stuck trying to make an unsound design work.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)
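              The routing situation described in this post and in phil.davis's first reply can be traced with a small model. The following is an added example, not code from the thread or from pfSense: it implements longest-prefix-match forwarding for each node plus a stateful transit node standing in for pfSense (TCP state is only created on a SYN, which is pf's default `flags S/SA` behaviour), and walks a TCP SYN from the VPN client to a LAN host and the SYN-ACK back. It reproduces the dropped reply in the thread's layout, then shows the three designs discussed: a static route on pfSense combined with the same-interface bypass option, a route on each LAN host, and the server on its own pfSense interface. The LAN host 192.168.5.10, the OPT1 subnet 192.168.6.0/24 and the WAN gateway 203.0.113.1 are constructed for the example; the other addresses are the thread's.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    ifaces: dict                      # interface name -> IP address owned on it
    routes: list                      # (prefix, gateway or None for on-link, out interface)
    stateful: bool = False            # pfSense-like: pass rules keep state
    bypass_same_iface: bool = False   # "Bypass firewall rules for traffic on the same interface"
    states: set = field(default_factory=set)

    def lookup(self, dst):
        """Longest-prefix match; returns (gateway, out_iface) or None."""
        best = None
        for prefix, gw, iface in self.routes:
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, gw, iface)
        return None if best is None else best[1:]


def owners(nodes):
    """Map every IP in the model to (node, interface) so next hops can be resolved."""
    return {ip: (n, ifname) for n in nodes for ifname, ip in n.ifaces.items()}


def trace(owner, src, dst, syn, max_hops=8):
    """Walk one packet hop by hop; return (list of node names, outcome string)."""
    node, in_iface = owner[src]
    hops = [node.name]
    for _ in range(max_hops):
        if dst in node.ifaces.values():
            return hops, "delivered"
        route = node.lookup(dst)
        if route is None:
            return hops, f"dropped: no route on {node.name}"
        gw, out_iface = route
        if node.stateful:
            key = frozenset((src, dst))
            if key in node.states:
                pass                                  # reply matches an existing state
            elif syn:
                node.states.add(key)                  # state is created on the SYN only
            elif node.bypass_same_iface and in_iface == out_iface:
                pass                                  # hairpin traffic skipped by the bypass option
            else:
                return hops, f"dropped: no state on {node.name}"
        next_hop = gw or dst
        if next_hop not in owner:
            return hops, f"dropped: next hop {next_hop} is outside the model"
        node, in_iface = owner[next_hop]
        hops.append(node.name)
    return hops, "dropped: hop limit"


def vpn_server_on_lan(pf_static_route=False, bypass=False, host_route=False):
    """Thread layout: OpenVPN server 192.168.5.43 inside the LAN whose gateway is pfSense."""
    client = Node("client", {"tun0": "10.8.8.9"},
                  [("10.8.8.0/24", None, "tun0"), ("192.168.5.0/24", "10.8.8.1", "tun0")])
    server = Node("vpn-server", {"eth0": "192.168.5.43", "tun0": "10.8.8.1"},
                  [("0.0.0.0/0", "192.168.5.1", "eth0"), ("192.168.5.0/24", None, "eth0"),
                   ("10.8.8.0/24", None, "tun0")])
    host_routes = [("0.0.0.0/0", "192.168.5.1", "eth0"), ("192.168.5.0/24", None, "eth0")]
    if host_route:            # phil.davis's alternative: a route on each LAN device
        host_routes.append(("10.8.8.0/24", "192.168.5.43", "eth0"))
    host = Node("lan-host", {"eth0": "192.168.5.10"}, host_routes)   # constructed host
    pf_routes = [("0.0.0.0/0", "203.0.113.1", "wan"), ("192.168.5.0/24", None, "lan")]
    if pf_static_route:       # System > Routing: 10.8.8.0/24 via gateway 192.168.5.43
        pf_routes.append(("10.8.8.0/24", "192.168.5.43", "lan"))
    pfsense = Node("pfSense", {"lan": "192.168.5.1"}, pf_routes,
                   stateful=True, bypass_same_iface=bypass)
    owner = owners([client, server, host, pfsense])
    return (trace(owner, "10.8.8.9", "192.168.5.10", syn=True),     # SYN from the VPN client
            trace(owner, "192.168.5.10", "10.8.8.9", syn=False))    # SYN-ACK from the LAN host


def vpn_server_on_own_interface():
    """Derelict's recommendation: the server on its own pfSense interface (192.168.6.0/24, constructed)."""
    client = Node("client", {"tun0": "10.8.8.9"},
                  [("10.8.8.0/24", None, "tun0"), ("192.168.5.0/24", "10.8.8.1", "tun0")])
    server = Node("vpn-server", {"eth0": "192.168.6.2", "tun0": "10.8.8.1"},
                  [("0.0.0.0/0", "192.168.6.1", "eth0"), ("192.168.6.0/24", None, "eth0"),
                   ("10.8.8.0/24", None, "tun0")])
    host = Node("lan-host", {"eth0": "192.168.5.10"},
                [("0.0.0.0/0", "192.168.5.1", "eth0"), ("192.168.5.0/24", None, "eth0")])
    pfsense = Node("pfSense", {"lan": "192.168.5.1", "opt1": "192.168.6.1"},
                   [("0.0.0.0/0", "203.0.113.1", "wan"), ("192.168.5.0/24", None, "lan"),
                    ("192.168.6.0/24", None, "opt1"), ("10.8.8.0/24", "192.168.6.2", "opt1")],
                   stateful=True)
    owner = owners([client, server, host, pfsense])
    return (trace(owner, "10.8.8.9", "192.168.5.10", syn=True),
            trace(owner, "192.168.5.10", "10.8.8.9", syn=False))


if __name__ == "__main__":
    for label, ((fh, fo), (rh, ro)) in [
        ("server on LAN, nothing else", vpn_server_on_lan()),
        ("+ static route on pfSense only", vpn_server_on_lan(pf_static_route=True)),
        ("+ static route and same-interface bypass", vpn_server_on_lan(True, True)),
        ("+ route on each LAN host", vpn_server_on_lan(host_route=True)),
        ("server on its own pfSense interface", vpn_server_on_own_interface()),
    ]:
        print(f"{label}: forward {' > '.join(fh)} [{fo}]; reply {' > '.join(rh)} [{ro}]")
```

              In the thread's layout the SYN never touches pfSense, so the SYN-ACK arriving at the LAN gateway has no state to match and is dropped; a static route alone does not change that, only the route together with the same-interface bypass lets the reply hairpin back to 192.168.5.43. With the server on its own interface both directions pass through pfSense, the SYN creates the state, and no bypass is needed. The model covers TCP only and ignores NAT.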

                christophdb

                Hi Derelict,

                thanks for your answer. I think you already told how to achieve the goal but I don't know how. Can you help me in more detail?

                1. I made a diagram of my setup. You find it at: https://www.ionas.com/external/openvpn_behind_pfsense.png

                2. I think an own interface for the openvpn behind the pfsense is the best way. So I tried to assign a new interface. I created a vlan 666 because vr0 (that is my lan) can not be chosen. Is that correct that I have to use a vlan?
                  I took: static ipv4 and the ipv4 address is 10.8.8.1
                  the ipv4 upstream gateway is my previously created gateway 10.8.8.1

                3. I created a firewall rule for the new interface. It allows everything and as gateway I took the gateway 10.8.8.1

                Is that correct? Can you tell me how you would do it?

                Best regards
                Christoph

                PC service via remote maintenance 365 days a year.

                  christophdb

                  Hi everybody,

                  I tried again last night to put the openvpn connection to a server in the lan to an own interface. I didn't reach my goal.
                  Can anybody tell me how to do it?

                  My main problem is to decide which "network port" I have to select on the page "assign Interfaces". Do I have to choose the vr0 (which is my lan) or do I have to create a VLAN?
                  Thanks in advance for any hint.

                  Best regards
                  Christoph

                  PC service via remote maintenance 365 days a year.

                    christophdb

                    Hi everybody,

                    I am still struggling with an openvpn server behind pfsense. Can anybody give me a hint what to do?
                    Derelict writes that it would be best to assign an own interface to the server. I tried to do this but what network port do I have to use for this new interface? I have no more real lan port and a virtual one has to be assigned to vr0 = lan or vr2 = dsl line or something virtual…

                    I am looking forward to your help.
                    Best regards
                    Christoph

                    PC service via remote maintenance 365 days a year.

                      johnpoz (LAYER 8, Global Moderator)

                      Running a vpn server inside the network is at best a problematic setup.  Why not just run openvpn on pfsense itself?

                      You run into routing problems when the vpn tunnel endpoint is just some IP in the lan network.  As mentioned already you either need routes on all your hosts that your vpn clients would want to talk to, and or you would have to hairpin a connection off pfsense which is the gateway for your lan machines off that network.

                      What is your reasoning for running the vpn server behind pfsense and not on pfsense?  You're really just making something that is clickity clickity to get up and running into a configuration mess.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                        KOM

                        I use OpenVPN on pfSense for all my remote connections.  Works like a charm and easy to configure.

                          beaukey

                          Running a vpn server inside the network is at best a problematic setup.

                          OpenVPN servers behind firewalls can work with a port forwarding and a static route so there is no rocket science involved.

                          One scenario (that requires OpenVPN server(s) BEHIND pfSense) is when there are multiple OpenVPN servers behind the firewall/pfSense. E.g. for penetration/version or testing and/or high availability.

                          It would really help me (and Christoph) if there is some pfSense configuration/setting available that supports this configuration.

                          Thanks, regards,

                          Beau

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.