Can't connect to OpenVPN, unless I disable the firewall….

Zyklon · Aug 19, 2015, 11:51 AM

I setup a simple OPenVPN using the wizard install, it automatically created the firewall rules

however the only way I can connect remotely to it is by temporary disabling the firewall, "pfctl -d"

when the firewall is enable it doesnt work remotely only if I log from inside the local network, even if the port is listed as open on the rules

other issues that happens… the internet does not work once connected to the VPN

johnpoz · Aug 19, 2015, 1:49 PM

Are you trying to hit the public wan IP from inside pfsense network? When you run through the wizard it would auto create the wan rules. ARe you behind a double nat, if so you would have to forward the ports to pfsense wan from the nat device in front of pfsense.

This is really clickity clickity working.. Does pfsense have pubic on its wan? Or does it start with 10.x or 192.168.x or 172.16-31.x ?

As to internet through the vpn - are you handing out some dns that works, are you setting client to use the vpn for gateway?

Zyklon · Aug 19, 2015, 2:38 PM

well, I deleted all my configuration and made everything again using this guide

https://chubbable.com/setup-openvpn-pfsense

I made some really good progress, now I can connect to the VPN from the internet and the internet still works :)

Only one problem Im facing down, is that I cant still access the servers that are connected to the pfsense firewall box from the VPN

for example server Im trying to access is 192.168.90.67

what Im missing now?

Derelict · Aug 19, 2015, 2:42 PM

"Software" firewall on 192.168.90.67 ??

Pass rules on the OpenVPN tab on the server?

Zyklon · Aug 19, 2015, 2:45 PM

@Derelict:

"Software" firewall on 192.168.90.67 ??

Pass rules on the OpenVPN tab on the server?

no, the firewall LAN IP is 192.168.90.82

192.168.90.67 is just some server

here the messages that show up when I log in the VPN

Wed Aug 19 15:40:15 2015 TAP-WIN32 device [Ethernet 2] opened: \.\Global{D4A3949A-E471-4013-A280-51511BA027D7}.tap
Wed Aug 19 15:40:15 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.8.6/255.255.255.252 on interface {D4A3949A-E471-4013-A280-51511BA027D7} [DHCP-serv: 10.0.8.5, lease-time: 31536000]
Wed Aug 19 15:40:21 2015 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=36]
Wed Aug 19 15:40:21 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Wed Aug 19 15:40:21 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1
Wed Aug 19 15:40:21 2015 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=36]
Wed Aug 19 15:40:21 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Wed Aug 19 15:40:21 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1
Wed Aug 19 15:40:21 2015 Initialization Sequence Completed

Zyklon · Aug 19, 2015, 2:48 PM

I run the GUI as administrator

error messages not show up anymore, but still not connecting to the server..

Wed Aug 19 15:45:01 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Aug 19 15:45:01 2015 open_tun, tt->ipv6=0
Wed Aug 19 15:45:01 2015 TAP-WIN32 device [Ethernet 2] opened: \.\Global{D4A3949A-E471-4013-A280-51511BA027D7}.tap
Wed Aug 19 15:45:01 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.8.6/255.255.255.252 on interface {D4A3949A-E471-4013-A280-51511BA027D7} [DHCP-serv: 10.0.8.5, lease-time: 31536000]
Wed Aug 19 15:45:01 2015 Successful ARP Flush on interface [36] {D4A3949A-E471-4013-A280-51511BA027D7}
Wed Aug 19 15:45:07 2015 Initialization Sequence Completed

johnpoz · Aug 19, 2015, 7:00 PM

and where are you routes on your client to this 192.168.90 network?

So for example when I connect in I get the routes added to my networks behind pfsense

Wed Aug 19 13:57:53 2015 C:\Windows\system32\route.exe ADD 192.168.9.0 MASK 255.255.255.0 10.0.8.5
Wed Aug 19 13:57:53 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Wed Aug 19 13:57:53 2015 Route addition via IPAPI succeeded [adaptive]
Wed Aug 19 13:57:53 2015 C:\Windows\system32\route.exe ADD 192.168.2.0 MASK 255.255.255.0 10.0.8.5
Wed Aug 19 13:57:53 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Wed Aug 19 13:57:53 2015 Route addition via IPAPI succeeded [adaptive]
Wed Aug 19 13:57:53 2015 C:\Windows\system32\route.exe ADD 192.168.3.0 MASK 255.255.255.0 10.0.8.5
Wed Aug 19 13:57:53 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Wed Aug 19 13:57:53 2015 Route addition via IPAPI succeeded [adaptive]

You should be seeing your route added to your machine.. Look in your route print on your machine

192.168.2.0 255.255.255.0 10.0.8.5 10.0.8.6 20
192.168.3.0 255.255.255.0 10.0.8.5 10.0.8.6 20
192.168.9.0 255.255.255.0 10.0.8.5 10.0.8.6 20

Why would you need a guide - this really is clickity clickity using the wizard!!

But your going to to have to worry about any software firewalls on the box your trying to connect to for sure.

Zyklon · Aug 20, 2015, 2:23 PM

alright I got the VPN working now

I can access the servers on the VPN network )))

but now Im back to the original problem, once I connect to the OpenVPN I loose connection to the internet

Do i need to create a foward rule in pfsense firewall from 10.0.6.0 network to LAN or WAN??

johnpoz · Aug 20, 2015, 2:46 PM

you do not need a forward.. when you run through the wizard it will create nats for your vpn networks. For vpn clients to go out your public internet connection on your pfsense that network has to be natted to your public IP. You should see these on your outbound nats - see attached

And lets be clear - you want your remote client to access internet through your vpn connection, not a split tunnel where you use the vpn for access to your networks behind pfsense. But internet using the clients current internet connection?

Zyklon · Aug 20, 2015, 2:59 PM

maybe its a DNS configuration, I can ping google IP address but cant resolve anything

on openvpn server I addess the server LAN ip on DNS list, anything else Im missing?

Zyklon · Aug 20, 2015, 3:14 PM

here another test I did

if i change the openVPN DNS to 8.8.8.8 (google public dns) I can access the internet, but It wont resolve my internal hostnames

So how can I fix the resolving that goes thru the local firewall DNS IP so I can access both

the local IP wont resolve anything from the OPenVPN, but works if Im inside its network

Zyklon · Aug 20, 2015, 3:21 PM

well, I think I resolved the problem 8)

I turned on "DNS Query Forwarding Enable Forwarding Mode" under the DNS resolver tab

now i can use the local IP to resolve both the internet and the local servers

will do more tests now to see if it all work

thank you all for the support and helping me out :)

johnpoz · Aug 20, 2015, 5:53 PM

Well if you can not resolve something with using the resolver than you have other issues.. Nobody would work using your resolver on your network, not just vpn users.

I take it you really don't understand what the difference between forwarding and resolver is?

If you want clients to resolve local stuff then they should have 1 dns - the dns that has your local stuff in it. This dns then should either resolve for forward.. When you place multiple dns in a client where some are public and some are local you have no real idea when the client would use 1 vs the other, and depending on what is returned either refused, serv fail or nx can determine if the client asks the other dns in its list. Or if just times out talking to one of them.

This is not a good strategy to count on client asking the correct dns for what its looking for by switching back and forth between them. For one in this scenario you end up asking say google for your local stuff. Which is just waste of time and could be seen as information leak.