Netgate Discussion Forum

Can't connect to OpenVPN, unless I disable the firewall….

OpenVPN
13 Posts 3 Posters 2.0k Views

Zyklon
last edited by Aug 19, 2015, 11:51 AM

I set up a simple OpenVPN using the wizard install; it automatically created the firewall rules.

However, the only way I can connect remotely to it is by temporarily disabling the firewall ("pfctl -d").

When the firewall is enabled it doesn't work remotely, only if I log in from inside the local network, even though the port is listed as open in the rules.

Another issue that happens: the internet does not work once connected to the VPN.

johnpoz LAYER 8 Global Moderator
last edited by Aug 19, 2015, 1:49 PM

Are you trying to hit the public WAN IP from inside the pfSense network? When you run through the wizard it auto-creates the WAN rules. Are you behind a double NAT? If so, you would have to forward the ports to the pfSense WAN from the NAT device in front of pfSense.

This is really clickity clickity working. Does pfSense have a public IP on its WAN? Or does it start with 10.x, 192.168.x or 172.16-31.x?

As to internet through the VPN: are you handing out DNS that works? Are you setting the client to use the VPN for its gateway?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11

Zyklon
last edited by Aug 19, 2015, 2:38 PM

Well, I deleted all my configuration and set everything up again using this guide:

https://chubbable.com/setup-openvpn-pfsense

I made some really good progress; now I can connect to the VPN from the internet and the internet still works :)

The only problem I'm facing now is that I still can't access the servers that are connected to the pfSense firewall box from the VPN.

For example, the server I'm trying to access is 192.168.90.67.

What am I missing now?

[attachment: openvpn.jpg]

Derelict LAYER 8 Netgate
last edited by Aug 19, 2015, 2:42 PM

          "Software" firewall on 192.168.90.67 ??

          Pass rules on the OpenVPN tab on the server?

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

Zyklon
last edited by Aug 19, 2015, 2:45 PM

@Derelict:

"Software" firewall on 192.168.90.67 ??

Pass rules on the OpenVPN tab on the server?

No, the firewall LAN IP is 192.168.90.82.

192.168.90.67 is just some server.

Here are the messages that show up when I log in to the VPN:

Wed Aug 19 15:40:15 2015 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{D4A3949A-E471-4013-A280-51511BA027D7}.tap
Wed Aug 19 15:40:15 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.8.6/255.255.255.252 on interface {D4A3949A-E471-4013-A280-51511BA027D7} [DHCP-serv: 10.0.8.5, lease-time: 31536000]
Wed Aug 19 15:40:21 2015 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.  [status=5 if_index=36]
Wed Aug 19 15:40:21 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Wed Aug 19 15:40:21 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1
Wed Aug 19 15:40:21 2015 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.  [status=5 if_index=36]
Wed Aug 19 15:40:21 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Wed Aug 19 15:40:21 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1
Wed Aug 19 15:40:21 2015 Initialization Sequence Completed

Zyklon
last edited by Aug 19, 2015, 2:48 PM

I ran the GUI as administrator.

The error messages don't show up anymore, but I'm still not connecting to the server..

Wed Aug 19 15:45:01 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Aug 19 15:45:01 2015 open_tun, tt->ipv6=0
Wed Aug 19 15:45:01 2015 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{D4A3949A-E471-4013-A280-51511BA027D7}.tap
Wed Aug 19 15:45:01 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.8.6/255.255.255.252 on interface {D4A3949A-E471-4013-A280-51511BA027D7} [DHCP-serv: 10.0.8.5, lease-time: 31536000]
Wed Aug 19 15:45:01 2015 Successful ARP Flush on interface [36] {D4A3949A-E471-4013-A280-51511BA027D7}
Wed Aug 19 15:45:07 2015 Initialization Sequence Completed

johnpoz LAYER 8 Global Moderator
last edited by Aug 19, 2015, 7:00 PM

And where are your routes on your client to this 192.168.90 network?

So for example, when I connect in, I get the routes added to my networks behind pfSense:

Wed Aug 19 13:57:53 2015 C:\Windows\system32\route.exe ADD 192.168.9.0 MASK 255.255.255.0 10.0.8.5
Wed Aug 19 13:57:53 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Wed Aug 19 13:57:53 2015 Route addition via IPAPI succeeded [adaptive]
Wed Aug 19 13:57:53 2015 C:\Windows\system32\route.exe ADD 192.168.2.0 MASK 255.255.255.0 10.0.8.5
Wed Aug 19 13:57:53 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Wed Aug 19 13:57:53 2015 Route addition via IPAPI succeeded [adaptive]
Wed Aug 19 13:57:53 2015 C:\Windows\system32\route.exe ADD 192.168.3.0 MASK 255.255.255.0 10.0.8.5
Wed Aug 19 13:57:53 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Wed Aug 19 13:57:53 2015 Route addition via IPAPI succeeded [adaptive]

You should be seeing your route added to your machine. Look in your route print on your machine:

192.168.2.0    255.255.255.0        10.0.8.5        10.0.8.6    20
192.168.3.0    255.255.255.0        10.0.8.5        10.0.8.6    20
192.168.9.0    255.255.255.0        10.0.8.5        10.0.8.6    20

Why would you need a guide? This really is clickity clickity using the wizard!!

But you're going to have to worry about any software firewalls on the box you're trying to connect to, for sure.


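The check johnpoz asks for above, done in code: does the client log (or the `route print` table) actually contain an installed route that covers the LAN host, pointing at the tunnel gateway? This is an added example, not code from pfSense, OpenVPN or anyone in the thread. The parsing targets the Windows OpenVPN client's `route.exe ADD <net> MASK <mask> <gw>` lines and the success/"Access is denied" lines quoted in this thread; `SAMPLE_LOG` is constructed from johnpoz's three successful routes plus a made-up failed entry for 192.168.90.0/24 so the failure branch is exercised, and the function names are mine.

```python
"""Did the OpenVPN client get a usable route to the LAN host it wants to reach?"""
import ipaddress
import re

# "C:\Windows\system32\route.exe ADD 192.168.9.0 MASK 255.255.255.0 10.0.8.5"
ROUTE_ADD = re.compile(
    r"route\.exe ADD (\d+\.\d+\.\d+\.\d+) MASK (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)"
)
ROUTE_OK = re.compile(r"Route addition via IPAPI succeeded")
ROUTE_FAILED = re.compile(r"route addition failed|route add command failed")

# Constructed sample: johnpoz's two working routes plus a made-up failed one for the
# OP's 192.168.90.0/24 network (the "Access is denied" shape from the earlier post).
SAMPLE_LOG = r"""
Wed Aug 19 13:57:53 2015 C:\Windows\system32\route.exe ADD 192.168.9.0 MASK 255.255.255.0 10.0.8.5
Wed Aug 19 13:57:53 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Wed Aug 19 13:57:53 2015 Route addition via IPAPI succeeded [adaptive]
Wed Aug 19 13:57:53 2015 C:\Windows\system32\route.exe ADD 192.168.2.0 MASK 255.255.255.0 10.0.8.5
Wed Aug 19 13:57:53 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Wed Aug 19 13:57:53 2015 Route addition via IPAPI succeeded [adaptive]
Wed Aug 19 13:57:53 2015 C:\Windows\system32\route.exe ADD 192.168.90.0 MASK 255.255.255.0 10.0.8.5
Wed Aug 19 13:57:53 2015 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.  [status=5 if_index=36]
Wed Aug 19 13:57:53 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1
Wed Aug 19 13:57:53 2015 Initialization Sequence Completed
"""

# Rows as `route print` shows them: destination, netmask, gateway, interface, metric.
SAMPLE_ROUTE_PRINT = """
192.168.2.0    255.255.255.0        10.0.8.5        10.0.8.6    20
192.168.9.0    255.255.255.0        10.0.8.5        10.0.8.6    20
"""


def parse_client_log(log_text):
    """Return [(network, gateway, installed)] from an OpenVPN client log.

    A route counts as installed only when its ADD line is followed by the IPAPI
    success line; a failure line (the "Access is denied" case when the GUI is
    not running elevated) marks it as not installed.
    """
    routes, pending = [], None
    for line in log_text.splitlines():
        m = ROUTE_ADD.search(line)
        if m:
            if pending is not None:  # an ADD whose outcome never got logged
                routes.append((*pending, False))
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            pending = (net, ipaddress.ip_address(m.group(3)))
        elif pending is not None and ROUTE_OK.search(line):
            routes.append((*pending, True))
            pending = None
        elif pending is not None and ROUTE_FAILED.search(line):
            routes.append((*pending, False))
            pending = None
    if pending is not None:
        routes.append((*pending, False))
    return routes


def parse_route_print(table_text):
    """Return [(network, gateway, True)] from `route print` rows; a row present means installed."""
    routes = []
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[-1].isdigit():
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}", strict=False)
            routes.append((net, ipaddress.ip_address(fields[2]), True))
    return routes


def route_via_tunnel(target, routes, tunnel_gw):
    """Most specific installed route covering target via the tunnel gateway ('a.b.c.d/n'), or None."""
    target, gw = ipaddress.ip_address(target), ipaddress.ip_address(tunnel_gw)
    hits = [net for net, route_gw, ok in routes if ok and route_gw == gw and target in net]
    return str(max(hits, key=lambda n: n.prefixlen)) if hits else None


def diagnose(target, log_text, tunnel_gw):
    """One-line verdict: is the problem routing (no route) or something past it (rules, host firewall)?"""
    route = route_via_tunnel(target, parse_client_log(log_text), tunnel_gw)
    if route:
        return f"{target}: routed via {tunnel_gw} ({route}); check OpenVPN tab rules and the host firewall next"
    return f"{target}: no installed route via {tunnel_gw}; check the server's Local Network(s) and the client log"


if __name__ == "__main__":
    print(diagnose("192.168.9.5", SAMPLE_LOG, "10.0.8.5"))
    print(diagnose("192.168.90.67", SAMPLE_LOG, "10.0.8.5"))
```

Run it against your own client log (the OpenVPN GUI log window or the `.log` file) and the `route print` output; if the LAN host comes back with "no installed route", the fix is on the server side (Local Network(s) not pushed, or the client not elevated so the push could not be applied), and no firewall rule will help until that is corrected.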
Zyklon
last edited by Aug 20, 2015, 2:23 PM

Alright, I got the VPN working now.

I can access the servers on the VPN network )))

But now I'm back to the original problem: once I connect to the OpenVPN I lose connection to the internet.

Do I need to create a forward rule in the pfSense firewall from the 10.0.6.0 network to LAN or WAN??

johnpoz LAYER 8 Global Moderator
last edited by Aug 20, 2015, 2:46 PM

You do not need a forward. When you run through the wizard it will create NATs for your VPN networks. For VPN clients to go out your public internet connection on your pfSense, that network has to be NATed to your public IP. You should see these on your outbound NATs; see attached.

And let's be clear: you want your remote client to access the internet through your VPN connection, not a split tunnel where you use the VPN for access to your networks behind pfSense but reach the internet using the client's current internet connection?

[attachment: outboundnatvpn.png]


Zyklon
last edited by Aug 20, 2015, 2:59 PM

Maybe it's a DNS configuration; I can ping Google's IP address but can't resolve anything.

On the OpenVPN server I added the server LAN IP to the DNS list. Anything else I'm missing?

Zyklon
last edited by Aug 20, 2015, 3:14 PM

Here is another test I did.

If I change the OpenVPN DNS to 8.8.8.8 (Google public DNS) I can access the internet, but it won't resolve my internal hostnames.

So how can I fix the resolving so that it goes through the local firewall DNS IP and I can access both?

The local IP won't resolve anything from the OpenVPN, but works if I'm inside its network.

Zyklon
last edited by Aug 20, 2015, 3:21 PM

Well, I think I resolved the problem 8)

I turned on "DNS Query Forwarding: Enable Forwarding Mode" under the DNS Resolver tab.

Now I can use the local IP to resolve both the internet and the local servers.

Will do more tests now to see if it all works.

Thank you all for the support and helping me out :)

johnpoz LAYER 8 Global Moderator
last edited by Aug 20, 2015, 5:53 PM

Well, if you cannot resolve something using the resolver then you have other issues. Nobody would work using your resolver on your network, not just VPN users.

I take it you really don't understand the difference between forwarding and resolving?

If you want clients to resolve local stuff then they should have one DNS: the DNS that has your local stuff in it. This DNS should then either resolve or forward. When you place multiple DNS servers in a client where some are public and some are local, you have no real idea when the client would use one vs the other, and depending on what is returned (refused, SERVFAIL or NX) can determine whether the client asks the other DNS in its list, or whether it just times out talking to one of them.

This is not a good strategy: counting on the client asking the correct DNS for what it's looking for by switching back and forth between them. For one, in this scenario you end up asking, say, Google for your local stuff, which is just a waste of time and could be seen as an information leak.


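To make the leak johnpoz describes concrete, here is a small model of a stub resolver walking a mixed server list. It is an added example, not code from the forum, pfSense or any operating system. The fallback rules (move to the next server on a timeout, REFUSED or SERVFAIL; stop on NXDOMAIN or a real answer), the two servers, the hostnames and the addresses are all constructed for the example; real stub resolvers differ in detail (Windows, for instance, re-tries servers in parallel after a timeout), so take it as the reasoning, not as a specification.

```python
"""Where does a lookup for an internal hostname end up when the client has two DNS servers?"""
from dataclasses import dataclass, field

TIMEOUT, REFUSED, SERVFAIL, NXDOMAIN = "TIMEOUT", "REFUSED", "SERVFAIL", "NXDOMAIN"
# Assumption for this model: these outcomes make the stub try the next server in its list.
RETRY_NEXT = {TIMEOUT, REFUSED, SERVFAIL}


@dataclass
class DnsServer:
    address: str
    public: bool                                # True if it is outside your network (e.g. 8.8.8.8)
    zones: dict = field(default_factory=dict)   # qname -> answer this server knows
    default: str = NXDOMAIN                     # what it returns for anything else
    reachable: bool = True                      # False models port 53 blocked or not routed

    def query(self, qname):
        if not self.reachable:
            return TIMEOUT
        return self.zones.get(qname, self.default)


def resolve(qname, servers):
    """Walk the server list for one lookup; return (result, addresses that saw the query)."""
    asked, result = [], TIMEOUT
    for srv in servers:
        asked.append(srv.address)
        result = srv.query(qname)
        if result not in RETRY_NEXT:
            break
    return result, asked


def leaked_internal_names(qnames, servers, internal_suffix):
    """Internal names whose lookup reached a public server: the information leak johnpoz warns about."""
    public = {s.address for s in servers if s.public}
    return [q for q in qnames
            if q.endswith(internal_suffix) and public.intersection(resolve(q, servers)[1])]


# Constructed scenario: pfSense (192.168.90.82) knows the LAN names and, in the OP's
# broken state, fails internet lookups with SERVFAIL; 8.8.8.8 knows internet names
# and answers NXDOMAIN for anything under .lan.  The internet address is from a
# documentation range.
LAN_DNS, PUBLIC_DNS = "192.168.90.82", "8.8.8.8"
NAMES = ["fileserver.lan", "www.example.com"]


def scenario(lan_default=SERVFAIL, lan_reachable=True, public_first=False):
    """Return ({qname: result}, [leaked internal names]) for one client server-list configuration."""
    lan = DnsServer(LAN_DNS, public=False, zones={"fileserver.lan": "192.168.90.67"},
                    default=lan_default, reachable=lan_reachable)
    pub = DnsServer(PUBLIC_DNS, public=True, zones={"www.example.com": "203.0.113.10"})
    servers = [pub, lan] if public_first else [lan, pub]
    answers = {q: resolve(q, servers)[0] for q in NAMES}
    return answers, leaked_internal_names(NAMES, servers, ".lan")


if __name__ == "__main__":
    print("pfSense first, internet broken on pfSense:", scenario())
    print("pfSense unreachable over the tunnel:      ", scenario(lan_reachable=False))
    print("8.8.8.8 listed first:                     ", scenario(public_first=True))
```

The three runs show the three outcomes from the thread: with pfSense listed first everything "works" only because the stub falls through to 8.8.8.8 on SERVFAIL; when pfSense cannot be reached over the tunnel the internal name goes to Google and comes back NXDOMAIN; and with 8.8.8.8 listed first, Google's NXDOMAIN ends the lookup before pfSense is ever asked. A single DNS server that both knows the local zone and forwards or resolves for everything else avoids all three cases, which is what the OP arrived at by enabling forwarding mode.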
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.