[Solved] Simple OpenVPN Client
I used pfSense for a long time under virtualization for various tasks and my home lab. Recently my home connection got upgraded to 300/100 and my old Tomato-based Cisco couldn't keep up, so I upgraded to a PC Engines APU board to get better performance.
One important task for my router/firewall is to connect as a client to my work openvpn server. The server is not for all the traffic, it only pushes a multitude of subnets. Say 10.0.0.0/24 is one of them.
I got the client configured and connected but I can't access any remote resource. The routes are added (Diagnostics->Routes) and I enabled the openvpn interface as type "none" as I read somewhere on this forum. But I still can't ping any remote host even from the pfsense box itself.
Any suggestions? I'm running the latest version, 2.2.4. Thanks!
Did you check:
- whether the remote resources' firewalls accept traffic from the OVPN network and also from the clients? By default, firewalls accept traffic only from the local net.
- rules on both pfSense boxes to accept traffic from OVPN to the required LANs.
yes to the first one, other clients (linux, the old tomato router) worked fine.
I don't really understand the second question, sorry. Do I need to add rules for the OpenVPN connection? Aren't those added together with the routes?
No idea about your set-up, but this is what I've done on my set-up (I have site-to-site VPN and mobile VPN on each pfSense) and I have no problems accessing shares (only from/to private LANs).
I added the one you have last before the block, as I don't think I need the rest; still no go.
My setup is really simple. I have a few subnets at work served by an OpenVPN server pushing routes for those LAN(s). When a client connects, only those LAN(s) are redirected via VPN. I want the client running on my pfSense box so I can access my work network from multiple machines.
Rules on your OpenVPN tab or your assigned interface tab govern what local assets the remote OpenVPN clients can establish connections to. If you are just connecting to things at work, you need no rules. THEY need the rules for whatever system they're using.
But pfSense should not be much different from Tomato as a client, I figure.
Did you bounce the OpenVPN client instance after assigning the interface?
Clients do not need any firewall rules on WAN. Only servers. If the connection is coming up all that is fine.
Are you doing any policy routing (rules with gateways set) on LAN? If so you probably need to bypass policy routing for the work subnets.
Thanks Derelict, this is a step forward. So those rules are only incoming. I was under the impression after browsing the few tutorials here that also outgoing connections were blocked without any rules.
Ok so my situation remains:
- openvpn client connects
- routes are added on the pfsense box (I can see them under Diagnostics->Routes)
- no access even from the pfsense box itself to remote resources (tried ping, ssh)
I'm not doing anything exotic, it's a standard 1 wan (pppoe), 1 lan setup I'm just starting to configure. The openvpn client was the next step.
Are you using the same subnet on your LAN as before?
Yes, I didn't want to change IPs for my few fixed ips devices. There is no subnet collision between home and work if that's what you are worrying. My home is 192.168.xx.0/24 and my work are 10…. and 172...
Ok, a breakthrough :)
I was comparing my old client .ovpn configuration and noticed that my Linux client uses a different cipher.
I changed the client cipher and now I can ping and ssh to remote networks from the pfsense box, it still doesn't work from my LAN.
It was my assumptions, coming from Linux routers, that tricked me; I never realized what was (IMHO) happening. Without explicit rules for outbound NAT, pfSense was forwarding traffic as my home subnet, which my work servers promptly dropped.
I had to set-up Outbound NAT so that my traffic is NATed to the subnet assigned by us for openvpn clients.
Thanks all for the suggestions it really helped me move along, and just a quick note (I'm new here, I don't want to complain :) ) but the openvpn documentation could really help being a bit more thorough.
In case somebody else is hitting this I had to go to Firewall: NAT: Outbound, switch to Hybrid Outbound NAT rule generation and add one rule:
For a moment I was afraid I'd have to add one rule for each of our destinations (we have many and they sometimes change), but this one rule (where OPENVPN_CL is the OpenVPN client interface set up as "none" per the tutorials I saw).
Is this the pfSense equivalent of -j MASQUERADE from Linux?
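Added example, not code from the thread: the outbound NAT rule that the Hybrid Outbound NAT fix described above amounts to, written in pf.conf syntax, with the automatic WAN rule beside it for contrast. The names are assumptions: the LAN is 192.168.1.0/24 standing in for the redacted 192.168.xx.0/24, the PPPoE WAN is pppoe0, and the assigned OpenVPN client interface (OPENVPN_CL in the post) is ovpnc1.

```pf
# Assumed names for this example: LAN 192.168.1.0/24, WAN pppoe0, OpenVPN client ovpnc1.

# Automatic outbound NAT generates a rule only for the WAN interface, so packets
# that leave through the tunnel keep their LAN source address. The work side has
# no route back to 192.168.1.0/24 and drops them, which matches the symptom in
# the thread: reachable from the firewall itself, unreachable from LAN hosts.
nat on pppoe0 inet from 192.168.1.0/24 to any -> (pppoe0)

# Hybrid mode keeps the automatic rule above and adds this one: LAN sources going
# out the tunnel are translated to the tunnel interface's own address, which the
# server already knows how to route back. One rule covers every pushed subnet,
# because the match is on the outgoing interface, not on the destination.
nat on ovpnc1 inet from 192.168.1.0/24 to any -> (ovpnc1)
```

The parentheses around (ovpnc1) tell pf to use whatever address the interface currently holds, so the rule survives the server handing out a different tunnel IP on reconnect. That makes it the direct counterpart of `iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun0 -j MASQUERADE` on a Linux router. To check it on the pfSense box, `pfctl -sn` lists the NAT rules actually loaded, and `tcpdump -ni ovpnc1 icmp` while a LAN host pings a work address shows whether the packets leave with the LAN source (rule not applied) or the tunnel source (rule applied). The trade-off is that the work side now sees every home host as the single tunnel address; the alternative that preserves per-host visibility is a server-side `route` for the home LAN plus a matching `iroute` in that client's client-config-dir file, which needs cooperation from whoever runs the server.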
OP, first, you don't need to black out reserved addresses, they're not routed anyway.
I'm glad you got it working, but if you have access to the server end, adding a route for your LAN subnet would've solved your issue also.
With your current setup, while it works, the server end loses the ability to isolate connections coming from your network. If that's not a concern from either side, then I guess you're good.