Author Topic: pfSense and OpenVPN  (Read 3015 times)

Ronski
pfSense and OpenVPN
« on: March 25, 2021, 11:00:55 AM »

So I've been banging my head against the pfSense wall again  :wall:

I've updated my server recently. On the old server I had a VPN running so I could access the network, and so could my brother. My need was simply to know I had a secure connection when away on my phone or Android tablet, and I've been using OpenVPN for that on my pfSense box. My brother's was that he would use my server as an off-site backup - I have a NAS at his house for the same reason.

So as I have pfSense and OpenVPN I thought I'd just add him to that and he could then VPN in and access the server, but I'd forgotten that OpenVPN dumps you on a different network range - really, what is the point of that?? Surely the main reasons for connecting back to a home network via VPN are A) you can use a connection you trust, and B) to access items on the network. A works fine, B is an epic fail.

So after much Googling I discover that OpenVPN is set up to use TUN, and I need to set it up to use TAP. After following this guide here and the one linked to in that guide I get precisely nowhere, well over two hours wasted.

I also discover that the rather smart-looking and easy-to-use OpenVPN Connect Windows app doesn't support TAP (neither does the Android app). You have to use some horrible piece of software that is truly awful on Windows, the community edition, which seems to randomly close the window when you're trying to read the countless error messages highlighted in red. It would also automatically load the config stored in the user directory and crash every time I opened it until I deleted that config. Eventually it seemed to connect, but never got an IP address. A truly awful experience.

Rant over  :(

So is it possible to use OpenVPN in TUN mode, but bridge my LAN 192.168.0.x to OpenVPN's range, which is 10.0.1.x? That way I can still use the official OpenVPN Android app, and we could use the OpenVPN Connect app on Windows?

My server has two network sockets, I connected the second and gave it an IP of 10.0.1.254, wasn't sure what to set the gateway to and I got warnings, so left it blank, but it wasn't accessible from the laptop connected via the VPN.

Could I set up two OpenVPN servers on pfSense, one for Android access via TUN, and another using TAP, presuming I can get it working?

Alternatively I could just buy a Draytek router and get rid of pfSense. It really is too complicated for me, guides get outdated quickly, and there's just too much information out there, much of it outdated, so it's difficult to find what I need.
« Last Edit: March 25, 2021, 11:03:54 AM by Ronski »
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

kitzuser87430
Re: pfSense and OpenVPN
« Reply #1 on: March 25, 2021, 10:12:04 PM »

I think you can use the "Alternate Configuration" on the network properties, I seem to remember doing it that way with VPNing into my server.

Ian

Ronski
Re: pfSense and OpenVPN
« Reply #2 on: March 25, 2021, 10:27:42 PM »

Hi Ian, thanks for the reply, but Googling suggests that's just if DHCP fails, then Windows will use the alternate IP address.

kitzuser87430
Re: pfSense and OpenVPN
« Reply #3 on: March 25, 2021, 10:38:44 PM »

What does it say on that window, something about more than one network?

Run ipconfig before and after entering details on the alternate config window.

Ian

Ronski
Re: pfSense and OpenVPN
« Reply #4 on: March 25, 2021, 10:48:00 PM »

There's no mention of the IP address I set up in the alternate settings when I run ipconfig. Where it mentions more than one network, I think that relates to two physically different networks, like one at work and one at home, not two concurrent networks.

Alex Atkin UK
Re: pfSense and OpenVPN
« Reply #5 on: March 26, 2021, 09:42:54 AM »

If I'm recalling correctly, you just need to configure the firewall rules so that the router will NAT between the networks.

For example my VPN Server on my Zen WAN interface is configured as so:


The only catch being your LAN and the other person's LAN need to be a different subnet or the traffic won't go over the VPN to begin with, but as you have a second network socket you could easily just set up a second LAN on pfSense to deal with that.

If you can't do that, you should be able to port forward from the VPN IP to the server in question, so that the remote LAN is invisible entirely to the client.
« Last Edit: March 26, 2021, 09:51:24 AM by Alex Atkin UK »
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

Ronski
Re: pfSense and OpenVPN
« Reply #6 on: March 26, 2021, 04:22:59 PM »

Thanks Alex, can you elaborate a bit more please? I'd like the simplest method, as not being quite sure what I'm doing I risk breaking something, or inadvertently leaving my network insecure.

The OpenVPN server mode is: Remote Access (SSL/TLS + User Auth)

OpenVPN gives connected clients an address in the range 192.168.4.x

My network is on 192.168.0.x

My brother's network is on 192.168.1.x

Alex Atkin UK
Re: pfSense and OpenVPN
« Reply #7 on: March 26, 2021, 06:19:18 PM »

Have you gotten to the point where you can at least connect to the OpenVPN server on pfSense?

Some key points just in case you missed something:

Once the server is configured (I can't remember how to do that off the top of my head but the guides cover that) you need to add a rule on the Firewall WAN tab to allow traffic in. Action Pass, IPv4 UDP (I assume you configured OpenVPN as UDP as it's recommended), Source Any, Destination WAN address, port range OpenVPN for both from and to.

After configuring OpenVPN you need to add an interface for ovpns0 (or whatever its number is) in Interfaces -> Assignments, before you can actually add firewall rules to allow traffic to pass.  You only need to tick Enable Interface and give it a name you will recognise in description, as this is how it shows up on the Firewall page for the next step.  Then Save followed by Apply Changes.

You're not going to leave it insecure as only a client with the right key can connect. The rest of the configuration is done on the VPN server's firewall tab; nothing you do there should hurt security as it only applies to a client that has already successfully connected to the VPN.

On the firewall tab for the interface you created for the server you add a Pass rule for Interface (already set to the VPN as we're on that tab), address family IPv4, Protocol Any, Source Any, Destination LAN. Save and Apply Changes.
« Last Edit: March 26, 2021, 06:22:45 PM by Alex Atkin UK »

Ronski
Re: pfSense and OpenVPN
« Reply #8 on: March 27, 2021, 09:01:30 AM »

Thank you Alex, yes I have the OpenVPN server up and running. I've had it set up for a long time now, and just used it on my phone or tablet when we were away from home and wanted a secure trusted connection.

I've added my brother as a user, and using a Windows laptop tethered to my mobile with OpenVPN Connect on the laptop I can get a connection, so the laptop's public IP is my home's IP and of course OpenVPN shows it's connected.

The only thing I need to do now is enable access to my server, which is the bit causing the issue.

What you've said makes sense, so I'll give it a try over the weekend.

One thing I've noticed is the users I've set up for OpenVPN can log in to the pfSense interface, but nothing is actually displayed. In the user settings, there is a vague check box setting that just says User cannot log in. One guide I read suggests this setting should stop the user from logging into the pfSense user interface, but when checked that user can't connect on OpenVPN. Not sure if this is a bug, or it applies to everything.


Chrysalis
Re: pfSense and OpenVPN
« Reply #9 on: March 27, 2021, 02:27:18 PM »

I am confused, but if I understand right your issue is you don't like that OpenVPN is using a 2nd subnet? That isn't compulsory but I think it's a good idea. It shouldn't break things being connected to two different LAN subnets at once, but you might need to tinker with firewall rules and gateway policies.

Ronski
Re: pfSense and OpenVPN
« Reply #10 on: March 27, 2021, 04:40:23 PM »

Hi Chrysalis, yes that is correct, I don't like OpenVPN being on its own subnet; part of the reason I use a VPN to my home network is so that I can access stuff on it.

Ronski
Re: pfSense and OpenVPN
« Reply #11 on: March 27, 2021, 05:50:22 PM »

So, it's sort of working.

I've created the interface, and the only option that is filled in is the enable interface and the description.

I've created a firewall rule as per below, surely under states shouldn't be 0/0B if it's been passing traffic??



Now from the laptop which is tethered to my phone on 4G I can connect with OpenVPN.
I can ping pfSense
I can use Remote Desktop to connect to the server
I can't ping the server
I can't see the server in the network in File Explorer
I can't access the server by entering its name either, such as \\Server\ in File Explorer

OpenVPN reports its IP address as 192.168.4.3
Windows reports its IP as 192.168.43.94 with a DNS server of 192.168.43.1; ipconfig matches this, which is weird.

In OpenVPN I specified pfSense as the DNS server - I couldn't access the internet on the laptop until I did this

Alex Atkin UK
Re: pfSense and OpenVPN
« Reply #12 on: March 27, 2021, 06:39:21 PM »

That is weird.  Did you generate your Windows config using the pfSense OpenVPN Client Export package?

In my OpenVPN Server configuration I have:

IPv4 Tunnel Network: 10.10.0.0/24

In Windows for ipconfig I get:

Code:
Unknown adapter OpenVPN TAP-Windows6:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::656d:c52b:6c8c:f551%22
   IPv4 Address. . . . . . . . . . . : 10.10.0.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Code:
tracert Server.lan

Tracing route to Server.lan [192.168.1.253]
over a maximum of 30 hops:

  1    69 ms    68 ms    68 ms  10.10.0.1
  2    66 ms    59 ms    59 ms  Server.lan [192.168.1.253]

Code:
ping 192.168.1.253

Pinging 192.168.1.253 with 32 bytes of data:
Reply from 192.168.1.253: bytes=32 time=74ms TTL=63
Reply from 192.168.1.253: bytes=32 time=70ms TTL=63
Reply from 192.168.1.253: bytes=32 time=77ms TTL=63
Reply from 192.168.1.253: bytes=32 time=60ms TTL=63

Ping statistics for 192.168.1.253:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 60ms, Maximum = 77ms, Average = 70ms

pfSense Diagnostics -> States:
Code:
VPNS_PLUSNET icmp 10.10.0.2:1 -> 192.168.1.253:1 0:0 2 / 2 120 B / 120 B
« Last Edit: March 27, 2021, 07:03:56 PM by Alex Atkin UK »

Ronski
Re: pfSense and OpenVPN
« Reply #13 on: March 28, 2021, 12:19:07 AM »

Quote
That is weird.  Did you generate your Windows config using the pfSense OpenVPN Client Export package?

Yes, I used client export - Most Clients

Quote
In my OpenVPN Server configuration I have:

IPv4 Tunnel Network: 10.10.0.0/24

Mine is set to IPv4 Tunnel Network: 192.168.4.0/24

Prior to adding the interface and network rule I'm sure the laptop was getting the correct IP address, and OpenVPN shows my private IP as 192.168.4.2, but ipconfig still reports 192.168.43.94 (see below - note 1).

It turns out the 192.168.43.x is the range used by the hotspot on the phone, so even after connecting the VPN the laptop is not getting its IP address from OpenVPN but retains the one issued by the phone's hotspot.

If I trace route to the pfSense IP of 192.168.0.1 it is one hop.

If I trace route to the server's IP I get one hop to 192.168.4.1, then after that it times out.

Code:
tracert Server.lan

Tracing route to Server.lan [192.168.1.253]
over a maximum of 30 hops:

  1    69 ms    68 ms    68 ms  10.10.0.1
  2    66 ms    59 ms    59 ms  Server.lan [192.168.1.253]

Note 1. Just noticed in IPconfig, it has Unknown local area connection, and that is set to the correct IP of 192.168.4.2, I've been looking at the wifi adapter  :-[

So it seems it is getting the correct IP, but we must still have some routing issues. Odd how I can RDP into the server, but can't ping or trace route to it (see below - note 2).

I've noticed the following in the OpenVPN logs, although that presumably won't affect routing.

Code:
Mar 27 23:10:39 openvpn 10215 92.40.175.118:51329 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Mar 27 23:10:39 openvpn 10215 92.40.175.118:51329 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'

Note 2. Just realised the firewall on the server will be blocking the different IP range! Turning off the firewall allows both ping and tracert to work. Can't quite figure out the rule I need to add for this - I'll work that out tomorrow.
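For the note 2 symptom, the defender-friendly fix is an inbound rule on the Windows server scoped to the VPN tunnel network rather than switching the firewall off. The script below is an added example, not something posted in this thread; it assumes the 192.168.4.0/24 tunnel network given earlier, the rule names are made up, and it must be run in an elevated PowerShell on the server.

```powershell
# Added example (not from the thread). Windows Defender Firewall's built-in
# File and Printer Sharing rules (ICMP echo, SMB) are scoped to the local
# subnet on the Private profile by default, which is why 192.168.4.x VPN
# clients are dropped while RDP (scoped to any address) still works.
# Assumption: OpenVPN IPv4 Tunnel Network is 192.168.4.0/24.
$VpnNet = '192.168.4.0/24'

# Allow ICMPv4 echo requests (ping / tracert replies) from VPN clients only.
New-NetFirewallRule -DisplayName 'OpenVPN clients - ICMPv4 echo' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $VpnNet -Action Allow -Profile Any

# Allow SMB (\\Server\ in File Explorer) from VPN clients only.
# Network Discovery/browsing is a separate, broadcast-based feature and will
# not cross the routed tunnel; use the UNC path or IP instead.
New-NetFirewallRule -DisplayName 'OpenVPN clients - SMB' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $VpnNet -Action Allow -Profile Any

# Check that the remote-address scope really applied: both rules should
# list 192.168.4.0/24, not Any or LocalSubnet.
Get-NetFirewallRule -DisplayName 'OpenVPN clients - *' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Remove the rules later with `Remove-NetFirewallRule -DisplayName 'OpenVPN clients - *'` if the VPN range changes.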

Alex Atkin UK
Re: pfSense and OpenVPN
« Reply #14 on: March 28, 2021, 11:43:27 AM »

Quote
Note 2. Just realised the firewall on the server will be blocking the different IP range! Turning off the firewall allows both ping, and trace cert to work. Can't quite figure out the rule I need to add for this - I'll work that out tomorrow.

I don't think it should be; that's what the rule we added was for, to allow incoming NAT from any IP and protocol on the VPN to the LAN.

Do you have Redirect IPv4 Gateway set on the OpenVPN server?
« Last Edit: March 28, 2021, 11:46:54 AM by Alex Atkin UK »