Something easier than openvpn?

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
I'm tired of dicking around trying to get openvpn to work whenever I want remote access to my network. Is there something easier, that will allow me to map NFS/SMB shares as well as access web based stuff on a remote network? Something I can setup in a pinch on any computer on any platform.

SSH tunnels are easy to setup, perhaps something that runs through one? One thing I have done for web based stuff use a SSH tunnel to a proxy server then do everything through the proxy, but sometimes I want to map folders too or access other stuff on the network. Is there an easy way of doing this?

I spent over 8 hours trying to get my old VPN server to work (randomly broke) and also a new VPN server in pfsense. I give up, there's got to be something easier. Part of the issue with open VPN is that everything is very poorly documented, and any steps it tells me to do arn't really explained. All these cert files and all this stuff is just overly complicated for nothing. Even the package creator, I thought would have done everything for me, but nope, the default file it creates does not work. The windows client is also very annoying to use because when I right click on it, for some reason it also initiates the default windows right click menu if I was to right click on the task bar, this then masks the actual open vpn menu so I have to fight with that each time.
 

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
Huh? OpenVPN is very easy, at least using the CLI and it sure isn't poorly documented unless you can't use a search engine...

Here's a sample using main network at 192.168.1.0/24 and external at 192.168.2.0/24.

server.conf
Code:
####################################
#### OpenVPN server.conf v0.02 #####
####################################

# Listen on port 8547
port 8547

# Prefer UDP over TCP due to performance issues
proto udp

# Use tunneling (routed VPN) and specify interface
dev tun0

# Provide path to SSL/TLS root certificate (ca), certificate (crt)
# and private key (key).
ca /usr/local/etc/openvpn/hostname-goes-here/keys/ca.crt
cert /usr/local/etc/openvpn/hostname-goes-here/keys/server.crt
key /usr/local/etc/openvpn/hostname-goes-here/keys/server.key

# Diffie-Hellman parameters (configuration file)
dh /usr/local/etc/openvpn/hostname-goes-here/keys/dh1024.pem

# Set IP pool (server gets .1)
server 10.0.10.0 255.255.255.0

# Leases file
ifconfig-pool-persist /var/run/openvpn.leases

# Push following routes to clients
# Main network
push "route 192.168.1.0 255.255.255.0"

# Add routes to VPN endpoints
# Main network <--> Remote network
route 192.168.2.0 255.255.255.0 10.0.10.2

# Use a plain /24, no /30
topology subnet

# Tell clients where they can find client specific configuration files
client-config-dir /usr/local/etc/openvpn/hostname-goes-here/client-configs

# Use keep-alive polling (polling interval, timeout)
keepalive 10 120

# Define hardware crypto
#engine cryptodev

# Set a decent chiper that may allow hardware acceleration
cipher AES-192-CBC

# Try to squeeze out any amount of bandwidth available
comp-lzo

# Always compress data
comp-noadapt

# Drop privileges
user nobody
group nobody

# Try to reconnect nicely
persist-key
persist-tun

# Enable TLS-Auth
tls-auth /usr/local/etc/openvpn/hostname-goes-here/keys/ta.key 0

# Enable logging
status /var/log/openvpn/hostname-goes-here/status.log

# Enable permanent logging
log-append  /var/log/openvpn/hostname-goes-here/openvpn.log

# Verbose level
verb 3

# Try to minimize log flooding, 10 or more similar messages are dropped
mute 10

# Ensure that MTU is 1500
tun-mtu 1500

./client-configs/node-extnet01
Code:
# Push/Set a specific IP to Node
ifconfig-push 10.0.10.2 255.255.255.0

# Tell OpenVPN that we want to access network bothways
iroute 192.168.2.0 255.255.255.0

# Push route to other connected networks
#push "route 192.168.3.0 255.255.255.0 10.0.10.1"

Certificate related files you need on your server....
ca.crt, ca.key, dh1024.pem, server.crt, server.key, ta.key

..and on the client (OpenWRT in this case)

node-extnet01.ovpn
Code:
####################################
#### OpenVPN client.ovpn v0.01 #####
####################################

# Tell OpenVPN that this is a client configuration file
client

# Specify hostname and port to server
remote your-hostname-here 8547

# Keep on resolving if it fails for some reason
resolv-retry infinite

# No need to bind ports on clients
nobind

# Same protocol as server, UDP for performance
proto udp

# Same interface type as server
dev tun

# SSL/TLS client related files
ca /etc/openvpn/ca.crt
cert /etc/openvpn/node-extnet01.crt
key /etc/openvpn/node-extnet01.key

# Define cipher type (same as server)
cipher AES-192-CBC

# Enable compression
comp-lzo

# Always compress data
comp-noadapt

# Play nice if link dies
persist-key
persist-tun

# Enable server certificate check
ns-cert-type server

# TLS Auth
tls-auth /etc/openvpn/ta.key 1

# Set log file verbosity.
verb 3

# Silence repeating messages
mute 10

# Ensure that MTU is 1500
tun-mtu 1500

Certificate related files you need on your client....
ca.crt, node-extnet01.crt, node-extnet01.key, server.crt, ta.key

As FreeBSD default shell for root doesn't understand export you need to temporarily use sh to generate certificates. I assume you do know how to create appropriate firewall rules for both interfaces per client. Due to the design of OpenVPN hardware crypto rarely improves performances and if it does its only a very small amount, it does however create funny issues from time to time so use with care.

This works great on Windows clients too but they are a bit more unstable than Unix/Linux/*BSD ones in general.

You can also give QuickTun a spin but its only between two clients and there's no Windows client if you want something easier.
http://wiki.ucis.nl/QuickTun

//Danne
 
Last edited:

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
The issue is the documentation always assumes everything will work, of course it never works that way. Get all sorts of errors out the wazoo, cert errors, time out errors you name it. Now I'm stuck, it says "connecting" and just sits there forever.

I spent a good week trying to figure it out originally, and it worked since, but now it broke even though nothing changed and been pulling my hair out all night (almost 12 hours now) trying to get it to work properly. I can connect, I can ping hosts, but I can't pass any TCP traffic to those hosts. PFsense keeps blocking the reply packets for some reason.

So trying to just set it up in pfsense itself... not even getting close to getting it to work. Following all the tutorials I can find... and why is it every single one is different?


Quicktun looks interesting... if I want to make it work in Windows I can probably just setup a VM then set it as my default gateway. I'll have to experiment.
 

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
Read the openvpn log?
cert errors - Permission errors? Incorrectly generated? Mismatched between client/server?
timeout errors occurs when you have blocked traffic in on either side during connection init
They also occur when its lost after establishing one, hence the keep alive option.

First of all, open everything which these rules do in pf

pass in $int_if all
pass out $int_if all
pass in tun0 all
pass out tun0 all

Depending on your client you need to set appropriate rules on the other side allowing routing.
On OpenWRT:
iptables -I forward -i tun+ -o br-lan -j ACCEPT
iptables -I forward -o tun+ -i br-lan -j ACCEPT

Having no idea what your ruleset looks like I guess it probably blocks packets going to non routable IPs outside the internal network (interface).

//Danne
 

/usr/home

Supreme [H]ardness
Joined
Mar 18, 2008
Messages
6,161
OoenVPN access server. Easy as pie with a web GUI and it's free for two clients.
 

mwarps

Supreme [H]ardness
Joined
Oct 6, 2002
Messages
7,016
OpenVPN is ridiculously simple and reliable for what it provides....
pfSense may be your problem, as I'd consider ovpn to be much easier as a new user..
 

dave99

2[H]4U
Joined
Jan 20, 2011
Messages
2,129
I use openvpn on pfsense all the time, it's easier than ipsec. One thing I've noticed before though, when first setting it up, is sometimes it needs a reboot to let it all work. (the pfsense box).
 

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
@ mwarps
I tried to explain a few times that barebone might be easier in the end without success, I hope you the best of luck.

//Danne
 

/usr/home

Supreme [H]ardness
Joined
Mar 18, 2008
Messages
6,161
I run OpenVPN Access Server on a VM on my esxi box and NAT 443 to it and get in that way. Took all of 10 mins to setup with a signed SSL cert and everything, plus you don't need to dick around with certs on the clients, they will auto download what they need from the server when you use the website.
 

TCM

Gawd
Joined
Nov 10, 2011
Messages
641
OpenVPN _is_ dead simple... _if_ you know networks, routing and a bit of certs.

The issue is the documentation always assumes everything will work, of course it never works that way. Get all sorts of errors out the wazoo, cert errors, time out errors you name it. Now I'm stuck, it says "connecting" and just sits there forever.
Don't take it personal, but whenever I read your threads I get the feeling you're into all this stuff way ahead of yourself. If it "just sits there", the first thing is to take out tcpdump and look at what packets are making it where. If PFsense is blocking any "reply packets" it must mean you're not even using stateful filtering or somesuch.

The OpenVPN examples, together with the man page, are more than enough to get going. The man page documents all options.
 

/usr/home

Supreme [H]ardness
Joined
Mar 18, 2008
Messages
6,161
OpenVPN _is_ dead simple... _if_ you know networks, routing and a bit of certs.

Don't take it personal, but whenever I read your threads I get the feeling you're into all this stuff way ahead of yourself. If it "just sits there", the first thing is to take out tcpdump and look at what packets are making it where. If PFsense is blocking any "reply packets" it must mean you're not even using stateful filtering or somesuch.

The OpenVPN examples, together with the man page, are more than enough to get going. The man page documents all options.

What about the woman page you sexist pig! :p
 

feffrey

Gawd
Joined
Oct 26, 2010
Messages
585
What version of pfsense are you running? I had a number of issues with open vpn on 2.0 I went with 2.1 and got it going pretty easy.
 

twistacatz

Limp Gawd
Joined
Jan 3, 2005
Messages
182
I had the same issue. I went with a Juniper SA, fairly inexpensive (used) and as versatile as they come. The issue for me was updated clients for anything. I also hated the two user limit with the free OpenVPN virtual appliance.
 

Database

Detroit Redbirds!!!
Joined
Jan 22, 2009
Messages
2,537
I just use the included SSL vpn included with my Sonicwall. Easy to setup and works great.
 

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
19,456
pfesnse i had vpn server up and running in about 5 mins using their wizard the first time..
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
Easy compared to what? I've setup a Cisco VPN with RSA token appliance in under a day, was my frist day on the job... Come to think of it, I do have two Cisco 1841's sitting doing nothing, will Anyconnect VPN work on those? I can always set one of those up inside my network to act as a server. I'm a little rusty with Cisco but it tends to be more straight forward and I don't recall having to mess with certs and all that stuff and their client is more solid.

I'll try to get OpenVPN working again tonight, another 12 hour shift. If I still can't get it then I'll definitely look at something else. The access server sounds interesting though, I might do that. Though now that I think of it I don't know if doing it outside of pfsense is going to work anymore. The new version of pfsense (2.0) is doing something funny with packets when they return. When I connect to my existing openVPN server I can ping other servers on the network but any TCP communication wont work because pfsense is blocking the reply tcp packets.

When I try OpenVPN within pfsense not mcuh happens. In fact my last try it would sit at "connecting" at the client, but in the pfsense logs it showed as if it worked. If I cancelled out of the "connecting" box on the client, and then went back to the client, it would say I'm connected. Of course, nothing actually worked. I then found something online that said I need to remove "client" in the config file and replace it with "float". That did not do much either.

I just don't get why they make it so complicated, I should be able to set a username/password on the server, then in the client I should be able to specify an IP address, click connect and enter that username/password, and boom, I'm connected. It should do everything else in the background.
 
Last edited:

/usr/home

Supreme [H]ardness
Joined
Mar 18, 2008
Messages
6,161
I had the same issue. I went with a Juniper SA, fairly inexpensive (used) and as versatile as they come. The issue for me was updated clients for anything. I also hated the two user limit with the free OpenVPN virtual appliance.

Coulda bought more licenses.

I went the ovpn appliance route because it replaced my ASA which was just sitting there doing VPN behind the router wasting power. My esxi box is already so there's no more power draw than before the VM was on there. I'm quite happy with it so far and made $400 on my ASA that I payed $150 for lol.

By default ASAs only come with 2 ssl licenses as well.
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
For what it's worth here's some logs, though my config has changed so many times now from messing around with it so don't know if any even applies.

Code:
Sep 13 06:04:37 	openvpn[50538]: Initialization Sequence Completed
Sep 13 06:04:37 	openvpn[50538]: UDPv4 link remote: [undef]
Sep 13 06:04:37 	openvpn[50538]: UDPv4 link local (bound): 192.168.2.100:1194
Sep 13 06:04:37 	openvpn[49268]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1590 10.1.0.1 255.255.255.0 init
Sep 13 06:04:37 	openvpn[49268]: /sbin/ifconfig ovpns1 10.1.0.1 netmask 255.255.255.0 mtu 1500 up
Sep 13 06:04:37 	openvpn[49268]: TUN/TAP device /dev/tap1 opened
Sep 13 06:04:37 	openvpn[49268]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Sep 13 06:04:37 	openvpn[49268]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 13 06:04:37 	openvpn[49268]: OpenVPN 2.2.2 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] built on Apr 2 2013
Sep 13 04:35:32 	openvpn[43987]: SIGTERM[hard,] received, process exiting
Sep 13 04:35:32 	openvpn[43987]: /usr/local/sbin/ovpn-linkdown ovpns2 1500 1558 10.2.2.1 10.2.2.2 init
Sep 13 04:35:32 	openvpn[43987]: event_wait : Interrupted system call (code=4)
Sep 13 03:25:08 	openvpn[43987]: Initialization Sequence Completed
Sep 13 03:25:08 	openvpn[43987]: UDPv4 link remote: [undef]
Sep 13 03:25:08 	openvpn[43987]: UDPv4 link local (bound): 192.168.2.100:20200
Sep 13 03:25:08 	openvpn[42540]: /usr/local/sbin/ovpn-linkup ovpns2 1500 1558 10.2.2.1 10.2.2.2 init
Sep 13 03:25:08 	openvpn[42540]: /sbin/ifconfig ovpns2 10.2.2.1 10.2.2.2 mtu 1500 netmask 255.255.255.255 up
Sep 13 03:25:08 	openvpn[42540]: TUN/TAP device /dev/tun2 opened
Sep 13 03:25:08 	openvpn[42540]: Control Channel Authentication: using '/var/etc/openvpn/server2.tls-auth' as a OpenVPN static key file
Sep 13 03:25:08 	openvpn[42540]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 13 03:25:08 	openvpn[42540]: OpenVPN 2.2.2 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] built on Apr 2 2013
Sep 13 03:25:07 	openvpn[28746]: SIGTERM[hard,] received, process exiting
Sep 13 03:25:07 	openvpn[28746]: /usr/local/sbin/ovpn-linkdown ovpns2 1500 1558 10.2.2.1 10.2.2.2 init
Sep 13 03:25:07 	openvpn[28746]: event_wait : Interrupted system call (code=4)
Sep 13 02:47:51 	openvpn[28746]: 47.55.16.60:1194 TLS Error: TLS handshake failed
Sep 13 02:47:51 	openvpn[28746]: 47.55.16.60:1194 TLS Error: TLS object -> incoming plaintext read error
Sep 13 02:47:51 	openvpn[28746]: 47.55.16.60:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sep 13 02:47:51 	openvpn[28746]: 47.55.16.60:1194 VERIFY ERROR: depth=0, error=certificate has expired: /C=CA/ST=Ontario/L=Timmins/O=Iceteks/emailAddress=*****@****.***/CN=vpnuser
Sep 13 02:47:51 	openvpn[28746]: 47.55.16.60:1194 LZO compression initialized
Sep 13 02:47:51 	openvpn[28746]: 47.55.16.60:1194 Re-using SSL/TLS context
Sep 13 02:36:35 	openvpn[28746]: 47.55.16.60:1194 TLS Error: TLS handshake failed
Sep 13 02:36:35 	openvpn[28746]: 47.55.16.60:1194 TLS Error: TLS object -> incoming plaintext read error
Sep 13 02:36:35 	openvpn[28746]: 47.55.16.60:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sep 13 02:36:35 	openvpn[28746]: 47.55.16.60:1194 VERIFY ERROR: depth=0, error=certificate has expired: /C=CA/ST=Ontario/L=Timmins/O=Iceteks/emailAddress=*****@****.***/CN=vpnuser
Sep 13 02:36:34 	openvpn[28746]: 47.55.16.60:1194 LZO compression initialized
Sep 13 02:36:34 	openvpn[28746]: 47.55.16.60:1194 Re-using SSL/TLS context
Sep 13 02:25:55 	openvpn[28746]: 47.55.16.60:1194 TLS Error: TLS handshake failed
Sep 13 02:25:55 	openvpn[28746]: 47.55.16.60:1194 TLS Error: TLS object -> incoming plaintext read error
Sep 13 02:25:55 	openvpn[28746]: 47.55.16.60:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sep 13 02:25:55 	openvpn[28746]: 47.55.16.60:1194 VERIFY ERROR: depth=0, error=certificate has expired: /C=CA/ST=Ontario/L=Timmins/O=Iceteks/emailAddress=*****@****.***/CN=vpnuser
Sep 13 02:25:54 	openvpn[28746]: 47.55.16.60:1194 LZO compression initialized
Sep 13 02:25:54 	openvpn[28746]: 47.55.16.60:1194 Re-using SSL/TLS context
Sep 13 02:24:53 	openvpn[28746]: 47.55.16.60:1194 TLS Error: TLS handshake failed
Sep 13 02:24:53 	openvpn[28746]: 47.55.16.60:1194 TLS Error: TLS object -> incoming plaintext read error
Sep 13 02:24:53 	openvpn[28746]: 47.55.16.60:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sep 13 02:24:53 	openvpn[28746]: 47.55.16.60:1194 VERIFY ERROR: depth=0, error=certificate has expired: /C=CA/ST=Ontario/L=Timmins/O=Iceteks/emailAddress=*****@****.***/CN=vpnuser
Sep 13 02:24:52 	openvpn[28746]: 47.55.16.60:1194 LZO compression initialized
Sep 13 02:24:52 	openvpn[28746]: 47.55.16.60:1194 Re-using SSL/TLS context
Sep 13 02:23:51 	openvpn[28746]: 47.55.16.60:1194 TLS Error: TLS handshake failed
Sep 13 02:23:51 	openvpn[28746]: 47.55.16.60:1194 TLS Error: TLS object -> incoming plaintext read error


Not sure why it's saying the cert expired, I set it to 9999 days when I made it in the wizard.

This is the tutorial I followed: (just found on google)

http://www.youtube.com/watch?v=VdAHVSTl1ys

I did everything word per word. I also updated the VPN client as the one I was using was very old.
 

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
19,456
with pfsense how are you setting it up, manually or with the wizard?

are you then exporting the config for the users?



Install this package for pfsense under System / Packages

OpenVPN Client Export Utility

makes life easier for getting the vpn config files.
 

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
Either you have incorrect time and date settings (at least when you created certs) or you have client versions mismatch.
//Danne
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
That's what I did, I installed that package like the tutorial says and exported the client files. But nothing worked. At first the server IP in the config was wrong so I changed it. Then I read up I have to replace the "client" line with "float" but from that point on nothing I did was working.

I have a ntp server setup so all times are within less than a second.
 

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
Redo your certs, you should also use OpenVPN 2.3-branch nowdays...
//Danne
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
I'm using whatever is built into pfsense 2.0 which I downloaded and installed about a week ago, is it already out of date? Also is there a way to completely wipe openvpn client from the system? Uninstalling is not enough. I have like 4 tap interfaces now, I just want to start from a fresh slate. Actually maybe that's part of my issue... I'm setting it up as tun, should I go tap instead?
 

Shockey

[H]ard|Gawd
Joined
Nov 24, 2008
Messages
2,046
I'm using whatever is built into pfsense 2.0 which I downloaded and installed about a week ago, is it already out of date? Also is there a way to completely wipe openvpn client from the system? Uninstalling is not enough. I have like 4 tap interfaces now, I just want to start from a fresh slate. Actually maybe that's part of my issue... I'm setting it up as tun, should I go tap instead?

Should be able to delete the tun/tap interfaces.

The difference between tun and tap is below. Also tun acts like a router between point A and point B while tap is a virtual switch. I've always used TAP when setting mine up on pfsense and windows on my laptop.

http://openvpn.net/index.php/open-s...ce-between-a-tun-device-and-a-tap-device.html

I also had success using this guide. Also a guide on the forum by someone that will allow you to set it up as a bridge. (Have to search for it)

http://blog.stefcho.eu/?p=492
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
Yeah knew the difference and I wanted tun, but starting to think maybe that's my issue, I choose the more complicated way. I'll try to do a tap. So with tap, it's basically as if I connected an ethernet cable to the switch, right? So my existing DHCP server will hand out an IP?

Also I saw some tutorials that talk about adding interfaces and doing bridging and all sorts of stuff like that - hate to play with my interfaces remotely in case I do something and lock myself out. Do I have to do all of that? Other tutorials don't mention anything about that but some do.
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
Pfsense is my main firewall... I can't just drop it. I will try to setup a new VPN server, but I still have an issue where the new version of pfsense seems to not like the openvpn traffic and blocks the packets that are coming back. I have a "working" old openvpn server right now but since I upgraded to pfsense 2.0 a few weeks ago it stopped working because it blocks tcp reply traffic. So I figured setting it up in pfsense would solve this, but it seems it's more complex than setting up a separate server.
 

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
It doesn't take much time to setup pf and NAT (if needed), if downtime is important just put a cheap router there instead for a lil while?
//Danne
 

bAMtan2

[H]ard|Gawd
Joined
Sep 16, 2008
Messages
1,480
Something easier than openvpn?

I'd like to apologize for all the people who replied without answering your question. Yes there are easier things. Search the Google app store for vpn and you will see the popular services and their clients.
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
It doesn't take much time to setup pf and NAT (if needed), if downtime is important just put a cheap router there instead for a lil while?
//Danne

What does this have to do with NAT or reinstalling the firewall? I already have pfsense and NAT running fine. This is a brand new box and a brand new install.

I need to either 1: figure out why pfsense is blocking reply traffic from my existing (working) openvpn server despite that interface allowing *ALL* traffic. Or 2: figure out how to set it up in pfsense itself and retire the old server.

I suppose another option is to pass my vpn traffic through a SSH tunnel to get around the blocking that pfsense is doing, I think that would work, though it would probably add quite a lot of overhead to encrypt it twice. I'll try that when I'm at work tonight.

Also any issues with double NAT? While not ideal, I don't really have a choice since my new internet requires I use their special modem/router. From what I read online there are ways around it, but I just don't want to touch that right now. Currently the way I have it setup is TCP and UDP ports 1-65535 are forwarded to the firewall, so as far as configuring stuff goes it's like the NAT is not even there.
 

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
There are a lot of issues with double NAT, avoid. Forwards will not work as intended etc
You're having issues with your ruleset so unless you know how to set 'em up properly its just a waste of time. SSH tunnels are only per port and point-to-point....
//Danne
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
There are a lot of issues with double NAT, avoid. Forwards will not work as intended etc
You're having issues with your ruleset so unless you know how to set 'em up properly its just a waste of time. SSH tunnels are only per port and point-to-point....
//Danne

My ruleset is quite simple...




That's the main vlan where the vpn server is. The top rule is redundant, that's intentional as if I do add any blocks I will put them below that rule, so in case I make a mistake I wont lock myself out.




I also had a rule to allow VPN access to the pfsense server itself when I was trying to get that to work but I removed it for now as I wiped everything I did having to do with openvpn.

At this point I just want to try to get the existing server to work. Just need to figure out why pfsense keeps blocking the reply tcp traffic despite my rule set allowing everything.

I don't really have a choice with the double nat. I need to figure out how my new TV/internet works and how it communicates before I start messing around with ISP provided equipment and taking that router out of the picture. Though I wonder if I can just put my firewall on the DMZ?
 
Last edited:

twistacatz

Limp Gawd
Joined
Jan 3, 2005
Messages
182
Coulda bought more licenses.

I went the ovpn appliance route because it replaced my ASA which was just sitting there doing VPN behind the router wasting power. My esxi box is already so there's no more power draw than before the VM was on there. I'm quite happy with it so far and made $400 on my ASA that I payed $150 for lol.

By default ASAs only come with 2 ssl licenses as well.

Yeah trust me I considered everything you mentioned. The high cost and especially the power consumption were definitely downers. However the Juniper SA is more then I can ask for in regards to functionally and client availability. If things change I'll make the switch.

I don't like ongoing subscription cost for openvpn. I bought the SA with 10 user licenses.
 

TCM

Gawd
Joined
Nov 10, 2011
Messages
641
Just need to figure out why pfsense keeps blocking the reply tcp traffic despite my rule set allowing everything.

How about you finally take out tcpdump and look on both of PFsense's interfaces? Also add a log statement to all your blocking rules and see if it actually gets blocked which I doubt. If the initial packet makes it to your VPN server, all replies should match the state.

Where do you actually draw the conclusion that reply packets are getting blocked if you don't look?

I don't like ongoing subscription cost for openvpn.
Then don't pay? OpenVPN is free!?

Seriously, this thread..
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
How about you finally take out tcpdump and look on both of PFsense's interfaces? Also add a log statement to all your blocking rules and see if it actually gets blocked which I doubt. If the initial packet makes it to your VPN server, all replies should match the state.

Where do you actually draw the conclusion that reply packets are getting blocked if you don't look?

There are NO blocking rules on the main vlan. I even posted a screenshot. There is too much traffic to try sifting through tcp dumps, I was looking at the logs.



This is the BGE_vlan2 interface rules:




10.1.1.10 is a local HTTP server, note that it is the SOURCE.
10.2.1.6 is the VPN client.

The packet from the VPN client to the server does not get dropped, but the one coming back does. It's only doing this for TCP traffic (maybe UDP, I'm not sure) but ICMP works. If I ping, I do get a reply.

From the VPN client I can surf the internet fine, it's only local stuff I can't seem to access.

This is for the existing server setup. I gave up trying to make it work in pfsense for now. I have a feeling this is going to be a simpler fix if I can just know what I have to do to fix it.

I CAN connect to the VPN server itself and the firewall itself, but anything else local does not work.
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
In what way is it awful? It only has 2 rules, technically 1.

Code:
set limit tables 3000
set optimization normal
set limit states 50000
set limit src-nodes 50000

#System aliases
  
loopback = "{ lo0 }"
WAN = "{ bge1 }"
VLAN2MAIN = "{ bge0_vlan2 }"
VLAN3WIFIPRIVATE = "{ bge0_vlan3 }"
VLAN4WIFIPUBLIC = "{ bge0_vlan4 }"
OpenVPN = "{ openvpn }"

#SSH Lockout Table
table <sshlockout> persist
table <webConfiguratorlockout> persist
#Snort tables
table <snort2c>

table <virusprot>

# User Aliases 
table <aovdev1> {   ****** /32 } 
aovdev1 = "<aovdev1>"
table <borg_imap> {   10.11.10.10 } 
borg_imap = "<borg_imap>"
table <borgssh> {   ****** /32 ****** /32  ****** /32  ****** /32 } 
borgssh = "<borgssh>"
table <Envirostate> {  ****** /32 } 
Envirostate = "<Envirostate>"
table <localrange> {   10.0.0.0/8  192.168.0.0/24 } 
localrange = "<localrange>"
table <pandora> {   ****** /32 } 
pandora = "<pandora>"
table <terraria> {   ****** /32  ****** /32  ****** /32 } 
terraria = "<terraria>"
table <vpn> {   ****** /32  ****** /32  ****** /32  ****** /32 } 
vpn = "<vpn>"
table <YoutubeFix> {   173.194.55.0/24 } 
YoutubeFix = "<YoutubeFix>"
 
# Gateways
GWGW_WAN = " route-to ( bge1 192.168.2.1 ) "
GWSROUTE0 = "  "

 
set loginterface bge1

set skip on pfsync0

scrub on $WAN all    fragment reassemble
scrub on $VLAN2MAIN all    fragment reassemble
scrub on $VLAN3WIFIPRIVATE all    fragment reassemble
scrub on $VLAN4WIFIPUBLIC all    fragment reassemble


no nat proto carp
no rdr proto carp
nat-anchor "natearly/*"
nat-anchor "natrules/*"


# Outbound NAT rules

# Subnets to NAT 
table <tonatsubnets> { 10.2.1.0/24 10.1.0.0/16 10.11.10.0/24 10.11.11.0/24 10.1.0.0/24 127.0.0.0/8  }
nat on $WAN  from <tonatsubnets> port 500 to any port 500 -> 192.168.2.100/32 port 500  
nat on $WAN  from <tonatsubnets> to any -> 192.168.2.100/32 port 1024:65535  


# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
table <vpn_networks> { 10.1.0.0/24 }
table <negate_networks> { 192.168.2.0/24 10.1.0.0/16 10.11.10.0/24 10.11.11.0/24 10.2.1.0/24  10.1.0.0/24 }
# NAT Inbound Redirects
rdr on bge1 proto tcp from any to 192.168.2.100 port 25565 -> 10.1.1.14
# Reflection redirects
rdr on { bge0_vlan2 bge0_vlan3 bge0_vlan4 openvpn } proto tcp from any to 192.168.2.100 port 25565 tag PFREFLECT -> 127.0.0.1 port 19000

rdr on bge1 proto tcp from any to 192.168.2.100 port 9000 -> 10.1.1.3
# Reflection redirects
rdr on { bge0_vlan2 bge0_vlan3 bge0_vlan4 openvpn } proto tcp from any to 192.168.2.100 port 9000 tag PFREFLECT -> 127.0.0.1 port 19001

rdr on bge1 proto tcp from any to 192.168.2.100 port 7881:7889 -> 10.1.1.22
# Reflection redirects
rdr on { bge0_vlan2 bge0_vlan3 bge0_vlan4 openvpn } proto tcp from any to 192.168.2.100 port 7881:7889 tag PFREFLECT -> 127.0.0.1 port 19002:19010

rdr on bge1 proto tcp from any to 192.168.2.100 port 443 -> 10.1.1.3 port 22
# Reflection redirects
rdr on { bge0_vlan2 bge0_vlan3 bge0_vlan4 openvpn } proto tcp from any to 192.168.2.100 port 443 tag PFREFLECT -> 127.0.0.1 port 19011

rdr on bge1 proto udp from any to 192.168.2.100 port 25025 -> 10.1.1.15
# Reflection redirects
rdr on { bge0_vlan2 bge0_vlan3 bge0_vlan4 openvpn } proto udp from any to 192.168.2.100 port 25025 tag PFREFLECT -> 127.0.0.1 port 19012

# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "relayd/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# Block all IPv6
block in quick inet6 all
block out quick inet6 all

# Snort package
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"

# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

# webConfigurator lockout
block in log quick proto tcp from <webConfiguratorlockout> to any port 443 label "webConfiguratorlockout"
block in quick from <virusprot> to any label "virusprot overload table"
table <bogons> persist file "/etc/bogons"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
antispoof for bge1
# allow our DHCP client out to the WAN
pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
# Not installing DHCP server firewall rules for WAN which is configured for DHCP.
antispoof for bge0_vlan2
# allow access to DHCP server on VLAN2MAIN
pass in quick on $VLAN2MAIN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $VLAN2MAIN proto udp from any port = 68 to 10.1.1.1 port = 67 label "allow access to DHCP server"
pass out quick on $VLAN2MAIN proto udp from 10.1.1.1 port = 67 to any port = 68 label "allow access to DHCP server"
antispoof for bge0_vlan3
# allow access to DHCP server on VLAN3WIFIPRIVATE
pass in quick on $VLAN3WIFIPRIVATE proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $VLAN3WIFIPRIVATE proto udp from any port = 68 to 10.11.10.1 port = 67 label "allow access to DHCP server"
pass out quick on $VLAN3WIFIPRIVATE proto udp from 10.11.10.1 port = 67 to any port = 68 label "allow access to DHCP server"
antispoof for bge0_vlan4
# allow access to DHCP server on VLAN4WIFIPUBLIC
pass in quick on $VLAN4WIFIPUBLIC proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $VLAN4WIFIPUBLIC proto udp from any port = 68 to 10.11.11.1 port = 67 label "allow access to DHCP server"
pass out quick on $VLAN4WIFIPUBLIC proto udp from 10.11.11.1 port = 67 to any port = 68 label "allow access to DHCP server"

# loopback
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( bge1 192.168.2.1 ) from 192.168.2.100 to !192.168.2.0/24 keep state allow-opts label "let out anything from firewall host itself"
# NAT Reflection rules
pass in inet tagged PFREFLECT keep state label "NAT REFLECT: Allow traffic to localhost"

# User-defined rules follow

anchor "userrules/*"
block return  in  quick  on $WAN reply-to ( bge1 192.168.2.1 )  from   $YoutubeFix to any  label "USER_RULE: Youtube fix (rx)"
pass  in  quick  on $WAN reply-to ( bge1 192.168.2.1 )  proto tcp  from   $terraria to   10.1.2.11 port 7777  flags S/SA keep state  label "USER_RULE: NAT Terraria"
pass  in  quick  on $WAN reply-to ( bge1 192.168.2.1 )  proto udp  from   $vpn to   10.1.1.15 port 25025  keep state  label "USER_RULE: NAT VPN SRV"
pass  in  quick  on $WAN reply-to ( bge1 192.168.2.1 )  proto tcp  from   $vpn to   10.1.1.3 port 22  flags S/SA keep state  label "USER_RULE: NAT Hal9000 SSH"
pass  in  quick  on $WAN reply-to ( bge1 192.168.2.1 )  proto tcp  from   $Envirostate to   10.1.1.3 port 9000  flags S/SA keep state  label "USER_RULE: NAT Envirostate Server"
pass  in  quick  on $WAN reply-to ( bge1 192.168.2.1 )  proto tcp  from   $terraria to   10.1.1.14 port 25565  flags S/SA keep state  label "USER_RULE: NAT Minecraft"
pass  in  quick  on $WAN reply-to ( bge1 192.168.2.1 )  proto tcp  from any to   10.1.1.22 port 7880 >< 7890  flags S/SA keep state  label "USER_RULE: P2P Torrents"
pass  in  quick  on $OpenVPN  from any to any keep state  label "USER_RULE: Auto added OpenVPN rule from config upgrade."
pass  in  quick  on $OpenVPN  from any to any keep state  label "USER_RULE: OpenVPN Open VPN 1 wizard"
pass  in  quick  on $VLAN2MAIN  from any to 10.1.1.1 keep state  label "USER_RULE: Antilockout rule - do not delete, leave on top"
pass  in  quick  on $VLAN2MAIN  from any to any keep state  label "USER_RULE: Internet"
pass  in  quick  on $VLAN3WIFIPRIVATE  from any to 10.11.10.1 keep state  label "USER_RULE: Antilockout rule - do not delete, leave on top "
pass  in  quick  on $VLAN3WIFIPRIVATE  proto { tcp udp }  from any to   10.1.1.10 port 53  keep state  label "USER_RULE: DNS"
pass  in  quick  on $VLAN3WIFIPRIVATE  proto { tcp udp }  from any to   10.1.1.3 port 80  keep state  label "USER_RULE: Hal9000"
pass  in  quick  on $VLAN3WIFIPRIVATE  proto tcp  from any to   10.1.1.22 port 80  flags S/SA keep state  label "USER_RULE: p2p web"
pass  in  quick  on $VLAN3WIFIPRIVATE  proto tcp  from any to   10.1.1.22 port 9091  flags S/SA keep state  label "USER_RULE: p2p web"
pass  in  quick  on $VLAN3WIFIPRIVATE  proto tcp  from any to   10.1.2.10 port 10000  flags S/SA keep state  label "USER_RULE: Port 10000, for misc.  iperf etc"
block  in  quick  on $VLAN3WIFIPRIVATE  from any to   $localrange  label "USER_RULE: Local range"
pass  in  quick  on $VLAN3WIFIPRIVATE  from any to any keep state  label "USER_RULE: Internet"
block  in  quick  on $VLAN4WIFIPUBLIC  from any to   $localrange  label "USER_RULE: Deny LAN"
pass  in  quick  on $VLAN4WIFIPUBLIC  proto tcp  from any to any port 79 >< 444  flags S/SA keep state  label "USER_RULE: Internet - http"
pass  in  quick  on $VLAN4WIFIPUBLIC  proto { tcp udp }  from any to any port 53  keep state  label "USER_RULE: Internet - dns"
pass  in  quick  on $VLAN4WIFIPUBLIC  proto { tcp udp }  from any to any port 109 >< 996  keep state  label "USER_RULE: Internet - pop3"
pass  in  quick  on $VLAN4WIFIPUBLIC  proto { tcp udp }  from any to any port 142 >< 994  keep state  label "USER_RULE: Internet - imap"
pass  in  quick  on $VLAN4WIFIPUBLIC  proto { tcp udp }  from any to 10.11.11.1 port 53  keep state  label "USER_RULE: Gateway DNS"

# VPN Rules
anchor "tftp-proxy/*"
 
Top