Pfsense and openvpn remote management setup help.


Oldhome7

Member
Feb 9, 2020
71
23
8
I've been attempting to set up openvpn on my pfsense box and while I've managed to get far enough to connect and use it for browsing, I cannot seem to access the pfsense router or the ipmi for the media server. Normally I use TeamViewer to access the media server and do whatever needs done on the network from there but today the wife informed me that the media server locked up while I'm at work and I obviously cannot access TeamViewer or ipmi to reset it.

Can somebody point me in the right direction to a guide or something? Like I said, I'm currently at work so I can't get all the settings I have right now but hopefully we can get the ball rolling and I can dig into it when I get home.
 

RTM

Well-Known Member
Jan 26, 2014
956
359
63
Assuming you are able to connect to the VPN, there are usually two things you need to ensure are configured correctly.

  1. The VPN needs to be made aware of what networks/devices it can provide access to, that is (for ipv4 ofc) configured through "ipv4 local networks" (you find this within the VPN's configuration). This *should* ensure that your client device is provided with a route to these network segments via the VPN.
  2. Firewall rules, you should have a tab for the VPN, this needs to be configured to allow access to the network segments you want access to.
 

Oldhome7

1. Under the VPN server settings the tunnel network is 10.8.0.0/24, local network is 192.168.1.0/24. The LAN is under 192.168.1.0/24 as well.

2. The firewall rules are the ones that were created when I set up OpenVPN with the wizard.
WAN rule of IPv4 UDP, Source ANY, Port ANY, Destination WAN, Port OpenVPN port
OpenVPN rule of IPv4 and ANY across the board.

Is there another rule I'm missing?

Edit: I originally had the tunnel network as 192.168.2.0/24 and also tried 1.0/24 as well before reading that a subnet overlap could potentially cause issues so that's why I changed it to the current 10.8.0.0/24
 

RTM

Assuming what you want to reach is in the 192.168.1.0/24 segment, that part should be fine.

In terms of firewall rules, assuming of course I am reading you correctly, it sounds like you are missing rules in the OpenVPN network segment.
In the firewall rules configuration page, you should have a tab called OpenVPN, where you will need to configure rules that allow access from the OpenVPN network (tunnel network) to the services you need access to.

In firewall rules, you should have at least 4 tabs, "Floating", "WAN", "LAN" and "OpenVPN", you can use the following screenshot I found online as reference (it also has OPT1 and OPT2, you may not have those):

If this does not explain it, you should consider taking and posting some screenshots of your configuration.
 

Oldhome7

I realize now that the formatting of my previous post came out weird.

I have a rule on the WAN tab for IPv4 UDP, Source: ANY, Port: ANY, Destination: WAN, Port: my OpenVPN port

I also have a rule on the OpenVPN tab for IPv4 and ANY across the board.

Those seem to match the screenshots I've seen in many of the guides I've read to set up OpenVPN.

Yes my pfsense box and my ipmi are both in the 192.168.1.x subnet.
 

RTM

Fair enough.

In that case, I would look to ensure two things.
  1. The client should have a route defined for the 192.168.1.0/24 segment, that goes via the OpenVPN interface when connected.
  2. This is a bit of guesswork, but if you have defined a gateway for the "allow all" rule on the OpenVPN tab, it might cause issues
    1. If this is the case, you may want to define a specific rule with higher priority, that allows access to the 192.168.1.0/24 segment (or just the servers you want access to), without defining a gateway within the rule of course :)
 

Oldhome7

1. I'm not sure on how to define a route or even check if there is one.

2. I've attached a screenshot of the OpenVPN rule and the only part about gateway that I see is set to default, the only other option is WAN_DHCP Gateway
 

RTM

The firewall rule looks correct.

Your OpenVPN client should configure a route when it connects, however I am unsure if it is done by protocol or the connection configuration file.

Which leads me to ask, have you installed the package openvpn-client-export in your pfsense?
It is used to generate connection profiles for your users that you can use with OpenVPN or import if you have software that supports that.
So if you have not installed that, do that, download a profile for the user and use that.

In terms of how to determine if there is a route, it depends on the OS: on most Linux OSes you can do "ip route"; on Windows, a quick search suggests that "route print" will do the trick.

Another thing that may cause issues, is if the network you are using remotely overlaps with your VPN and home network ranges.
Wait, do I need this redirect ipv4 one checked?
No, this should not be necessary.
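
The route check and the subnet-overlap concern from the post above, as an added example that is not part of the original thread: it parses `ip route` output from a Linux client and reports whether 192.168.1.0/24 actually leaves through the VPN interface. The sample outputs, the interface names `tun0`/`wlan0` and the function names are constructed for illustration.

```python
import ipaddress

# Constructed `ip route` output from a Linux client on a remote network
# while connected to the VPN (sample data, not taken from the thread).
SAMPLE_OK = """\
default via 172.20.10.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
172.20.10.0/28 dev wlan0 proto kernel scope link src 172.20.10.3
192.168.1.0/24 via 10.8.0.1 dev tun0
"""

# Constructed: the remote Wi-Fi also uses 192.168.1.0/24 and wins.
SAMPLE_OVERLAP = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.57
"""

def parse_routes(text):
    """Return (network, device) pairs from IPv4 `ip route` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.IPv4Network(dest, strict=False)
        except ValueError:
            continue  # not a prefix (e.g. a route-type keyword)
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def check_vpn_routing(text, home_lan="192.168.1.0/24", vpn_prefix="tun"):
    """Report which interface carries traffic for home_lan."""
    lan = ipaddress.IPv4Network(home_lan)
    routes = parse_routes(text)
    covering = [r for r in routes if lan.subnet_of(r[0])]
    # Longest-prefix match picks the route (metrics are ignored here).
    best = max(covering, key=lambda r: r[0].prefixlen, default=None)
    overlaps = [str(n) for n, dev in routes
                if not dev.startswith(vpn_prefix)
                and n.prefixlen > 0 and n.overlaps(lan)]
    return {
        "lan_via_vpn": best is not None and best[1].startswith(vpn_prefix),
        "egress_dev": best[1] if best else None,
        "local_overlaps": overlaps,
    }
```

A non-empty `local_overlaps` means the remote network shares address space with the home LAN, so traffic for 192.168.1.x may never enter the tunnel even when the pfSense firewall rules are correct.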
 

Oldhome7

I do have the export package installed and did use it when I installed OpenVPN on my Android phone. For general use, external addresses and such, it works just fine, it's when I try to point it internally that it doesn't work.

I did just check the status on my phone and the IP address of the mobile network seems to say 192.0.0.2.
 

RTM

So... given that it sounds like the OpenVPN client on your phone appears to pull all traffic through the VPN, and I am not seeing anything in the OpenVPN configuration (but I could be missing it) that indicates that it is configured to pull all traffic through the VPN (possibly overriding configuration from profile file), I have a feeling that you may need to look into the configuration of your VPN client.

But before that, it may be a good idea to do a sanity check, I suggest you try from a computer (I would use Linux, since OpenVPN should be in repo and thus easy to install).