I finally set up OpenVPN yesterday. I am using no-ip dyndns to forward to pfSense. All traffic is tunneled through the OpenVPN connection. Everything has been simple except for the fact that I can't log into pfSense or Unifi. I have no issues connecting to any other SSL/TLS connection. Both of those connections are timing out. I am able to ping both, and SSH into both.
I checked the pfSense firewall log to see if I am being blocked, but it doesn't look like it is. What am I missing?
Have you added the OpenVPN instance as an interface in pfSense and then added a rule to allow traffic from that interface to pfSense GUI / Unifi server?
Have you confirmed that your client’s traffic is, in fact, routed through the VPN? E.g., check the route table on the client and/or add a “Pass everything” rule on the OpenVPN interface, enable logging for that rule and check if any logs show up.
I don't think that is the case; I thought by default you can access it from the LAN only.
If you set up a VLAN, unless that auto-lockout rule appears you won't be able to access the GUI with no rules either, so I would think a rule will control access over anything except the LAN.
There are other rules that control access to the GUI. However, while I have the LAN, I don't use it for anything; I've set up VLANs etc.
I have my alias for ports that includes 443, which my pfSense is on. That same rule is for TCP/UDP traffic. If I disable that rule then I'm fairly sure I wouldn't be able to access the GUI (though I've not tested it). I would add that I added all my own rules; those auto-added rules are not always clear to me.
I am with you 100% that without a rule that specifically allows access to the pfSense GUI, you can't access it, since the default behavior is to block everything. However, an "Allow all" rule covers that. If you have an "Allow all" rule on any interface, you can access the pfSense GUI from that network, no matter which of the pfSense's IP addresses you use.
Ah ok, I didn't consider that. Perhaps I do things the long way; I found it pretty tough to work out what was happening in pfSense when I first set it up. Doing it step by step was slow, but I believe / hope my setup is optimal and secure.
@Kalifornia909 can just try that; if it works I would suggest refining the rule down so only 443/80 is open. However, it might be ok to leave it if OpenVPN is set up securely, depending on levels of paranoia.
I'll check the rules again, and if it was just the pfSense GUI it would make a lot more sense. The fact that it is pfSense and Unifi is what makes me think otherwise. They are different IPs on the same network segment.
That confirms it! If you are on https you need to allow your OpenVPN traffic over TCP/UDP to access port 443. @paolo is right, if you have an allow-all rule that should work too. Take your pick.
Just to clarify, I am not advising to use an “allow all” rule permanently, but it is an easy check to see if the problem is related to firewall rules or something else entirely. I am all for having firewall rules as restrictive as possible.
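The rule logic the replies above describe, as an added example written for this page (not code from the thread or from pfSense): a small first-match model with a default deny, showing that traffic arriving on the OpenVPN interface needs its own pass rule to reach the GUI on 443, and how a narrow port-alias rule compares with the temporary allow-all check. The interface names, the "WebPorts" alias and the three rule sets are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple, Union

# Constructed port alias, standing in for the "ports" alias mentioned above.
ALIASES = {"WebPorts": {80, 443}}

@dataclass
class Rule:
    iface: str                               # interface the packet arrives on
    action: str                              # "pass" or "block"
    proto: str = "any"                       # "tcp", "udp", "tcp/udp" or "any"
    dst_ports: Union[Set[int], str] = "any"  # port set, alias name or "any"
    log: bool = False                        # the "log this rule" checkbox

    def ports(self) -> Set[int]:
        if isinstance(self.dst_ports, str):
            return ALIASES[self.dst_ports]   # an unknown alias is a config error
        return self.dst_ports

    def matches(self, iface: str, proto: str, dport: int) -> bool:
        if self.iface != iface:
            return False
        if self.proto != "any" and proto not in self.proto.split("/"):
            return False
        return self.dst_ports == "any" or dport in self.ports()

def evaluate(rules, iface, proto, dport) -> Tuple[str, Optional[Rule]]:
    """First matching rule on the ingress interface wins, as in the pfSense
    GUI; no match falls through to the implicit default deny."""
    for rule in rules:
        if rule.matches(iface, proto, dport):
            if rule.log:   # what a logged rule would write to the firewall log
                print(f"LOG {rule.action} {iface} {proto}/{dport} by {rule}")
            return rule.action, rule
    return "block", None

# Three constructed rule sets: "lan" is the LAN interface, "openvpn" the
# OpenVPN instance assigned as its own interface.
LAN_ONLY = [Rule("lan", "pass")]
NARROW_VPN = LAN_ONLY + [Rule("openvpn", "pass", "tcp/udp", "WebPorts", log=True)]
ALLOW_ALL_VPN = LAN_ONLY + [Rule("openvpn", "pass", log=True)]

def gui_reachable(rules, iface="openvpn") -> bool:
    """Would a client on `iface` get a TCP/443 connection to the GUI through?"""
    return evaluate(rules, iface, "tcp", 443)[0] == "pass"

if __name__ == "__main__":
    for name, rules in [("LAN only", LAN_ONLY), ("narrow VPN rule", NARROW_VPN),
                        ("allow-all VPN", ALLOW_ALL_VPN)]:
        print(name, "-> GUI over VPN:", gui_reachable(rules),
              "| ssh over VPN:", evaluate(rules, "openvpn", "tcp", 22)[0])
```

With the narrow rule, 443 and 80 pass over the VPN but 22 does not, which is the refinement suggested above; the allow-all set passes everything, which is why it works as a quick test of whether rules are the problem.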
After logging the firewall rules it looks like it is the outbound TLS connection that isn't working. So from the firewall to the dyndns forwarder is why I can't connect.