OPNsense Forum

English Forums => General Discussion => Topic started by: mdirickx on July 29, 2019, 05:35:23 PM

Title: Port forward of OpenVPN to different VM
Post by: mdirickx on July 29, 2019, 05:35:23 PM
Hi,

I have an old OpenVPN server created in pfSense. I'm trying to set up a port forward to this box in OPNsense, but somewhere something is going wrong. I can't seem to figure out what it is though.

What I've got:
I got the old config from my old (really old) firewall; basically this is a NAT rule and a routing rule.

I already went over some of the posts here and I did the following:

Firewall > Settings > Advanced:
Reflection for port forwards             Checked
Reflection for 1:1                       Unchecked
Automatic outbound NAT for Reflection    Checked

Firewall > NAT > Port Forward > Add
Interface:                               WAN
TCP/IP Version:                          IPv4
Protocol:                                UDP
Destination:                             WAN address
Destination port range:                  from: Other 20096     to: Other 20096
Redirect target IP:                      Alias:172.16.20.89
Redirect target port:                    Other 20096
Filter rule association                  add associated filter rule

System > gateways > single > add
pfSense_VPN LAN 172.16.20.89

System > routes > configuration > add
192.168.200.0/24 pfSense_VPN - 172.16.20.89

With this route set up, the forward rule and the associated firewall rule, I applied the settings and gave it a go. Unfortunately, OpenVPN tells me that 'TLS key negotiation failed to occur within 60 seconds'.

I tried to do some packet capturing on both the OPNsense box and the pfSense box. On the OPNsense firewall I captured UDP traffic to 172.16.20.89, and on the pfSense box I used WAN. On both interfaces I got the packets that I expected, and now I have no idea what to do. I've attached the packet capture images to this post.

When I connect my laptop to the internal WiFi, I can get a connection to the VPN. Same thing when I repatch the WAN and LAN cables to the old firewall. Therefore, I think something is wrong with my port forward, but I have no idea what that is.

Thanks!
Title: Re: Port forward of OpenVPN to different VM
Post by: mdirickx on July 30, 2019, 02:34:38 PM
I think I've made a breakthrough in finding the cause. Any help in finding a solution would be appreciated :)

With NAT the source address is kept. My OpenVPN server does not have an upstream gateway and can't connect back.

Is there any way to have OPNsense translate the source address to its LAN address without breaking the connection?

Background
If I try to connect to the VPN from LAN, the packet source IP at the OpenVPN server is the LAN address of the OPNsense box. This is most likely because I connect to the public IP of OPNsense. When I connect from the WAN, the source IP is the public IP of my home. Simply put, NAT does its job.

Unfortunately, the OpenVPN WAN interface does not have an upstream gateway. This is a deliberate choice: people on the VPN are already connected to the internet, they don't need to send everything through the tunnel. This also means that OpenVPN has no idea how to send a packet back to the public IP of my phone/laptop.

BTW: The old firewall had some weird understanding of NAT and full cone NAT: it basically always replaced the source address with itself, which is very annoying for stuff like fail2ban.
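As an added example (not from the thread), this is the pf rule set behind what the poster is asking for: the existing WAN port forward, plus an outbound NAT rule on LAN limited to this one flow that rewrites the source to OPNsense's LAN address, so the VM can answer without an upstream gateway. The interface names em0/em1 are assumptions; in the GUI the second rule corresponds to Firewall > NAT > Outbound in Hybrid mode, with the translation target set to the LAN interface address.

```pf
# Added example, not OPNsense-generated config. Interface names are assumptions.
wan_if  = "em0"            # WAN (assumed name)
lan_if  = "em1"            # LAN (assumed name)
vpn_srv = "172.16.20.89"   # OpenVPN VM from the thread
vpn_port = "20096"

# 1. Port forward (what the GUI rule on WAN already does): DNAT to the VM.
rdr on $wan_if proto udp from any to ($wan_if) port $vpn_port -> $vpn_srv port $vpn_port

# 2. Outbound NAT on LAN, scoped to this one destination/port only: rewrite the
#    source to OPNsense's LAN address so the VM's replies come back to the firewall
#    instead of needing a default route to the client's public IP.
nat on $lan_if proto udp from any to $vpn_srv port $vpn_port -> ($lan_if)

# 3. Filter rule for the forwarded traffic (the "associated filter rule"); pf
#    evaluates it after rdr, so it matches the translated destination.
pass in quick on $wan_if proto udp from any to $vpn_srv port $vpn_port keep state
```

The cost is exactly the one the poster notes for fail2ban: the OpenVPN server then logs every client as the firewall's LAN address. On OPNsense, `pfctl -s state | grep 20096` shows both halves of the translated flow, which is a quick way to confirm the outbound rule is actually matching.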