OPNsense Forum

English Forums => Virtual private networks => Topic started by: seki on November 18, 2021, 01:17:55 PM

Title: PiVPN behind OPNsense
Post by: seki on November 18, 2021, 01:17:55 PM
Hi Lovely People!

Please enlighten (or drag away) me from the following idea.

I would like to set up a PiVPN on my RPi4B.8 and it would be placed behind OPNsense. Something like that:

ISP router ---> OPNsense ---> Cisco switch ---> RPi with PiVPN


Is it possible? Is it actually worth it? If yes, then can someone enlighten me and provide some keywords that I can search in Google, because when I use "PiVPN" or "VPN" along with OPNsense or pfSense I get lots of tutorials that are guiding me through installation and stuff like that. I have already done that. The problem is that it seems I can't reach my PiVPN from outside. Maybe I'm doing something wrong?

Now... For those that ask me why I did not set up OpenVPN on OPNsense.
Well, I would like to add a few things to this PiVPN machine and I want to keep my OPN as clean and light as possible.

Title: Re: PiVPN behind OPNsense
Post by: chemlud on November 18, 2021, 01:45:13 PM
Hi!

Do you have a public IP on WAN of the opnsense? So is the provider router bridged?

What do you want to achieve? Mobile phones and/or other mobile devices can connect to your pi? Or connect the pi to another VPN server (other location)?
Title: Re: PiVPN behind OPNsense
Post by: seki on November 18, 2021, 01:50:53 PM
Hi chemlud and thank you for your response.

My ISP router has one particular IP set as DMZ and that DMZed IP is my OPNsense's WAN IP. Plus I have CFlare set up as my DynDNS service (see attached screen).


Yes, I want to be able to connect from all over the world using the OpenVPN App/Client to my PiVPN inside the house to grab some data from my NAS at home.
Title: Re: PiVPN behind OPNsense
Post by: chemlud on November 18, 2021, 02:00:19 PM
Do you have a port forward from the WAN of ISP router to the opnsense? Or are all ports of the opnsense exposed (DMZ)?

Do you have a FW rule in place on WAN of the opnsense for the port/protocol of choice for your tunnel?

Have you configured openVPN or wireguard on the pi?
Title: Re: PiVPN behind OPNsense
Post by: seki on November 18, 2021, 02:17:55 PM
For the time being I have just one rule on WAN interface:

Proto: IPv4
Source/Dest/Port/anything else: *

I'll narrow this rule later once I set it up.


As for the ISP router, DMZ exposes everything, even ports. This device is basically naked to the world. However, I've set up port forwarding for VPN access (1195 - yes, it's not 1194):

Inside port: 1195
Outside port: 1195
Proto: TCP/UDP
Device: 192.168.5.200 (the IP of OPNsense WAN link that is DMZed)
Title: Re: PiVPN behind OPNsense
Post by: chemlud on November 18, 2021, 02:52:35 PM
1195, so it's openVPN?

Port forward for 1195 on opnsense to IP of the pi?

What do you see on the client? What's in the logs of your pi?

Start a packet capture on the WAN of your opnsense for port 1195 and ipv4 and see if anything arrives there...
Title: Re: PiVPN behind OPNsense
Post by: seki on November 18, 2021, 03:15:15 PM
Yes. PiVPN is OpenVPN based.

Port forward done on the WAN interface that redirects to PiVPN's IP at port 1195.

On the client side I do get timeouts; not sure where I should put my focus, whether it's the ISP's router or OPNsense.

15:04:28.828 -- Connecting to [vpn.xxxxx.it]:1195 (8x.xxx.xxx.182) via UDPv4
15:04:38.798 -- Server poll timeout, trying next remote entry...
15:04:38.798 -- EVENT: RECONNECTING
15:04:38.800 -- EVENT: RESOLVE
15:04:38.808 -- Contacting 8x.xxx.xxx.182:1195 via UDP
15:04:38.808 -- EVENT: WAIT
15:04:38.811 -- Connecting to [vpn.xxxxx.it]:1195 (8x.xxx.xxx.182) via UDPv4
15:04:48.801 -- Server poll timeout, trying next remote entry...



And yes - vpn.xxxxx.it is a CNAME in Cloudflare DNS that points to fw.xxxx.it, which is dynamically updated by the DynDNS client on OPNsense.
Title: Re: PiVPN behind OPNsense
Post by: chemlud on November 18, 2021, 03:20:31 PM
Do a packet capture on WAN for port 1195... It's under Interfaces -> Diagnostics
Title: Re: PiVPN behind OPNsense
Post by: seki on November 18, 2021, 03:29:06 PM
Looks like it's grabbing something.

The IP 8x.xxx.xxx.182 is my actual public IP.



WAN
re0   15:24:16.042842 IP 8x.xxx.xxx.182.43069 > 192.168.5.200.1195: UDP, length 54
WAN
re0   15:24:17.014133 IP 8x.xxx.xxx.182.43069 > 192.168.5.200.1195: UDP, length 54
WAN
re0   15:24:18.019354 IP 8x.xxx.xxx.182.43069 > 192.168.5.200.1195: UDP, length 54

The packet capture on the LAN interface is empty though.
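The two captures above (traffic arriving on WAN, nothing on LAN) are exactly what the thread's troubleshooting sequence is designed to separate: ISP router forward/DMZ, then the OPNsense NAT and firewall rule, then the VPN host itself. As an added example that is not part of the thread or of OPNsense, the following Python script parses tcpdump-style lines of the kind the OPNsense packet capture page prints and reports which hop is dropping the traffic. The interface names, the addresses 203.0.113.7, 192.168.5.200 and 192.168.10.50, and all capture lines are constructed for the example.

```python
"""Localize a broken inbound port forward from packet captures.

Added example, not from the forum thread: it applies the troubleshooting
sequence used in the thread (capture on the OPNsense WAN, then on the LAN)
to tcpdump-style capture lines and reports which hop is dropping traffic.
All IP addresses and capture lines below are constructed samples.
"""
import re

# Regex for the line format OPNsense's Interfaces -> Diagnostics -> Packet
# Capture shows, e.g.
#   re0   15:24:16.042842 IP 203.0.113.7.43069 > 192.168.5.200.1195: UDP, length 54
# Interface-name lines ("WAN", "LAN") carry no packet and are skipped.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+IP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)


def parse_capture(lines):
    """Return one dict per packet line; non-matching lines are ignored."""
    packets = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        # tcpdump prints "UDP, length N" for UDP and "Flags [S], ..." for TCP.
        proto = "UDP" if rest.startswith("UDP") else "TCP" if rest.startswith("Flags") else "OTHER"
        packets.append({
            "iface": m.group("iface"), "ts": m.group("ts"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "proto": proto,
        })
    return packets


def diagnose(wan_lines, lan_lines, port, fw_wan_ip, server_ip, proto="UDP"):
    """Classify where the forward chain breaks for traffic to `port`.

    Stages, in the order the thread checked them:
      upstream  - nothing reaches the OPNsense WAN address: ISP router DMZ /
                  port forward, or the DNS name resolves to the wrong address
      firewall  - arrives on WAN but never exits LAN toward the server: the
                  OPNsense port-forward (NAT) rule or the WAN firewall rule
      server    - the server receives packets but never answers: the VPN
                  service or a host firewall on the server
      ok        - request and reply both seen on the LAN side
    """
    wan = parse_capture(wan_lines)
    lan = parse_capture(lan_lines)
    on_wan = [p for p in wan if p["proto"] == proto and p["dst"] == fw_wan_ip and p["dport"] == port]
    to_server = [p for p in lan if p["proto"] == proto and p["dst"] == server_ip and p["dport"] == port]
    from_server = [p for p in lan if p["proto"] == proto and p["src"] == server_ip and p["sport"] == port]
    if not on_wan:
        stage = "upstream"
    elif not to_server:
        stage = "firewall"
    elif not from_server:
        stage = "server"
    else:
        stage = "ok"
    return {"stage": stage, "wan_in": len(on_wan), "lan_out": len(to_server), "lan_reply": len(from_server)}


# Constructed captures. 203.0.113.7 stands in for the roaming client's
# public address, 192.168.5.200 for the OPNsense WAN address sitting in
# the ISP router's DMZ, 192.168.10.50 for the Pi running the VPN server.
WAN_CAPTURE = """
WAN
re0   15:24:16.042842 IP 203.0.113.7.43069 > 192.168.5.200.1195: UDP, length 54
WAN
re0   15:24:17.014133 IP 203.0.113.7.43069 > 192.168.5.200.1195: UDP, length 54
""".splitlines()

# LAN capture when the port forward works: request forwarded, server answers.
LAN_CAPTURE_OK = """
LAN
igb1  15:24:16.043001 IP 203.0.113.7.43069 > 192.168.10.50.1195: UDP, length 54
LAN
igb1  15:24:16.045210 IP 192.168.10.50.1195 > 203.0.113.7.43069: UDP, length 66
""".splitlines()

# LAN capture when the forward works but the server never replies.
LAN_CAPTURE_NO_REPLY = LAN_CAPTURE_OK[:3]

if __name__ == "__main__":
    # The thread's situation: packets on WAN, empty LAN capture -> "firewall".
    print(diagnose(WAN_CAPTURE, [], 1195, "192.168.5.200", "192.168.10.50"))
```

With the WAN capture populated and the LAN capture empty the script reports the "firewall" stage, which is the OPNsense side (NAT rule or WAN rule) rather than the ISP router; a port forward bound to the wrong interface produces exactly this signature. An empty WAN capture would instead point at the ISP router's DMZ/forward or at the DynDNS record, so the WAN capture is worth running first.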
Title: Re: PiVPN behind OPNsense
Post by: seki on November 18, 2021, 03:35:55 PM
chemlud!

As usual, I've done something stupid... This time I screwed up the Port Forward. The source interface was not WAN but LAN :(

I apologize for my stupidity, but your troubleshooting session was very helpful and now I know better how to dig for more when troubleshooting cases like this.