PiVPN behind OPNsense

Started by seki, November 18, 2021, 01:17:55 PM

Hi Lovely People!

Please enlighten (or drag away) me from the following idea.

I would like to set up a PiVPN on my RPi4B.8 and it would be placed behind OPNsense. Something like that:

ISP router ---> OPNsense ---> Cisco switch ---> RPi with PiVPN


Is it possible? Is it actually worth it? If yes, then can someone enlighten me and provide me some keywords that I can search in Google, because when I use "PiVPN" or "VPN" along with OPNsense or pfSense I get lots of tutorials that guide me through installation and stuff like that. I have already done that. The problem is that it seems I can't reach my PiVPN from outside. Maybe I'm doing something wrong?

Now... For those that ask me why I did not set up OpenVPN on OPNsense:
Well, I would like to add a few things on this PiVPN machine and I want to keep my OPNsense as clean and light as possible.


Hi!

Do you have a public IP on WAN of the opnsense? So is the provider router bridged?

What do you want to achieve? Mobile phones and/or other mobile devices can connect to your pi? Or connect the pi to another VPN server (other location)?
Kind regards,
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Hi chemlud and thank you for your response.

My ISP router has one particular IP set as DMZ, and that DMZed IP is my OPNsense's WAN IP. Plus I have Cloudflare set up as my DynDNS service (see attached screen).


Yes I want to be able to connect from all over the world using OpenVPN App/Client to my PiVPN inside house to grab some data from my NAS at home.

November 18, 2021, 02:00:19 PM #3 Last Edit: November 18, 2021, 02:04:23 PM by chemlud
Do you have a port forward from the WAN of ISP router to the opnsense? Or are all ports of the opnsense exposed (DMZ)?

Do you have a FW rule in place on WAN of the opnsense for the port/protocol of choice for your tunnel?

Have you configured openVPN or wireguard on the pi?
Kind regards,
chemlud

For the time being I have just one rule on WAN interface:

Proto: IPv4
Source/Dest/Port/anything else: *

I'll narrow this rule later once I set it up.


As for the ISP router: DMZ exposes everything, all ports. This device is basically naked to the world. However, I've set up port forwarding for VPN access (1195 - yes, not 1194):

Inside port: 1195
Outside port: 1195
Proto: TCP/UDP
Device: 192.168.5.200 (the IP of the OPNsense WAN link that is DMZed)

November 18, 2021, 02:52:35 PM #5 Last Edit: November 18, 2021, 02:54:31 PM by chemlud
1195, so it's openVPN?

Port forward for 1195 on opnsense to IP of the pi?

What do you see on the client? What's in the logs of your pi?

Start a packet capture on the WAN of your opnsense for port 1195 and IPv4 and see if anything arrives there...
Kind regards,
chemlud

Yes. PiVPN is OpenVPN based.

Port forward done on the WAN interface that redirects to PiVPN's IP at port 1195.

On the client side I get timeouts; I'm not sure where I should put my focus, whether it's the ISP's router or OPNsense.

15:04:28.828 -- Connecting to [vpn.xxxxx.it]:1195 (8x.xxx.xxx.182) via UDPv4
15:04:38.798 -- Server poll timeout, trying next remote entry...
15:04:38.798 -- EVENT: RECONNECTING
15:04:38.800 -- EVENT: RESOLVE
15:04:38.808 -- Contacting 8x.xxx.xxx.182:1195 via UDP
15:04:38.808 -- EVENT: WAIT
15:04:38.811 -- Connecting to [vpn.xxxxx.it]:1195 (8x.xxx.xxx.182) via UDPv4
15:04:48.801 -- Server poll timeout, trying next remote entry...



And yes - vpn.xxxxx.it is a CNAME in Cloudflare DNS that points to fw.xxxx.it, which is dynamically updated by the DynDNS client on OPNsense.

Do a packet capture on WAN for port 1195... It's under Interfaces -> Diagnostics.
Kind regards,
chemlud

Looks like it's grabbing something.

The IP 8x.xxx.xxx.182 is my actual public IP.



WAN
re0   15:24:16.042842 IP 8x.xxx.xxx.182.43069 > 192.168.5.200.1195: UDP, length 54
WAN
re0   15:24:17.014133 IP 8x.xxx.xxx.182.43069 > 192.168.5.200.1195: UDP, length 54
WAN
re0   15:24:18.019354 IP 8x.xxx.xxx.182.43069 > 192.168.5.200.1195: UDP, length 54

The packet capture on the LAN interface is empty, though.

November 18, 2021, 03:35:55 PM #9 Last Edit: November 18, 2021, 03:52:09 PM by seki
chemlud!

As usual I've done something stupid... This time I screwed up the Port Forward. The source interface was not WAN but LAN :(

I apologize for my stupidity, but your troubleshooting session was very helpful and now I know better how to dig when troubleshooting cases like this.
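The two-capture check chemlud walked through (does port 1195 traffic show up on WAN, and does the forwarded copy then show up on LAN?) can be turned into a small diagnostic. This is an added example, not code from the thread or from OPNsense; it parses capture lines in the format the Diagnostics page printed above. The client IP 198.51.100.7, the Pi address 192.168.1.50 and the LAN interface name igb1 are constructed; 192.168.5.200 is the OPNsense WAN address from the thread.

```python
import re

# Packet-line format as printed by the OPNsense packet-capture view (copied from the thread):
#   re0   15:24:16.042842 IP 8x.xxx.xxx.182.43069 > 192.168.5.200.1195: UDP, length 54
CAP_LINE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<proto>\w+), length (?P<length>\d+)$"
)

def parse_capture(text):
    """Return one dict per packet line; bare interface-name lines such as 'WAN' are skipped."""
    pkts = []
    for line in text.splitlines():
        m = CAP_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            for key in ("sport", "dport", "length"):
                d[key] = int(d[key])
            pkts.append(d)
    return pkts

def diagnose_forward(wan_text, lan_text, vpn_port, pi_ip):
    """Locate where a WAN -> LAN port forward fails, from the WAN and LAN captures."""
    wan_in = [p for p in parse_capture(wan_text) if p["dport"] == vpn_port]
    lan = parse_capture(lan_text)
    to_pi = [p for p in lan if p["dst"] == pi_ip and p["dport"] == vpn_port]
    from_pi = [p for p in lan if p["src"] == pi_ip and p["sport"] == vpn_port]
    if not wan_in:
        return "no_wan_traffic"    # nothing reaches OPNsense: look upstream (ISP router, DNS, client)
    if not to_pi:
        return "nat_not_applied"   # the thread's case: traffic hits WAN but the forward never fires
    if not from_pi:
        return "no_reply_from_pi"  # forward works, but the VPN daemon on the Pi is not answering
    return "ok"

# Constructed sample captures: 198.51.100.7 stands in for the redacted client IP,
# 192.168.5.200 is the OPNsense WAN address from the thread, 192.168.1.50/igb1 are assumed Pi/LAN values.
WAN_SAMPLE = """WAN
re0   15:24:16.042842 IP 198.51.100.7.43069 > 192.168.5.200.1195: UDP, length 54
WAN
re0   15:24:17.014133 IP 198.51.100.7.43069 > 192.168.5.200.1195: UDP, length 54
"""
LAN_FORWARDED = """LAN
igb1  15:24:16.042901 IP 198.51.100.7.43069 > 192.168.1.50.1195: UDP, length 54
LAN
igb1  15:24:16.043377 IP 192.168.1.50.1195 > 198.51.100.7.43069: UDP, length 66
"""
```

With the WAN sample and an empty LAN capture, as in the thread, `diagnose_forward` returns `nat_not_applied`, which points at the NAT rule itself rather than at the ISP router or the Pi.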