OpenVPN config files not working

[John Driessen]

Hi,

I have installed PfSense as a VM on Proxmox with 2 vmbr's. (By the way my machine is only equipped with one physical NIC.)
The gateway of the router is at 192.168.x.1. Proxmox has an IP of 192.168.x.21, my PfSense VM has a IP address of 192.168.x.70. (Which is set as the WAN IP of vmbr0)
The LAN IP range has been defined as 192.168.y.0/24 within PfSense an attached to vmbr1. (The VM's on the PfSense-LAN have 192.168.y.1 as gateway).
VM's on the y-net LAN can reach the internet.
My public IP address is a.b.c.d.
I have now configured an OpenVPN server in PfSense (via tab VPN -> OpenVPN). The CA,, server certificate and a user certifcatehave been created).
The tunnel network has been set-up as 192.168.z.0/24 and was not already in use.
With the VPN connection I want to reach (from remote) the 192.168.y.0/24 addresses. (Later on I want to add probably some 192.168.x.0/24 IPs)
I have exported the ovpn file via the VPN Client Export add-on in PfSense.
I tried to use the ovpn file on my mobile phone by importing it in the OpenVPN client.
But the connection cannot be established since the VPN wants to connect to the 192.168.x.70 IP address which is not my public IP.
Changing in the ovpn the "remote" statement to my public ip also does not work. (which I expected by the way)
Can someone tell me how I should configure OpenVPN correctly within PfSense to accomplish what I want.
Your help is appreciated!

 

[Lorenz.S]

Hello,

Without a network diagram it's a bit hard to wrap ones head around it, but have you thought of configuring a port forward at your public ip to the PFsense VM?

 

[John Driessen]

Hi,

I have attached a view on (a part of) my network map.
A port forward is needed indeed when trying to connect from outside. The problem in the first place is the fact the local WAN ip address 192.168.x.70 is not known on the internet, but a.b.c.d is.

 

[John Driessen]

internet router                                                                                           PC with Proxmox host         VMs (on "x")
public ip: a.b.c.d.     ===> Powerline adapter connected to router ===> Powerline adapter 2 ===> HUB ==>  192.168.x.21           ===>  192.168.x.50+
gateway 192.168.x.1     |                                                                            |    NIC enp1s0             |     on vmbr0
network: 192.168.x.0/24 |                                                                            |    (vmbr0)                |
(home)                  |                                                                            |                           |
                        |                                                                            |                           |                                                
                        |                                                                            |                           |      VM PfSense ("WAN")         VM PfSense ("LAN")            VMs (on "y")
                        |                                                                            |                           ===>   192.168.x.70         ===>  192.168.y.1 (gateway)   ===>  192.168.y.50+
                        |                                                                            |                                  vmbr0                      vmbr1                         vmbr1
                        |                                                                            |                                                             network: 192.168.y.0/24
                        |                                                                            |    Other PCs / Laptops
                        |                                                                            ===> 192.168.x.22+
                        |
                        |     Wifi via Router        Mobile phones
                        ===>  SSID             ===>  192.168.x.30+
                                               |
                                               |
                                               ===>  Wifi Devices / Laptops
                                                     192.168.x.40+

 

[Lorenz.S]

Thanks, this makes much more sense to me now

By "port forward" I mean [a.b.c.d]:1194 -> [192.168.x.70]:1194 on your internet router. So it would be possible to connect via [a.b.c.d]:1194 from outside and probably also from inside.

 

[John Driessen]

Hi Lorenz,

I already have a working separate VM running OpenVPN for which I indeed do a portforward of 1194 from a.b.c.d. to 192.168.x.6 (the IP of the OpenVPN-VM).
I however want to change from a separately running VM to the build-in PfSense OpenVPN.
The problem is in the configuration of PfSense-OpenVPN tabs. The external IP that is entered in the ovpn config-file by PfSense Client export is 192.168.x.70 (which is not a.b.c.d.). Therefore from outside I cannot reach the PfSense-VPN from outside (by the way I configured a different port for this VPN, say 1195). The portforward off 1195 has been defined as well.
So my question is in fact where in the PfSense OpenVPN configuration should I state the a.b.c.d, since this is reachable from the outside.

 

[Lorenz.S]

Oh... there was a small misunderstanding

The simplest (and possibly only?) solution would be to edit the remote <host> <port> statement in the exported client configuration file to match your needs. I don't think, that this is possible in the pfSense OpenVPN config, but who knows.

Regarding the OpenVPN client/server config, there is plenty of information online, e.g. the official reference manual

 

[John Driessen]

In my original post I stated I already tried that , but no luck.
I will check the official reference manual, I might find a solution there. Thx!