OVPN not working outside from mobile

The error is still there even if I put MTU 1300 in both the global settings and the .ovpn.
I'm proceeding with going further down with the MTU.

Check if you can ping IPFire and the NAS first; you might need to push your OpenVPN subnet and possibly other subnets if you use them, like the blue or the orange. Green should not need to be included in the push option. Do not forget to restart the server.

the strange thing is…
I can ping:
red (192.168.1.200)
green (192.168.2.1) but not the NAS (192.168.2.130). Same subnet…

In addition… the VPN connection is not stable… and after a ping from Termius it gets disconnected for a while.

After openvpn connection, no additional rule is needed to open the WUI from the green side.


OK, I delete the rule and try again.

Try to push the OpenVPN subnet.

Just to be sure, do a reboot.

Do you have additional firewall rules?
What is your OpenVPN subnet ?

Hi again
Status as of today:

  1. Disconnection → SOLVED. I changed the KeepAlive to 600-1800 and installed OpenVPN for Android.
  2. IPF restarted
  3. Push to 10.25.178.0/255.255.255.0 (OpenVPN subnet)
  4. I have different rules in place, but the relevant one is the one for the NAS:
    Source: STD network Any
    DNAT: automatically
    Destination: 192.168.2.130 port 4443
  5. I can ping all (RED, Green, NAS)

I can't get into the WebUI (444) or the NAS (4443).
My feeling is that I missed something.

Another question: how can I check the VPN traffic arriving in IPFire?
Thanks
vincenzo

This rule has no reason to be there unless you want to ssh to your NAS from the red interface. If you have OpenVPN, you want to get rid of this rule. You connect to OpenVPN and then you ssh to the NAS. It is way more secure.

The only firewall rule you need is on the FritzBox, to DNAT the traffic on port 1194 to the IPFire machine.

All the traffic visible to the kernel can be monitored in real time with tail -f /var/log/messages; Ctrl-C to exit.

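To act on that advice with something more targeted than tail -f alone, here is an added example that is not from the thread or from IPFire: a POSIX shell script that filters syslog lines for OpenVPN server events (connection, keepalive timeout, TLS failure) and reports the tunnel address OpenVPN handed to each client. The sample log is constructed; the hostname "ipfire", the syslog tag "openvpnserver", the PID, the client name and the addresses are assumptions, so adjust the tag to whatever your own /var/log/messages shows.

```shell
#!/bin/sh
# Added example, not code from the thread or from IPFire: classify OpenVPN
# server events in a syslog-style file such as /var/log/messages.
# The sample log below is constructed; the hostname "ipfire", the syslog tag
# "openvpnserver", the PID, client name and addresses are assumptions.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun  5 10:01:02 ipfire openvpnserver[1234]: 203.0.113.7:51822 TLS: Initial packet from [AF_INET]203.0.113.7:51822, sid=1a2b3c4d 5e6f7a8b
Jun  5 10:01:03 ipfire openvpnserver[1234]: 203.0.113.7:51822 [vincenzo-phone] Peer Connection Initiated with [AF_INET]203.0.113.7:51822
Jun  5 10:01:03 ipfire openvpnserver[1234]: vincenzo-phone/203.0.113.7:51822 MULTI_sva: pool returned IPv4=10.25.178.6, IPv6=(Not enabled)
Jun  5 10:02:15 ipfire sshd[2345]: Accepted publickey for root from 10.25.178.6 port 50022 ssh2
Jun  5 10:04:11 ipfire openvpnserver[1234]: vincenzo-phone/203.0.113.7:51822 [vincenzo-phone] Inactivity timeout (--ping-restart), restarting
Jun  5 10:04:11 ipfire openvpnserver[1234]: vincenzo-phone/203.0.113.7:51822 SIGUSR1[soft,ping-restart] received, client-instance restarting
Jun  5 10:06:00 ipfire openvpnserver[1234]: 198.51.100.9:40000 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
EOF

# Print one "timestamp|EVENT|peer" line per OpenVPN event of interest.
# Field 5 is the syslog tag, field 6 the peer ("ip:port" or "name/ip:port").
ovpn_events() {
    awk -v OFS='|' '
        $5 !~ /^openvpnserver\[/ { next }                # only the OpenVPN server process
        { ts = $1 " " $2 " " $3 }
        /Peer Connection Initiated/               { print ts, "CONNECT",      $6; next }
        /Inactivity timeout \(--ping-restart\)/   { print ts, "PING_TIMEOUT", $6; next }
        /TLS key negotiation failed to occur/     { print ts, "TLS_FAIL",     $6; next }
    ' "$1"
}

# Count events of one type, e.g.: ovpn_count /var/log/messages PING_TIMEOUT
ovpn_count() {
    ovpn_events "$1" | awk -F'|' -v e="$2" '$2 == e { n++ } END { print n + 0 }'
}

# Map each connected client name to the tunnel address the OpenVPN pool returned.
ovpn_assigned_ips() {
    awk '$5 ~ /^openvpnserver\[/ && /MULTI_sva: pool returned IPv4=/ {
        split($6, who, "/")                        # "name/ip:port" -> name
        for (i = 1; i <= NF; i++)
            if ($i ~ /^IPv4=/) { ip = substr($i, 6); sub(/,$/, "", ip) }
        print who[1], ip
    }' "$1"
}

ovpn_events "$SAMPLE_LOG"
ovpn_assigned_ips "$SAMPLE_LOG"
```

Run the functions against /var/log/messages on the firewall, or keep tail -f /var/log/messages | grep openvpnserver for the live view. A run of PING_TIMEOUT entries for one client is the symptom the keepalive change earlier in the thread was meant to stop; TLS_FAIL entries from addresses you do not recognise are the port 1194 forward on the FritzBox being probed from the Internet, which is expected once that port is exposed.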

Very good! The NAS is now reachable… Thanks!
What about the WebUI (444) then?

Same as for the NAS? Because up to now I have a rule:
Source: STD network Any
Destination: green
TCP 444

Yes, also that one is unnecessary.

OK

Thanks a lot for your support!
All the best
Vincenzo

Hi

again me…
I got rid of about 99% of my FW rules by using OpenVPN. That's good.
What I can't understand is the access to the IPFire WebUI (port 444).
I still log in to the page using the RED address and without VPN from the LAN.
I mean:
In the FritzBox → No rule except for the port forwarding to 1194 (VPN)
In IPFire… for the moment only port 222 for SSH.

What happens:
From red without VPN: works → NOT OK
From green without VPN: doesn't work → OK

From red with VPN: works → NOT OK
From green with VPN: works → OK

How can I get rid of the access from RED?
Thanks
Vincenzo

I don't know why… but now, after an IPFire reboot… it works as expected.