On Mon, 2011-12-12 at 12:20 +1300, Roger Searle wrote:
> I've put a pfsense install on an alix box - some [0]nice gear from the
> nice people at nicegear.co.nz - to replace an ipcop 1.4 box that was
> approaching 10 years old. On the LAN I have a Lucid LTS box running
> OpenVPN, previously I had UDP/1194 open on the IPCop box and on the DSL
> router, and could connect nicely.
>
> I'm not clear how (or if) I can do similar port forwarding on pfsense,
> seems to insist on being the OpenVPN server itself if I choose 1194,
> therefore use its certificate manager etc, effectively leading to
> abandoning a perfectly good OpenVPN service.
>
> Do others have an internal OpenVPN server working OK through pfsense?
> Is the right approach to use a different port inside the DSL router, for
> example, forward UDP/1194 from the internet to UDP/1195 on the pfsense
> WAN address, have a pfsense WAN rule for UDP/1195 and NAT port forward
> to the OpenVPN server's IP address, and have the server listen on 1195?
> This is what I am trying without success so perhaps I am overlooking
> something further or this is a bad approach, any feedback to resolve
> this would be appreciated. Clients attempting to connect give this in
> their log indicating the firewall blocking:
>
> Mon Dec 12 11:49:38 2011 TLS Error: TLS key negotiation failed to occur
> within 60 seconds (check your network connectivity)
> Mon Dec 12 11:49:38 2011 TLS Error: TLS handshake failed
>
> Regards
> Roger
>
> [0]https://nicegear.co.nz/single-board-computers/pc-engines-alix-2d3/
I'm no pfsense expert, but I do know a fair bit about OpenVPN. It's only custom to run OpenVPN on 1194/UDP. In fact, if you're trying to game the system, you can pretend it's ssh traffic and run it on 22/TCP (some network operators optimize that traffic). There's no problem running it listening on 1195/TCP or any other port for that matter... in fact it's a necessity when running multiple services.

That should stop pfsense taking over, although it does make some sense - and easier configuration - terminating it on the default route out of your local network... especially if connecting subnets.

hth,

Steve

BTW. I'm not sure you plugged Hads and NiceGear enough in your post...

--
Steve Holdoway BSc(Hons) MNZCS <[email protected]>
http://www.greengecko.co.nz
MSN: [email protected]
Skype: sholdowa
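The client log Roger quotes is the usual symptom when the forwarded port never delivers packets to the server, but the same two "TLS Error" lines also appear after tls-auth or certificate problems, so they alone do not prove the firewall is at fault. The following triage helper is an added example, not code from the thread or from the OpenVPN project: it scans an OpenVPN client log for the first stage-specific message and maps it to what a defender should check. The message texts are OpenVPN's own log strings; the sample logs below are constructed for this example (the first reuses the two lines from the thread), and the check lists are assumptions based on the forwarding chain Roger describes (DSL router 1194 -> pfSense WAN 1195 -> internal server 1195).

```python
"""Triage OpenVPN client connection failures from the client log.

Added example for the linux-users thread above; not part of the thread or
of OpenVPN. Rules are ordered so that a message proving the server was
reached outranks the generic "no reply" timeout that follows it.
"""
import re

# (pattern, stage, meaning). Patterns are OpenVPN's own log strings.
RULES = [
    (re.compile(r"Initialization Sequence Completed"), "connected",
     "tunnel established; nothing to fix"),
    (re.compile(r"AUTH_FAILED"), "auth",
     "server reached and TLS completed; credentials or auth script rejected"),
    (re.compile(r"VERIFY ERROR"), "certificate",
     "server reached; certificate chain check failed (CA, expiry, CN)"),
    (re.compile(r"cannot locate HMAC|packet HMAC authentication failed"), "tls-auth",
     "packets reach the server but tls-auth/tls-crypt key or key-direction differs"),
    (re.compile(r"TLS key negotiation failed to occur within \d+ seconds"), "no-reply",
     "no handshake reply at all: port/protocol, port forward, firewall rule or listener"),
]

# Assumed checklist for the forwarding chain in the thread (example content).
CHECKS = {
    "no-reply": (
        "DSL router forwards UDP/1194 to the pfSense WAN address on UDP/1195",
        "pfSense WAN rule passes UDP/1195 (a NAT port forward needs a matching pass rule)",
        "pfSense NAT forward sends UDP/1195 to the internal OpenVPN server",
        "server.conf has 'port 1195' and 'proto udp'; client uses 'remote <public> 1194 udp'",
        "tcpdump on the server: do packets arrive on UDP/1195 at all?",
    ),
    "tls-auth": ("same ta.key on both ends", "key-direction 0 on server, 1 on client"),
    "certificate": ("client CA matches the server's CA", "server cert not expired"),
    "auth": ("check the server's auth log for the rejected user",),
    "connected": (),
    "unknown": ("enable 'verb 4' on the client and retry",),
}

def classify_line(line):
    """Return (stage, meaning) for a log line, or None if it says nothing specific.
    'TLS Error: TLS handshake failed' follows nearly every failure, so it is ignored."""
    for pattern, stage, meaning in RULES:
        if pattern.search(line):
            return stage, meaning
    return None

def triage(log_text):
    """Return (stage, meaning, checks) for a whole client log.
    A successful connection anywhere in the log wins; otherwise the first
    stage-specific message decides, because the 60-second timeout only
    appears after whatever really went wrong."""
    hits = [h for h in (classify_line(l) for l in log_text.splitlines()) if h]
    for stage, meaning in hits:
        if stage == "connected":
            return stage, meaning, CHECKS[stage]
    if hits:
        stage, meaning = hits[0]
        return stage, meaning, CHECKS[stage]
    return "unknown", "no recognised OpenVPN error in log", CHECKS["unknown"]

# Constructed sample logs.
LOG_NO_REPLY = """\
Mon Dec 12 11:49:38 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Dec 12 11:49:38 2011 TLS Error: TLS handshake failed
"""

LOG_TLS_AUTH = """\
Mon Dec 12 11:48:40 2011 Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Dec 12 11:48:40 2011 TLS Error: incoming packet authentication failed from [AF_INET]203.0.113.10:1194
Mon Dec 12 11:49:38 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Dec 12 11:49:38 2011 TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    for name, log in (("no-reply sample", LOG_NO_REPLY), ("tls-auth sample", LOG_TLS_AUTH)):
        stage, meaning, checks = triage(log)
        print(f"{name}: {stage} - {meaning}")
        for c in checks:
            print(f"  - {c}")
```

Run against the log in the thread it reports "no-reply" with the forwarding checklist; feed it a log that contains HMAC errors before the timeout and it reports "tls-auth" instead, which is the distinction worth making before touching firewall rules.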
_______________________________________________
Linux-users mailing list
[email protected]
http://lists.canterbury.ac.nz/mailman/listinfo/linux-users
