PFSense + Teardrop (VPS) and OpenVPN

pete_c

Guru
I re-did my testing lab computer this morning.
 
The testing PFSense computer is a small footprint wall touchscreen with a dual NIC Jetway NF3A SBC and an added combo wireless bluetooth card.
 
Added an Atheros based dual BT / WLAN card which can be utilized as an AP.  With a second WLAN card I can make it a client to the CPE wireless interface.
 
Using a 32 GB mSATA card for running PFSense.
 
Works fine with 2 x Realtek RTL8111G Gigabit LAN with Enhanced Surge Protection NICs.  I have upgraded it to 8 GB.
 
Making a wireless client on new test box lets me use the CPE wirelessly.  
 
Console shows:
 
 

*** Welcome to Netgate pfSense Plus 22.01-RELEASE (amd64) on pfSense-test ***

 WAN (wan)       -> re1        -> 
 LAN (lan)       -> re0        -> v4: 192.168.1.1/24
 WAP (opt1)      -> rtwn0_wlan0 -> 
 WLANCLIENT (opt2) -> iwm0_wlan0 -> v4/DHCP4: 192.168.0.2/29

WAN interface is off.
WAP interface is off for the time being.
 
Showing T-Mobile CPE connection.
 
My IP Information:
ISP: T-Mobile USA Inc.
City: Chicago
Region: Illinois
Country: United States
 
This will work with the Starlink wireless and T-Mobile CPE connection.
 
I have also here disabled the firewall on the CPE and can connect directly to the T-Mobile network this way (bridge) but I cannot get to the web GUI.  I do see the internet using the IP Pass Route mode.  Will connect the WAN interface to this to see how it works.
 
 
 
 

pete_c

Guru
Update - 18th of May, 2022
 
Connected laptop to CPE Ethernet Interface and it does connect to the Internet using "bridged" mode.  The laptop is only getting an IPv6 address but no IPv4 address.
 
If I do a "what is my IP?" on the internet it shows both an IPv4 and IPv6 address.  Wireless on CPE works fine to the bridged interface but only getting an IPv6 address.  Interesting as I have hairpinning on.  When I go to the IPv4 address that I see on the WAN interface I get to the PFSense box.  I cannot get to the address via an outside internet connection (i.e. Xfinity).
 
Figuring out how to get PFSense working with only an IPv6 address from the CPE.
 
Update - 2
 
Next test will be connecting Linux Laptop to the Oracle VPN Server via the bridged CPE using SLAAC.
 
Then later connecting the test PFSense OpenVPN client to the Oracle OpenVPN Server.
 
Update - 3
 
Disabled failover T-Mobile CPE gateway on production PFSense box.  
 
Update - 4
 
Plugged the laptop ethernet cable to the CPE with the enabled bridge mode.
 
Using my Linux laptop doing a "what is my IP?"
 
I only see that it detects an IPv6 address and no IPv4 address.
 
IPv6: 2607:xxxx
IPv4: Not detected
 
ISP: T-Mobile USA Inc.
City: Los Angeles
Region: California
Country: United States
 
I have OpenVPN server running on a few PFSense boxes.
 
Tried 3 boxes and I cannot log in to said boxes.
 
This worked with the CPE not using bridge mode.
 
Tried the Oracle VPN server and could not connect with the CPE in bridge mode with only an IPv6 address.
 
Resetting the CPE to normal mode.
 
By default it comes up with an IPv4 Internet address and no IPv6 address.  I have to add IPv6 in the settings.  After a reboot see both IPv4 and IPv6 internet addresses in the CPE status.
 
Connected fine to the Oracle VPN server.
 
Today found out that if I use bridge mode on the CPE I only get an IPv6 address.  I can see the internet fine but cannot use the OpenVPN client.
 
Reading this tonight:
 
OpenVPN and IPv6
 
Next test, maybe tomorrow, is two VPN client connections from different internet IP addresses.
 
I have IPv6 running on the PFSense boxes configured with OpenVPN server.  I did not configure the OpenVPN servers to use IPv6.
 

pete_c

Guru
Update 6th of June, 2022
 
Busted my T-Mobile SIM card in half and ordered and replaced it last week.  

Tested LTE modem bridge mode. It works except it is only working with IPv6 as I get no IPv4 WAN address.
 
Tested OpenVPN clients to Oracle OpenVPN server client-to-client network connectivity, which works fine now.
 
Did a quickie overview drawing which will include routing tables et al soon.

Modded configuration of PFSense hardware to include a PFSense WAP and Client interface such that:

1 - hardware has 2 Gb NICs
2 - hardware has 1 WLAN client
3 - hardware has 1 BSD approved WAP / Bluetooth card (mini pcie)
 
 
 

Frunple

Active Member
If you're getting an IPv6 address, why are you still going through Oracle for the VPN?
CGNAT only uses IPv4. You should have total access to pfSense if it receives the public IPv6 address.
 

pete_c

Guru
The IPv6 address on the T-Mobile and Starlink networks is dynamic and changes all of the time (minutes and hours).
 
I cannot see the IPv6 address from the internet cuz it is only on T-Mobile's cloud.
 
I just wanted to test a direct bridged link to the WAN. The bridged link only shows an IPv6 address.
 
Interesting cuz it works with my laptop / PFSense directly connected to the bridged interface to the Internet.
 

JimS

Active Member
I didn't use my Oracle VPN server for a bit (a few weeks?) and they shut it down.  I still have the top level account but the OpenVPN server is gone and it's not at all clear how to set it up again.  And since I am past the 30 days of support I can't contact them to even check any details.  I haven't been able to find anything official stating the need for activity but pretty sure that's it.  They did send me an email before it was deleted but I used an email that I don't use for much and missed it.  Seems it might be easier to just start another account with a different email....
 
Glad to see cocoontech is back up.
 

pete_c

Guru
I got the same emails and keep testing it with a variety of clients.
 
Here I configured my laptops running Windows 11, laptops running Ubuntu and Android phones with the OpenVPN client to the Oracle OpenVPN server and keep testing this way.
 
Will be configuring the PFSense test box with the OpenVPN client in the next few days.    
 
Just logged in and it is working fine.  
What is my IP shows:
 
Decimal: xxx
Hostname: 129.xxx
ASN: xxx
ISP: Oracle Corporation
Services: Datacenter
Assignment: Likely Static IP
Country: United States
State/Region: Virginia
City: Ashburn
 
 
 

pete_c

Guru
8th of June, 2022
 
Totally rebuilt the test PFSense + box from scratch.  It was not providing me internet access.
 
I had enabled two WLAN interfaces and had played some with IPv6.
 
- now have internet access
- now connecting to Oracle OpenVPN server

What is not working is Internet access with the OpenVPN client connected to the Oracle OpenVPN server, which works fine on my directly connected testing clients.

All of the clients are using both IPv4 and IPv6, so reconfiguring the PFSense interfaces.

Here is a screen shot of the PFSense + OpenVPN client Wizard on the production PFSense + box and testing PFSense + box with the WAN VPN tunnel up.

Geez forgot to configure the firewall interfaces for OpenVPN, OpenVPN interface and WAN interface.

Now the Internet is working. Validated connection on the Oracle VPN server side.
 

pete_c

Guru
Update:  8th of July, 2022  1235 C time.
 
Now testing using the Oracle OpenVPN client on another computer to get to the PFSense box connected via OpenVPN to the Oracle OpenVPN server.

Configuration:
1 - running PFSense+ box on ISP#2 with OpenVPN client connected to Oracle OpenVPN Server
2 - Linux Ubuntu Laptop running OpenVPN client to Oracle VPN server.

Validated two VPN connections to the Oracle Cloud VPN server connecting to Oracle.
 
SSH first to the IP of the PFSense box in the Oracle cloud.  
 
Works!!!
 
Code:
Netgate pfSense Plus - Netgate Device ID: x

*** Welcome to Netgate pfSense Plus 22.01-RELEASE (amd64) on OracleTest ***

 WAN (wan)       -> re1        -> v4/DHCP4: x
 LAN (lan)       -> re0        -> v4: 192.168.1.1/24
 TEARDROP (opt1) -> ovpnc1     -> v4: 172.x

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + Netgate pfSense Plus tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

Enter an option: 0



Web interface also works fine.
 
Next to forward / route traffic to the LAN side of the PFSense box.
 
I only have another laptop connected.
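The relay the posts above build by hand (the pfSense box dialling out to the Oracle server, a laptop dialling in, then reaching the pfSense box and its LAN through the server), written out as an added example. This is not the thread's configuration and not the Oracle marketplace image; it is community OpenVPN on a Linux (Debian/Ubuntu) VPS. It also covers the bridged-CPE failure from the earlier posts: a server started with proto udp4 cannot be reached from a client that only holds an IPv6 address, whereas proto udp on OpenVPN 2.4 or later binds one dual-stack socket, provided the VPS itself has an IPv6 address and an AAAA record. Assumed, not from the thread: the file paths, the certificate CNs pfsense-home and laptop, the 10.8.0.0/24 tunnel network and the ens3 uplink; the pfSense LAN 192.168.1.0/24 is the one in the console output.

```shell
#!/bin/sh
# Added example, not the thread's own setup: community OpenVPN 2.4+ on a Linux
# (Debian/Ubuntu) VPS that both road-warrior clients and a pfSense box behind
# CGNAT dial into. Assumed, not from the thread: a PKI already built with
# easy-rsa under /etc/openvpn/server (ca.crt, server.crt, server.key, dh.pem,
# ta.key), the pfSense client's certificate CN "pfsense-home", a road-warrior
# CN "laptop", the tunnel network 10.8.0.0/24 and the VPS uplink ens3. The
# pfSense LAN 192.168.1.0/24 is the one shown in the thread's console output.
set -eu

TUN_NET="10.8.0.0"; TUN_MASK="255.255.255.0"
HOME_LAN="192.168.1.0"; HOME_MASK="255.255.255.0"
PFSENSE_CN="pfsense-home"; LAPTOP_CN="laptop"

# Write server.conf plus per-client files into DIR.
# "proto udp" (not "udp4") makes OpenVPN 2.4+ bind one dual-stack socket, so a
# client that only has an IPv6 address, the bridged-CPE case in the thread, can
# connect as long as the VPS itself has an IPv6 address and an AAAA record.
# "multihome" answers from the address a packet arrived on.
write_server_conf() {
    dir="$1"
    mkdir -p "$dir/ccd"
    cat > "$dir/server.conf" <<EOF
port 1194
proto udp
multihome
dev tun
topology subnet
server $TUN_NET $TUN_MASK
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
# kernel route for the pfSense LAN, pointing into the tunnel
route $HOME_LAN $HOME_MASK
# only clients with a file in ccd/ may connect
client-config-dir ccd
ccd-exclusive
# no "client-to-client": client traffic is then forwarded by the kernel
# and can be filtered with iptables (see apply_forwarding)
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
status openvpn-status.log
verb 3
EOF
    # iroute tells OpenVPN which connected client owns 192.168.1.0/24; the
    # "route" line above only tells the kernel to hand such packets to tun0.
    printf 'iroute %s %s\n' "$HOME_LAN" "$HOME_MASK" > "$dir/ccd/$PFSENSE_CN"
    # The LAN route is pushed per client, not globally, so pfSense is never
    # told to route its own LAN into the tunnel.
    printf 'push "route %s %s"\n' "$HOME_LAN" "$HOME_MASK" > "$dir/ccd/$LAPTOP_CN"
}

# Forwarding rules for the apply path: tunnel clients may reach the internet
# (NATed out of the uplink) and the pfSense LAN, nothing else inside the tunnel.
apply_forwarding() {
    uplink="$1"
    sysctl -w net.ipv4.ip_forward=1
    iptables -A FORWARD -i tun0 -o "$uplink" -j ACCEPT
    iptables -A FORWARD -i "$uplink" -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i tun0 -o tun0 -d "$HOME_LAN/24" -j ACCEPT
    iptables -A FORWARD -i tun0 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i tun0 -o tun0 -j DROP
    iptables -t nat -A POSTROUTING -s "$TUN_NET/24" -o "$uplink" -j MASQUERADE
}

# Run as root on the VPS:  sh openvpn-relay.sh apply ens3
case "${1:-}" in
    apply)
        write_server_conf /etc/openvpn/server
        apply_forwarding "${2:-ens3}"
        systemctl enable --now openvpn-server@server
        ;;
esac
```

Two pfSense-side points follow from the "forgot to configure the firewall" post above: the pfSense box needs a pass rule on its OpenVPN (here TEARDROP) interface for traffic from 10.8.0.0/24 to the LAN, or forwarded packets die there, and it must not receive a pushed route for its own LAN, which is why the push sits in the laptop's ccd file rather than in the global config. As with any cloud instance, both the host firewall and the Oracle VCN security list need an ingress rule for UDP 1194 before any client can reach the server at all.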
 
 
 

pete_c

Guru
Status: Sunday 12th of June, 2022
 
Got an email that my free subscription was up.  Last time I saw this email just logged in to the cloud and all was fine.
 
This time logged in to the cloud and saw that my OpenVPN server instance was off and I could no longer VPN to it.
 
The instance is still configured and mentions that I have to contact support to enable it again.
 
Weird cuz I left the PFSense box connected to it.  (well until I saw the email).
 

vc1234

Active Member
Am I missing something ?
 
Why do you need Oracle VPS as a middleman?  Why not connect directly to your router openvpn server ?
 
Thx.
 

vc1234

Active Member
pete_c said:
Because it never sees the PFSense Router / OpenVPN server from the Internet.
Not sure I understand.  What does not see your home router from the Internet ?  You can directly connect to your home network from the Internet, as I am sure you know, Why introduce a middleman ?
 
Sorry for the late reaction to your response.
 

Frunple

Active Member
Look up CGNAT if you're not familiar.
Although I think the whole trial is kinda a waste too. Just use WireGuard and be done with it.
But it's probably just something to play with I'm guessing
 

vc1234

Active Member
Frunple said:
Look up CGNAT if you're not familiar.
Although I think the whole trial is kinda a waste too. Just use WireGuard and be done with it.
But it's probably just something to play with I'm guessing
Ok, thanks.  I had no idea it even existed.  I've used Comcast/Xfinity for 20? years, at different locations and always was granted a semi-permanent public IP easily accessible from the Internet.
 
I use Digital Ocean for different purposes, so it looks easy to set up a bypass if need be:
 
https://github.com/mochman/Bypass_CGNAT
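The Bypass_CGNAT pattern Frunple and vc1234 point at, as an added example that is neither the thread's setup nor the linked repository's script: the router behind CGNAT keeps a WireGuard tunnel up to the VPS, and the VPS DNATs the public ports you choose down that tunnel, so the home OpenVPN server becomes reachable at the VPS address. Assumed, not from the thread: the 10.99.0.0/24 tunnel network (VPS .1, home router .2), the eth0 uplink, UDP 51820 for WireGuard, and UDP 1194 (the home pfSense OpenVPN server) as the one forwarded service.

```shell
#!/bin/sh
# Added example, not the thread's setup and not the mochman/Bypass_CGNAT script:
# a WireGuard tunnel from a router behind CGNAT out to a VPS with a public IPv4,
# where the VPS forwards selected public ports down the tunnel. Assumed, not
# from the thread: tunnel network 10.99.0.0/24 (VPS .1, home router .2), the
# VPS uplink eth0, WireGuard on UDP 51820, and one forwarded service, the home
# pfSense OpenVPN server on UDP 1194.
set -eu

VPS_WG_IP="10.99.0.1"; HOME_WG_IP="10.99.0.2"; WG_PORT=51820
FORWARD_PORTS="1194/udp"     # space-separated port/proto list

# VPS wg0.conf. PostUp/PostDown carry the NAT rules so they live and die with
# the interface. DNAT sends traffic hitting the public port to the home router;
# MASQUERADE on wg0 rewrites the source to 10.99.0.1, so the home side answers
# through the tunnel with no policy routing (the cost: the home side logs
# 10.99.0.1, not the real client address).
write_vps_conf() {
    out="$1"; vps_priv="$2"; home_pub="$3"; uplink="$4"
    rules=""
    for p in $FORWARD_PORTS; do
        port=${p%/*}; proto=${p#*/}
        rules="$rules
PostUp = iptables -t nat -A PREROUTING -i $uplink -p $proto --dport $port -j DNAT --to-destination $HOME_WG_IP
PostUp = iptables -A FORWARD -i $uplink -o %i -p $proto -d $HOME_WG_IP --dport $port -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i $uplink -p $proto --dport $port -j DNAT --to-destination $HOME_WG_IP
PostDown = iptables -D FORWARD -i $uplink -o %i -p $proto -d $HOME_WG_IP --dport $port -j ACCEPT"
    done
    cat > "$out" <<EOF
[Interface]
Address = $VPS_WG_IP/24
ListenPort = $WG_PORT
PrivateKey = $vps_priv
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A POSTROUTING -o %i -j MASQUERADE
PostUp = iptables -A FORWARD -i %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT$rules

[Peer]
# the home router; WireGuard drops anything from it not sourced from this /32
PublicKey = $home_pub
AllowedIPs = $HOME_WG_IP/32
EOF
}

# Home-side wg0.conf in wg-quick syntax (on pfSense the same values go into the
# WireGuard package). No ListenPort: the home side always initiates, and the
# keepalive holds the CGNAT mapping open so the VPS can send down the tunnel.
write_home_conf() {
    out="$1"; home_priv="$2"; vps_pub="$3"; vps_public_ip="$4"
    cat > "$out" <<EOF
[Interface]
Address = $HOME_WG_IP/24
PrivateKey = $home_priv

[Peer]
PublicKey = $vps_pub
Endpoint = $vps_public_ip:$WG_PORT
# Only the VPS tunnel address, so this never becomes a default route. It also
# matches the MASQUERADEd source of forwarded traffic, which is why that NAT
# is needed on the VPS side.
AllowedIPs = $VPS_WG_IP/32
PersistentKeepalive = 25
EOF
}

# VPS side as root, after the home side has generated its key pair:
#   sh wg-bypass.sh vps <home-public-key> eth0
# The printed public key goes into the home peer entry.
case "${1:-}" in
    vps)
        umask 077
        [ -f /etc/wireguard/vps.key ] || wg genkey > /etc/wireguard/vps.key
        write_vps_conf /etc/wireguard/wg0.conf "$(cat /etc/wireguard/vps.key)" "$2" "${3:-eth0}"
        wg pubkey < /etc/wireguard/vps.key
        systemctl enable --now wg-quick@wg0
        ;;
esac
```

Generate the home key pair with wg genkey and wg pubkey on the home side (or let the pfSense WireGuard package generate it), run the vps branch with the home public key, and paste the printed VPS public key into the home peer entry. Only the tunnel's own /32 appears in each AllowedIPs, so neither side's default route moves, and the MASQUERADE on the VPS is what makes forwarded traffic fit the home side's AllowedIPs. As with the OpenVPN case, the VPS host firewall and the cloud security list must admit UDP 51820 and each forwarded port, and the pfSense WireGuard interface needs a pass rule for the forwarded traffic.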
 