Has a VPN stopped working for your client?
In this work from home (WFH) environment, most workers have had to connect remotely into their places of work to continue their jobs. We at the ACTS Group have set up our clients to work on their church networks using OpenVPN clients connecting to pfSense firewalls. This solution has proven very effective, efficient and easy to teach to our clients. A VPN connection is generally a set-it-up-once-and-it-runs task: unless the church's IP address or configuration changes, the VPN will be solid. Having said that, has your VPN ever stopped working? This article will walk through how to troubleshoot a VPN that will not connect.
There are some basic questions to ask when looking at the VPN connection that will not connect. Does the user have access to the Internet? Is the OpenVPN app up to date, or on a revision within a year of the current release? Can the client PING the firewall WAN interface? Can a tracert complete to the firewall WAN interface? Has anything changed on the client network trying to make the connection? What does the client OpenVPN log say? What do the pfSense firewall logs say?
These questions will generally reveal 99% of the reasons why a VPN will not connect; however, I recently found myself in a situation with a church staff member whose VPN suddenly would not connect after working fine for 7 months. I took the opportunity to install the newest OpenVPN release, ensured it was set to run as administrator, checked the user's VPN config on my own VPN (it worked), and disabled his newly installed AV/firewall software just to be sure that was not the cause of the blocked connection. The OpenVPN log showed that the TLS tunnel creation would time out and then retry. When I asked the client whether anything had changed before the VPN stopped connecting, he mentioned that the only change was that Comcast had come out and replaced/upgraded the modem he uses at his home. I thought surely this difference must be the cause, but I found nothing in the Comcast modem that would prevent or hinder VPN connections.
When I tried to ping the church's WAN interface on the pfSense, it returned "request timed out." A tracert to the WAN IP showed normal latency from hop to hop and completed successfully. A second ping to the WAN IP showed "reply…", indicating connectivity. I immediately retried the VPN connection, and it failed; I retried the ping, which again timed out. The firewall appeared to be blocking the client's home IP, albeit not consistently; but why would pfSense start blocking the IP after months of no issues? As a test to see whether the firewall was blocking the client's home IP address, I temporarily added the client's home IP to the admin group and was able to establish the VPN with no issue. I then removed the client's IP from the admin group in the pfSense and monitored the firewall logs as the client tried to make a connection. The connection was successful, but why? Possibly a reboot of the firewall is needed to clear the admin permissions on the client's IP.
In order to prevent pfSense from blocking the client's IP, monitor the pfSense firewall log (System Logs, Firewall tab) and watch the Source column for blocked connection attempts. When you see the client's IP address, click the blue + sign next to the IP address to create an Easy Rule that allows the connection.
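As an added example (not code from the ACTS Group article), the script below automates the last two checks from the question list: it counts the TLS-timeout retries in the OpenVPN client log and then looks in the pfSense firewall log for inbound UDP/1194 blocks from the client's home IP, which is exactly the pairing that pointed at the firewall in the case above. The log lines are constructed, and the filterlog field layout (pfSense 2.2+ CSV format) is an assumption you should confirm against your own firewall's output.

```python
"""Correlate OpenVPN client TLS timeouts with pfSense filterlog blocks for one source IP."""
import re

# Constructed OpenVPN client log excerpt showing the timeout/retry symptom.
OPENVPN_LOG = """\
2021-03-02 09:14:05 UDP link remote: [AF_INET]198.51.100.2:1194
2021-03-02 09:15:05 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021-03-02 09:15:05 TLS Error: TLS handshake failed
2021-03-02 09:15:05 SIGUSR1[soft,tls-error] received, process restarting
"""

# Constructed pfSense filterlog excerpt (assumed 2.2+ layout): rule,subrule,anchor,tracker,
# iface,reason,action,direction,ipver,tos,ecn,ttl,id,offset,flags,proto-id,proto,length,
# src,dst, then for udp: sport,dport,datalen.  203.0.113.5 is the client's home IP.
FILTERLOG = """\
Mar  2 09:14:05 pfSense filterlog[2412]: 5,,,1000000103,em0,match,block,in,4,0x0,,51,4021,0,none,17,udp,82,203.0.113.5,198.51.100.2,61122,1194,62
Mar  2 09:14:09 pfSense filterlog[2412]: 99,,,1595000001,em0,match,pass,in,4,0x0,,53,1182,0,none,17,udp,82,192.0.2.77,198.51.100.2,40012,1194,62
"""

TLS_TIMEOUT = re.compile(r"TLS key negotiation failed to occur within \d+ seconds")

def openvpn_tls_timeouts(log_text):
    """Count TLS-timeout retries in the client log (the symptom, not the cause)."""
    return sum(1 for line in log_text.splitlines() if TLS_TIMEOUT.search(line))

def parse_filterlog(line):
    """Return the CSV fields of a filterlog syslog line, or None for other lines."""
    m = re.search(r"filterlog\[\d+\]: (.*)$", line)
    return m.group(1).split(",") if m else None

def blocked_vpn_attempts(filterlog_text, client_ip, vpn_port=1194):
    """List (rule tracker, src, dport) for inbound IPv4 UDP blocks from client_ip to the VPN port."""
    hits = []
    for line in filterlog_text.splitlines():
        f = parse_filterlog(line)
        if not f or len(f) < 22 or f[8] != "4":   # skip non-filterlog and IPv6 entries
            continue
        action, direction, proto, src, dport = f[6], f[7], f[16], f[18], f[21]
        if (action, direction, proto, src, dport) == ("block", "in", "udp", client_ip, str(vpn_port)):
            hits.append((f[3], src, int(dport)))
    return hits

def diagnose(openvpn_log, filterlog_text, client_ip):
    """Combine both logs into a one-line verdict for the troubleshooter."""
    timeouts = openvpn_tls_timeouts(openvpn_log)
    blocks = blocked_vpn_attempts(filterlog_text, client_ip)
    if timeouts and blocks:
        return f"firewall-block: {len(blocks)} UDP/1194 block(s) from {client_ip}, rule tracker {blocks[0][0]}"
    if timeouts:
        return "tls-timeout-no-block: check the ISP/modem path, a changed WAN IP, or client-side AV/firewall"
    return "no-tls-timeout: look at auth, client config, or certificates instead"

if __name__ == "__main__":
    print(diagnose(OPENVPN_LOG, FILTERLOG, "203.0.113.5"))
```

The rule tracker ID in the verdict is the value to search for in the pfSense rule list to see which rule produced the block before creating the Easy Rule.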