• Management interface via TCP

    @jimp:

    It's more accurate to say:

    You can't effectively override the management behavior.

    However, if you can't, that's a bug in OpenVPN, not a bug in our config

    […]

    If you add a second management line (via advanced options) and it ignores your IP or port, that's OpenVPN misinterpreting your config. It will typically just take the last line that matches. If it's adding them together it's inconsistent.

    Thank you Jimp! Now this becomes clearer: OpenVPN apparently starts treating everything in any management directive as a Unix domain socket, as soon as this mode is activated once. I'll report this inconsistency to OpenVPN. Maybe a fix can make it into the upcoming 2.3!

    @jimp:

    ncat -l -k -p 5001 -c 'nc -U /var/etc/openvpn/server1.sock'

    I wrote a plugin that reads the openvpn status php.
    Gave me some ideas, I'll work more on this when I have time.

    Thanks again!
    Chris

  • Openvpn with XP client, no route?

    @Nachtfalke:

    You run the OpenVPN client as a user with admin rights?

    The Windows client - does it allow connections/pings from other hosts on other subnets? Try disabling the firewall on the client.
    Add an "any to any" firewall rule on the pfsense firewall OpenVPN tab.

    For better troubleshooting, I connected using a Linux laptop, I think I see the route problem:

    The LAN I'm connecting to is 192.168.2.0, client PTP is 192.168.11.5, client IP is 192.168.11.6

    From the Linux laptop connected this is the "route" output:

    Destination     Gateway          Genmask          Flags  Metric  Ref  Use  Iface
    192.168.11.5    *                255.255.255.255  UH     0       0    0    tun0
    192.168.11.1    192.168.11.5     255.255.255.255  UGH    0       0    0    tun0
    192.168.11.0    192.168.11.5     255.255.255.0    UG     0       0    0    tun0    < wrong ??
    192.168.1.0     *                255.255.255.0    U      303     0    0    eth1
    loopback        *                255.0.0.0        U      0       0    0    lo
    default         Wireless_Broadb  0.0.0.0          UG     303     0    0    eth1

    I think the 'wrong' line should be:
    192.168.2.0     192.168.11.5     255.255.255.0    UG     0       0    0    tun0

    So if I type the command:
    route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.11.5

    Now it works, I can ping the firewall which is 192.168.2.6 and other machines on the LAN 192.168.2.0

    So, is that line wrong?  If so, what can I do?  Or am I completely on the wrong track here?

    Julien

    OK everyone, never mind.  I just looked at my advanced options and I had 192.168.2.11 and the route being pushed.
    I changed it to: push "route 192.168.2.0 255.255.255.0";  and now it works.

    So I'm thinking, the Local Network has to be blank and the "Advance Configuration" has to have a push?

  • TLS-tunnel as interface and acting as server simultaneously in 2.0.1?


    @jimp:

    It should all work fine though with that redirect-gateway def1 on there it may be doing something funny like sending traffic back via that other tunnel instead of directly.

    I have now double checked this and here are my findings.

    What I need to be able to do before it's working for my needs is all of the below:

    a. tunnel working for outbound traffic
    b. tunnel being able to handle directing outbound traffic via fw rules (policy routing)
    c. tunnel being able to accept incoming traffic, just like the WAN,
      being able to run an SMTP service behind the tunnel for instance. This means you can
      (must) add port forwards and fw rules.

    I have ordered and set up a test tunnel.

    (I'm skipping most of the setup stuff)

    I disable/enable client config, triggering the tunnel to be set up.

    These routing entries are added:

    0.0.0.0/1      10.8.6.245  UGS  0  13  1500   ovpnc3 =>
    10.8.6.241/32  10.8.6.245  UGS  0  11  1500   ovpnc3
    10.8.6.245     link#15     UH   0   0  1500   ovpnc3
    10.8.6.246     link#15     UHS  0   0  16384  lo0
    128.0.0.0/1    10.8.6.245  UGS  0  33  1500   ovpnc3

    My local IP is 10.8.6.246
    Tunnel remote endpoint is 10.8.6.245
    Tunnel GW is 10.8.6.241

    I am unsure whether the advice given on the forum to choose the type of GW to "none" is the most correct one. I think I got it working using that setting though.

    I rather quickly got outbound traffic working but inbound seems more uncertain than in 1.2.3, at least that's my assertion right now.

    I have set up (as I did on 1.2.3) a GW with static IP, 10.8.6.246 in this case.

    So basically what you do is look at the pushed info from the server side and add the local IP as the static IP address.

    openvpn[14144]: PUSH: Received control message: 'PUSH_REPLY,route-delay 2,route-metric 1,dhcp-option DNS n1.nn.nn.nn,dhcp-option DNS n2.nn.nn.nn,route 10.8.6.241,topology net30,ping 10,ping-restart 60,ifconfig 10.8.6.246 10.8.6.245'

    NOW: pinging in from the outside works. And connecting to a mail server works.
    NOTE: I have now NOT removed the routing entries being added.

    However now all PCs are being pushed through the tunnel.

    I now add an explicit rule forcing this one PC I'm testing on, to use the default GW instead, I even reset states to be sure. It still is pushed through the tunnel. The fw rule is not having any effect.

    The only way I can get the fw rules to do their job is to remove the first and last entries above.

    NOW: I remove the route entries. I don't reset states.

    EFFECTS ARE:
    1. policy routing now immediately starts working. I can force the PC by fw rules to use EITHER default or strongvpn gw
    2. Inbound traffic stops working. All of a sudden I can't ping in or reach the mail server.

    I don't really see the logic in "2" happening here.

    Just to test it I reset states. No different. I don't restart (can seldom restart this machine on the fly due to other users).

    The "2" from above is AFAICT different from 1.2.3. I used this exact procedure to get all of a/b/c above working, but seem not to be able to do so in 2.0.1.

    So, it looks like it's either:
    1. all outbound traffic through tunnel and inbound traffic working
    OR
    2. policy routing enabled for outbound traffic and no inbound traffic

    INBOUND traffic above is referring to traffic INITIATED from the outside.

    I'm hoping I'm missing something here and it's possible to get it working in 2.0.1. I do know that all these features were working in my 1.2.3 setup.

  • Using only one client certificate for multiple users?

    jimp:

    If you select the duplicate option, that will work. It's a bad idea though, if the certificate is ever compromised you'll have to reissue clients to everyone instead of just sticking the compromised certificate in a CRL.

  • Network layer2 bridging

    jimp:

    Please do not cross-post (post the same thing in multiple boards). If you don't know where your topic belongs, use a general category instead of a specific one.

  • OpenVPN behind firewall with one NIC, is it possible?

    Yes, it's possible as you describe.

  • OpenVPN "remote access" vs "peer to peer"

    Thanks…

  • Split routing to an OpenVPN tunnel

    jimp:

    Unfortunately there isn't a way to do that by web site. You could do it by subnet/IP address but sites like that use so many different addresses and CDNs that it's impossible to specify them in any definitive fashion.

  • Problems with OpenVPN Export Utility

    I should have replied back to let everyone know, I fixed this with the above solution a couple of days ago.

    The one thing I will tell you, is that if you rely on a firewall to access the machine you will be in deep trouble if you reboot it.

    If you ever come across this problem you need to fix it before you restart the machine.

  • Openvpn, openldap and certificates

    jimp:

    Correct, and if you check the box for strict user/CN matching then they can't get in unless the CN of their certificate matches their auth username.

  • OpenVPN Site to Site, only access from server side

    @emil92:

    (…)
    PS: I am curious if you know if I will have a problem routing all the other Sats to each other so they can communicate directly with each other? Maybe that function is not possible in OpenVPN.
    Maybe I have to open a server on each client and connect another client to that one so I create a complete circle.

    And last, thank you for your help.

    This can be done with OpenVPN. Every client must have the iroute command for the subnet(s) behind it.
    The rest can be done by the OpenVPN server:
    For example:

    You have
    Server A Subnet
    Client B Subnet
    Client C Subnet

    First:
    Client C needs the iroute command for Subnet C
    Client B needs the iroute command for Subnet B

    Second:
    Client B needs to know the route to Subnet C
    Client C needs to know the route to Subnet B
    You can do this by adding this route on every client - but this is complex when you have many sites. So you can do this from the server side:

    On OpenVPN server:
    Add a route to client C subnet
    Add a route to client B subnet
    Client specific override:
    For client C add the route to subnet B
    For client B add the route to subnet C

    So clients on subnet B can communicate through OpenVPN with clients on subnet C. But of course - the traffic is going from subnet B to server A and from server A to subnet C. There is no "direct" connection between B and C.

    So when you configure this just think about:
    Should the network behind this endpoint be reachable via OpenVPN? Then use the "iroute" command.
    Which networks do I want to reach? Use the "route" command.

    If you do this from every VPN endpoint then it will probably work.

    Firewall rules:
    First and best thing is to:

    Allow "any to any" on the OpenVPN firewall tab. Allow traffic from your LAN to ALL OpenVPN subnets (tunnel network) and the networks behind the other VPN clients (the networks for which you used the "iroute" command).
    So better allow too much the first time to check and make sure that it is working. Disable the Windows firewall on the destination host to make sure that pinging is allowed. If all routing is OK, try to shrink the firewall rules.

  • OpenVPN + CARP + MultiWAN

    jimp:

    With UDP on multi-WAN, the return traffic will follow the default route when bound to "any", it has nothing to do with CARP.

    The usual fix is to bind the OpenVPN instance to the LAN address and add port forwards from each WAN into the LAN IP on the OpenVPN port. Works just fine that way.

  • OSPF metric help

    jimp:

    The OpenOSPFd package is a bit broken these days, you might give my Quagga-OSPF package a spin (after removing OpenOSPFD), settings are essentially the same between them, but Quagga appears to work much better with FreeBSD's routing tables, whereas OpenOSPFD still seems to assume it's working on OpenBSD even when running on FreeBSD…

  • One client connects perfectly… other does not

    SOLVED!!

    Awesome. I'm really excited about this. In order to resolve this issue, I first completely uninstalled OpenVPN from my laptop (again). I then created a new user on the firewall. I made a cert for this user as well. Then, and this is the big difference… I exported the Windows installer instead of the files themselves. I emailed that to myself and downloaded it to my laptop. I installed it, and noticed that it installed TAP 0901...

    I tried to log in and it worked. I then tried to access my other computers, and it worked flawlessly. I hope this helps someone else out in the future!

  • Can't install OpenVPN Client Export Utility

    Hi. I was experiencing this same issue. I was looking up resolutions and came across this post: http://forum.pfsense.org/index.php/topic,45600.0.html

    I then switched around my DNS servers, which were:
    DNS1 4.2.2.2
    DNS2 8.8.8.8

    to

    DNS1 8.8.8.8
    DNS2 4.2.2.2

    and I checked the box labeled "Allow DNS server list to be overridden by DHCP/PPP on WAN" on the same configuration page.

    and it allowed me to download.

  • OpenVPN TAP client interferes with Online Gaming

    No one has replied
  • OpenVPN TAP Interface is up, but…

    @marvosa:

    I'm not sure if this is only generated for routed setups, but under VPN -> OpenVPN, in the Tunnel Settings section, there is an option for Inter-client communication with a check box labeled "Allow communication between clients connected to this server".  If it's there, check it.

    Otherwise, it looks like the switch for inter-client communication generates a server option labeled:

    client-to-client

    you can try adding that to your advanced config box.

    Also, make sure it's not just the software firewall blocking ICMP.

    That was exactly the problem. I was just logging in to post that the problem is solved!

    The only weird quirk now is that Clients can't see games that I host, but I can see theirs.  Time for more testing! :D

  • Site to lan

    Sorry I explained badly.

    The problem was the default gateway of the server (192.168.20.2), which is on the same network interface as the LAN (192.168.20.1) of the pfSense server. The default gateway is now another address, 192.168.20.1. Now the client that connects to pfSense through OpenVPN can see the server (192.168.20.2).

    Now the problem is the inverse: from the server 192.168.20.2, which has as default gateway the private address of the pfSense server (192.168.20.1), I can't ping addresses outside the pfSense server.

    How do I retrieve the configuration to be put on the forum ?

    Thanks, Cesare

  • Export OpenVPN Configuration

    @Nachtfalke:

    Users and certificates are stored in the config.xml file. So if the hardware was the only issue to change you only had to copy the config.

    Ah, that's great to know. Thanks!

  • Connect my VM's to my local network

    Thanks all for the replies,

    I used this link to install and config Openvpn client in my Centos servers http://www.techrepublic.com/blog/opensource/how-to-set-up-a-linux-openvpn-client/1894
    After that I got my client config files from "export client" and the CA file and put them on my CentOS server. Also, I disabled the firewall on my CentOS, then I ran Client.conf. This message appeared:

    openvpn client.conf
    Wed Mar  7 04:23:45 2012 OpenVPN 2.1.4 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Apr 24 2011
    Wed Mar  7 04:23:45 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Wed Mar  7 04:23:45 2012 Cannot load private key file jrcfw01-udp-2198-tls.key: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
    Wed Mar  7 04:23:45 2012 Error: private key password verification failed
    Wed Mar  7 04:23:45 2012 Exiting

    Any new suggestions?
    thanks.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.