Netgate Discussion Forum

Pfsense connected to win 2k3 openvpn server

Category: OpenVPN. 11 Posts, 3 Posters.
IMA_Redneck:

I am working on a problem for a remote location. At the home office we have a Win 2k3 server running OpenVPN in TLS server mode. The server is running on a tap interface, not tun. I am trying to configure pfSense to act as a client so we don't have to run individual clients on each PC at the remote location. So far I have been able to get the tunnel to connect and can ping the server from the console, but can't seem to get the PCs to communicate with the server. Anyone have any ideas on where I have messed up the config?

Here is the breakdown:

- Win 2k4 server running OpenVPN on a 10.10.1.0/24 subnet
- pfSense running 192.168.2.0/24 LAN subnet
- OpenVPN client
  - protocol: udp
  - auth: PKI
  - custom options: dev tap
- created interface tap0 and enabled it

      I need to route any requests for the 10.10.1.0 subnet through the OpenVPN tunnel so users can access the server.

      Any help would be greatly appreciated.
      Thanks
      David

Hotel:

I am having a similar issue with a similar scenario. I have a Windows 2k3 server behind a pfSense box at my office, and at a client location I am trying to use the pfSense OpenVPN client to access the remote network. I can get the VPN to connect (initialized sequence completed, etc.) but I cannot ping anything on the remote side.

        Setup

        Office
        2k3 server with pool of 10.8.0.0/24 pushing route to 192.168.6.0/24 which is the actual LAN Subnet

        Remote
        pfSense with local LAN subnet of 192.168.11.0/24

I'm using tun for the interface because Windows bridging sucks terribly.

I put a custom string on the OpenVPN server page of "float;tls-client;route-delay 2;verb 4;pull;ns-cert-type server" and my luck was better as far as logs go, lol :( ... the tls-client line might be the key for you.

IMA_Redneck:

In what directory does pfSense keep the actual OpenVPN config file? Maybe if I looked at it directly I could find the problem. Also, you can use a TAP connection without truly bridging. We have used it successfully on Windows boxes, allowing users to connect to the server and map drives just like they were on the same subnet as the LAN even though they are not on the same subnet.

Hotel:

Yeah, I chose tun because the only traffic I want going through is for my remote phone users. I have a pfSense box (v1.0.1 stable) in the office with a 2k3 server behind it running OpenVPN and Asterisk (VoIP server), so there is nothing to map as far as drives go. The only thing I connect to my office is the softphone my remote clients use.

TUN seems to be more compatible with OVPN, but if you want to take a look at the config file it's in the /var/etc directory. I made changes to it manually and once I rebooted the router the changes were erased.

I played with this all night last night and was able to ping from the console and not the GUI, so our problems are almost the same except for the tun/tap differences, which I think are irrelevant. It basically looks like the tun0 (or in your case the tap0) interface is not passing the traffic to the LAN side of the router. It's strange: I can ping from the console, but in the webGUI I am unable to ping my remote subnet using WAN or LAN.

From my experience using OpenVPN I have seen the smallest of things cause compatibility issues. Like when I started testing Vista I had hell trying to connect it, but it was only because of two lines in the server.ovpn file that made the difference. I'm sure there is some sort of compatibility issue here. BTW, in order to add anything to the OVPN client config on pfSense you have to put it in the custom command field under LZO compression, otherwise your manual editing will be overwritten upon reboot or on saving the config with a change.

I will keep trying tonight... maybe we can work together on this and make it work?

Hotel:

              Sorry I wanted to ask you one more thing.

              What version of OpenVPN are you running on your 2K3 server?

I'm using 2.0.9.

IMA_Redneck:

Same here, 2.0.9 on 2k3 Standard. I have the same problem... can ping through the tunnel from the console but not the GUI. Anybody have any ideas?

Hotel:

There has to be a line we need to add to route the pool address to the LAN interface... that's where the problem seems to rest.

Hotel:

I know this question isn't entirely related to what we're doing, but since you seem pretty knowledgeable with OpenVPN I wanted to ask you: how do I get my server to issue real IP addresses instead of address-pool addresses?

For example, if my address pool is 10.8.0.0/24 and my LAN is 192.168.1.0/24, how do I get my road warriors to get a 192.168.1.x address?

Hotel:

OK, I found the problem here. When you use PSK (Pre-Shared Key) it gives you the option to enter a remote subnet. When you select PKI (Public Key Infrastructure) it disables that option, therefore leaving the VPN connection limited to only the console. I tried to counter this by adding a custom line "route 192.168.6.0 255.255.255.0" and FreeBSD gets an error saying:

                      ERROR: FreeBSD route add command failed: shell command exited with error status: 1:

I'm going to install the latest pfSense tomorrow to see if that will cure the issue. I really hate using unstable versions or SNAPSHOTS to correct problems though.

Any workarounds would be greatly appreciated.

JeGr (LAYER 8 Moderator):
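The posts above describe the same symptom twice: the tunnel comes up, a ping from the pfSense console works, but LAN hosts never reach the remote subnet, and an attempt to add a `route` line as a custom option failed. A first thing to verify in that situation is whether the box's routing table actually sends the remote subnet out of the tunnel interface at all. The following Python script is an added example written for this page; it is not pfSense or OpenVPN code and nothing from the thread was captured for it. It parses a FreeBSD `netstat -rn` style table (the two tables, the interface names em0/em1/tap0 and the 203.0.113.1 gateway are constructed) and uses longest-prefix matching, the same rule the kernel applies, to report whether traffic for the remote subnet would leave via the tunnel or fall through to the default (WAN) route.

```python
import ipaddress

# Constructed routing tables in FreeBSD "netstat -rn" style (not captured from
# the thread). Assumed layout: em0 = WAN with a documentation-range gateway,
# em1 = LAN (192.168.2.0/24 as in the first post), tap0 = the OpenVPN tunnel.
ROUTES_NO_TUNNEL_ROUTE = """\
Destination        Gateway            Flags    Netif
default            203.0.113.1        UGS      em0
127.0.0.1          link#2             UH       lo0
192.168.2.0/24     link#1             U        em1
"""

# The same table once a route for the remote subnet exists via the tunnel.
ROUTES_WITH_TUNNEL_ROUTE = ROUTES_NO_TUNNEL_ROUTE + \
    "10.10.1.0/24       link#5             U        tap0\n"


def parse_routes(table_text):
    """Parse (network, gateway, interface) tuples from a netstat -rn style table."""
    routes = []
    for line in table_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue  # skip the header and any blank or truncated line
        dest, gateway, _flags, netif = parts[:4]
        if dest == "default":
            network = ipaddress.ip_network("0.0.0.0/0")
        else:
            # a bare host entry such as 127.0.0.1 becomes a /32
            network = ipaddress.ip_network(dest, strict=False)
        routes.append((network, gateway, netif))
    return routes


def lookup(routes, host):
    """Longest-prefix match: the route the kernel would pick for `host`."""
    addr = ipaddress.ip_address(str(host))
    best = None
    for network, gateway, netif in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, netif)
    return best


def check_remote_subnet(table_text, remote_subnet, tunnel_if):
    """Return (ok, interface).

    ok is True only when every probed address of remote_subnet is routed out of
    tunnel_if; interface is the one actually chosen for the first address that
    goes the wrong way, or tunnel_if when everything is fine."""
    routes = parse_routes(table_text)
    remote = ipaddress.ip_network(remote_subnet)
    # Probe both ends of the subnet so a narrower, partial route cannot pass.
    for probe in (remote.network_address + 1, remote.broadcast_address - 1):
        match = lookup(routes, probe)
        chosen = match[2] if match else None
        if chosen != tunnel_if:
            return False, chosen
    return True, tunnel_if


if __name__ == "__main__":
    for label, table in (("before", ROUTES_NO_TUNNEL_ROUTE),
                         ("after", ROUTES_WITH_TUNNEL_ROUTE)):
        ok, netif = check_remote_subnet(table, "10.10.1.0/24", "tap0")
        verdict = "OK" if ok else "falls through to the default route"
        print(f"{label}: 10.10.1.0/24 via {netif} -> {verdict}")
```

On the constructed "before" table the remote subnet matches only the default route and would leave the WAN interface in the clear; on the "after" table it matches the tunnel route. A correct route is only one precondition, though: on pfSense the firewall rules on the tunnel interface must also pass the LAN traffic, and the far end needs a return route for the LAN subnet (192.168.2.0/24 here), which is why a console ping sourced from the tunnel address can succeed while pings from LAN hosts fail.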

As hoba mentioned quite a few times, those SNAPSHOTS you're complaining about being unstable are (mostly) exactly that: bugfixes of v1.0.1-release. That they call them snapshots doesn't make them less stable though.

                        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

IMA_Redneck:

Hotel, to get your LAN subnet to VPN clients you need to use bridging, and that will only work in TAP mode with the TLS server.
So all that might be wrong is just a route that I am missing.
I will look into that next time I get a chance.
Thanks again.
