Netgate Discussion Forum

    Openvpn road warrior question

      jan.gestre

      Hi All,

      I've set up an OpenVPN tunnel from pfSense (road warrior) to one of the offices.

      Protocol: TCP
      Dynamic IP: Enabled
      Local port: 1194
      Address pool: 10.10.10.0/24
      Local network: 192.168.1.0/24

      I was able to connect via the Windows OpenVPN client as shown in the logs:

      Thu Jan 03 10:18:44 2008 us=522218 Preserving previous TUN/TAP instance: ovpn
      Thu Jan 03 10:18:44 2008 us=522243 Initialization Sequence Completed

      However I don't know what's next (really dumb). I tried to ping one of the clients on pfSense's side, but all I've got is a request time out:

      C:\Documents and Settings\jan>ping 192.168.1.244

      Pinging 192.168.1.244 with 32 bytes of data:

      Request timed out.
      Request timed out.
      Request timed out.
      Reply from 10.10.10.1: Destination host unreachable.

      What I want to happen is to be able to see the file shares on the clients behind pfSense, but I don't have the slightest clue what to do (again, really dumb).

      TIA,

      jan

        GruensFroeschli

        is the client a win xp or vista machine?
        if yes: your windows firewall is most probably messing with your ping.
        try disabling it and look what happens.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          jan.gestre

          BTW, both LAN (pfSense and road warrior) network addresses are using 192.168.1.0/24. Would this cause a problem? It's only mentioned in the docs that the network addresses need to be unique if you're setting up a site-to-site VPN, right?

          is the client a win xp or vista machine?
          I'm using XP.

          if yes: your windows firewall is most probably messing with your ping.
          try disabling it and look what happens.

          Windows firewall on my side is turned off.

          I tried pinging clients on the pfSense side again; some were successful, some weren't. I tried to list the network shares of the IPs of the successful pings by Windows > Start > Run > \\192.168.1.168 but all I've got was an error message stating that the network path for 192.168.1.168 was not found.

            GruensFroeschli

            @jan:

            BTW, both LAN (pfSense and road warrior) network addresses are using 192.168.1.0/24. Would this cause a problem? It's only mentioned in the docs that the network addresses need to be unique if you're setting up a site-to-site VPN, right?

            I tried pinging clients on the pfSense side again; some were successful, some weren't. I tried to list the network shares of the IPs of the successful pings by Windows > Start > Run > \\192.168.1.168 but all I've got was an error message stating that the network path for 192.168.1.168 was not found.

            the same subnet for your local (seen from client) and remote network is a really bad idea.
            i would be really surprised if that ever worked.

            what exactly do you mean with some pings worked, and some not?
            are you using multiwan on server side?

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

              jan.gestre

              the same subnet for your local (seen from client) and remote network is a really bad idea.
              i would be really surprised if that ever worked.

              I'm only testing and I can't change the network addresses used by either coz it will mess things up  ;D besides I made sure that the client's IP I'm trying to ping doesn't exist on either side.

              what exactly do you mean with some pings worked, and some not?

              When I ping the IPs of clients that appear active in the DHCP leases (pfSense side), some of the active IPs replied to the ping, some requests timed out.

              are you using multiwan on server side?

              No, I'm not yet using multiwan but as soon as we get the second adsl line, we will be.

                nastraga

                Using the same subnet for the local client subnet and the remote network is a problem.

                When the client attempts to access a given host on the remote network, the client checks its routing tables and identifies that this is a local network and sends the traffic out the local interface. Traffic will (never) be routed over the tunnel interface.

                i.e. Client chooses the shortest/most specific route.

                  jan.gestre

                  @nastraga:

                  Using the same subnet for the local client subnet and the remote network is a problem.

                  When the client attempts to access a given host on the remote network, the client checks its routing tables and identifies that this is a local network and sends the traffic out the local interface. Traffic will (never) be routed over the tunnel interface.

                  i.e. Client chooses the shortest/most specific route.

                  Like I've said, it's only for testing; besides, it's not the LAN I'm after, it's the servers on the DMZ. Luckily I was able to access them by adding a push route.  ;D

                  One weird thing I've also noticed is that when I looked at My Network Places, the only workgroup listed is my own pc.  :o

                  I'm a little bit apprehensive changing the pfSense LAN address at this point because I might mess things up.

                    Cry Havok

                    I'll go with the large neon letters, flames and strobe lights….

                    You will not get OpenVPN reliably working if the local and remote subnets are the same (or overlap).

                    See the OpenVPN HowTo: http://openvpn.net/howto.html#numbering.  You will have to renumber one network or stop trying to use OpenVPN.

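Added example, not part of any post in this thread: a simplified model of the client's route lookup (longest prefix first, then lowest metric) together with an overlap check, using the address pool and local network from the first post. The interface names, the metrics and the 192.168.50.0/24 DMZ subnet are constructed assumptions.

```python
import ipaddress

def find_overlaps(client_nets, pushed_nets):
    """Return (client_net, pushed_net) pairs whose address ranges overlap."""
    pairs = []
    for c in map(ipaddress.ip_network, client_nets):
        for p in map(ipaddress.ip_network, pushed_nets):
            if c.overlaps(p):
                pairs.append((str(c), str(p)))
    return pairs

def select_route(table, dst):
    """Simplified lookup: most specific prefix wins, ties go to the lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in ipaddress.ip_network(r["net"])]
    if not matches:
        return None
    best = max(
        matches,
        key=lambda r: (ipaddress.ip_network(r["net"]).prefixlen, -r["metric"]),
    )
    return best["dev"]

# Constructed routing table for the road-warrior client once the tunnel is up.
# "lan" is the client's own NIC, "tun" is the OpenVPN adapter; metrics are assumed.
CLIENT_TABLE = [
    {"net": "0.0.0.0/0",       "dev": "lan", "metric": 20},  # default gateway
    {"net": "192.168.1.0/24",  "dev": "lan", "metric": 20},  # client's own LAN (on-link)
    {"net": "10.10.10.0/24",   "dev": "tun", "metric": 30},  # address pool from the post
    {"net": "192.168.1.0/24",  "dev": "tun", "metric": 30},  # pushed "Local network"
    {"net": "192.168.50.0/24", "dev": "tun", "metric": 30},  # hypothetical DMZ push route
]

if __name__ == "__main__":
    pushed = ["192.168.1.0/24", "10.10.10.0/24", "192.168.50.0/24"]
    print("conflicts:", find_overlaps(["192.168.1.0/24"], pushed))
    for dst in ("192.168.1.244", "192.168.50.10", "10.10.10.1"):
        print(dst, "->", select_route(CLIENT_TABLE, dst))
```

In this model 192.168.1.244 leaves through the client's own LAN interface and never enters the tunnel, while the non-overlapping DMZ prefix is routed over the tunnel.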
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.