Netgate Discussion Forum

OpenVPN client gets IP, but can't ping office LAN

    sb1
    last edited by May 9, 2008, 1:42 PM

    I'm having a bit of trouble with OpenVPN testing.  So far, I've followed the instructions here (http://www.pfsense.org/mirror.php?section=tutorials/openvpn/pfsense-ovpn.pdf).  My test VPN client is Vista 32-bit (including adding the below to my *.ovpn config file), and I'm connecting to a PFSense 1.2-RELEASE box.  I generated keys from my linux box - and these appear to be good.

    Right now, I'm able to get an IP address using the OpenVPN GUI client of 192.168.124.6 when I establish a session.  However, I'm not able to ping hosts (or SMB, MSTSC, FTP, HTTP to etc.) on my office LAN.  If I do an "Ipconfig /all" from Vista, I see my ovpn client has a subnet of 255.255.255.252, DHCP server 192.168.124.5, DNS of 192.168.222.2, WINS 192.168.168.222.2, but no Gateway listed.  I can ping my own IP, but I can't ping the "DHCP" server address, or anything on the 192.168.222.0/24 network.

    My PFSense box has an IP on my LAN of 192.168.222.248, connecting to its own private DSL line.  I have another firewall and separate internet connection of 192.168.222.1.  All my production boxes point at the 192.168.222.1 box for their gateway.

    Can anyone point me in the right direction, or identify anything in my config that's causing the problem?

    added to Vista Config for *.ovpn
    route-method exe
    mssfix 1200
    route-delay 2

    OpenVPN Server tab,
    Protocol: TCP
    Dynamic IP: checked
    Local port: 1194
    Address pool: 192.168.124.0/24
    Local network: 192.168.222.0/24
    DHCP-Opt DNS: domain.local
    DNS: 192.168.222.2
    WINS: 192.168.222.2
    NetBios node: p-node

    Client tab: empty
    client specific config tab: empty

    Firewall rules:

    WAN: TCP/UDP, *, *, *, 1194, *
    LAN: *, LAN net, *, *, *, *

      sb1
      last edited by May 9, 2008, 1:48 PM

      Also - on my openvpn client, I'm getting the following error just before getting my IP:

      Thu May 08 17:02:10 2008 us=358000 Route addition via IPAPI failed
      Thu May 08 17:02:10 2008 us=358021 route ADD 192.168.124.1 MASK 255.255.255.255 192.168.124.5
      Thu May 08 17:02:10 2008 us=386089 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.  [if_index=20]
      Thu May 08 17:02:10 2008 us=386322 Route addition via IPAPI failed
      Thu May 08 17:02:10 2008 us=386339 Initialization Sequence Completed

        sh_man
        last edited by May 9, 2008, 3:08 PM May 9, 2008, 3:05 PM

        Try adding the following in the custom options box

        push "route 192.168.222.0 255.255.255.0 vpn_gateway";

        Also, I have not bothered with any of the DHCP DNS stuff - it works for me without it!

          sb1
          last edited by May 10, 2008, 3:55 PM

          Should I be adding this to the OpenVPN client "server" tab?  I tried doing so, literally typing…

          push "route 192.168.222.0 255.255.255.0 vpn_gateway";

          Should the words "push" and "vpn_gateway" be included, or should I be typing my actual gateway - 192.168.124.1?  I've tried these various iterations, and I can't get to my 192.168.222/0 LAN.  I can ping and connect to 192.168.124.1 (pfsense on the VPN subnet).

          Any other ideas, or did I miss something?

            sh_man
            last edited by May 11, 2008, 7:56 PM

            This should be put in on pfsense, on the VPN->openVPN server tab. Edit the server you have set up and at the bottom there is a custom options box. The server should then "push" this to the client when the client initiates the link.

            It works fine for me using an XP client

            My client config is:-

            port 1194
            dev tun
            dev-node OpenVPN
            proto udp
            remote xxx.xxx.xxx.xxx 1194
            ping 30
            dhcp-option DNS 192.168.1.1
            persist-tun
            persist-key
            tls-client
            ca ca.crt
            cert timh2.crt
            key timh2.key
            ns-cert-type server
            comp-lzo
            pull

            My server config:-

            <openvpnserver><config><disable/><protocol>UDP</protocol>
            <dynamic_ip>on</dynamic_ip>
            <local_port>1194</local_port>
            <addresspool>192.168.20.0/24</addresspool>
            <nopool/><local_network>192.168.1.0/24</local_network>
            <remote_network/><client2client>on</client2client>
            <crypto>BF-CBC</crypto>
            <auth_method>pki</auth_method>
            <shared_key/><ca_cert>yyyyyyyyyy</ca_cert>
            <server_cert>yyyyyyyyyyyy</server_cert>
            <server_key>yyyyyyyyyyyyyyy</server_key>
            <dh_params>yyyyyyyyyyyyyyyyyyyyyyyyy</dh_params>
            <crl>yyyyyyyyyyyyyyyyyyy</crl>
            <use_lzo>on</use_lzo>
            <custom_options>push "route 192.168.1.0 255.255.255.0 vpn_gateway";route 192.168.20.0 255.255.255.0;push "route 192.168.1.0 255.255.255.0 vpn_gateway";management 192.168.1.180 7506</custom_options>
            <description>MainVPN (1194)</description></config></openvpnserver>

              Cry Havok
              last edited by May 11, 2008, 8:55 PM

              Are you remembering to run the OpenVPN client as Administrator (right click, Run as Administrator)?

                GruensFroeschli
                last edited by May 11, 2008, 10:32 PM

                You don't need to add the
                push "route 192.168.222.0 255.255.255.0 vpn_gateway";
                to your custom commands.

                The field
                Local network: 192.168.222.0/24
                already does that.

                Thu May 08 17:02:10 2008 us=358000 Route addition via IPAPI failed
                Thu May 08 17:02:10 2008 us=358021 route ADD 192.168.124.1 MASK 255.255.255.255 192.168.124.5
                Thu May 08 17:02:10 2008 us=386089 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.  [if_index=20]
                Thu May 08 17:02:10 2008 us=386322 Route addition via IPAPI failed
                Thu May 08 17:02:10 2008 us=386339 Initialization Sequence Completed

                It's a Vista problem.
                Are you sure you HAVE to use Vista for this?

                If you use Google you find this:
                http://skriptd.wordpress.com/2007/07/12/openvpn-gui-on-windows-vista/

                The solution is described there.

                added to Vista Config for *.ovpn
                route-method exe
                mssfix 1200
                route-delay 2

                Are you really sure that the file with these changes gets used?
                Your log shows that OpenVPN still tries to add the routes with route-method ipapi, which obviously fails with Vista.

                We do what we must, because we can.

                Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
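
The check suggested in the post above, as an added example that is not part of the original thread: compare the `route-method` a client config requests with what the client log shows was actually used. The sample log and config are constructed from the lines quoted in the thread; the function names are hypothetical.

```python
import re

# Constructed sample: the log lines quoted in the thread, plus the three
# directives the original poster says were added to the Vista *.ovpn file.
SAMPLE_LOG = """\
Thu May 08 17:02:10 2008 us=358000 Route addition via IPAPI failed
Thu May 08 17:02:10 2008 us=358021 route ADD 192.168.124.1 MASK 255.255.255.255 192.168.124.5
Thu May 08 17:02:10 2008 us=386089 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.  [if_index=20]
Thu May 08 17:02:10 2008 us=386322 Route addition via IPAPI failed
Thu May 08 17:02:10 2008 us=386339 Initialization Sequence Completed
"""
SAMPLE_CONFIG = "route-method exe\nmssfix 1200\nroute-delay 2\n"

ROUTE_ADD = re.compile(r"route ADD (\S+) MASK (\S+) (\S+)")
IPAPI_FAIL = re.compile(r"IPAPI failed|CreateIpForwardEntry")


def configured_route_method(config_text):
    """Return the route-method value from an OpenVPN config, or None."""
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()  # ignore comments
        if len(parts) == 2 and parts[0] == "route-method":
            return parts[1]
    return None


def diagnose(log_text, config_text):
    """Summarise route installation as seen in the client log."""
    lines = log_text.splitlines()
    routes = [m.groups() for m in map(ROUTE_ADD.search, lines) if m]
    ipapi_failures = sum(1 for line in lines if IPAPI_FAIL.search(line))
    method = configured_route_method(config_text)
    findings = []
    if ipapi_failures:
        findings.append("routes were attempted through the IP helper API and failed")
        if method == "exe":
            findings.append("config requests route-method exe but the log shows IPAPI: "
                            "this config file is probably not the one being loaded")
    if ipapi_failures and "Initialization Sequence Completed" in log_text:
        findings.append("tunnel came up without its routes installed")
    return {"routes": routes, "ipapi_failures": ipapi_failures,
            "route_method": method, "findings": findings}


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_CONFIG)["findings"]:
        print("-", finding)
```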

                  sb1
                  last edited by May 12, 2008, 6:13 PM

                  I'll come back to the Vista testing in a bit and post any changes after testing.

                  In the interim, I grabbed an XP box, removed the custom config statement ("push "route 192.168.222.0 255.255.255.0 vpn_gateway"), and tried connecting via OpenVPN.  I was able to connect without a "route addition failure" error, and received an IP address (192.168.124.6).  Initially I could not ping anything on the production LAN, but soon realized that those production boxes weren't pointing at pfSense (*.248) for the gateway, and were instead pointing their gateway at *.1, which had no knowledge of the *.248.  After changing one to point at *.248, I was able to ping it from my OpenVPN client at 192.168.124.6, as well as TS/RDP into it.

                  So that's a big improvement - and thanks to everyone who helped!  As I said, I'll keep hammering away at Vista and let you know what I find.
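
The return-path problem described in the post above, as an added example that is not part of the original thread: it follows a LAN host's reply towards the VPN client using longest-prefix matching. It goes one step beyond the thread by also modelling a static route for the pool on the *.1 firewall, which is a hypothetical alternative; `ISP_HOP` and all function names are constructed.

```python
import ipaddress

# Addresses are the ones given in the thread; ISP_HOP is a constructed placeholder.
VPN_POOL = ipaddress.ip_network("192.168.124.0/24")
LAN = ipaddress.ip_network("192.168.222.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
PFSENSE = ipaddress.ip_address("192.168.222.248")
OTHER_FW = ipaddress.ip_address("192.168.222.1")
ISP_HOP = ipaddress.ip_address("203.0.113.1")
CLIENT = ipaddress.ip_address("192.168.124.6")


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs; gateway None means on-link."""
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        return None
    net, gw = max(matches, key=lambda r: r[0].prefixlen)
    return dst if gw is None else gw


def reply_path(host_routes, router_tables, dst=CLIENT, max_hops=4):
    """Follow a LAN host's reply towards the VPN client; return (hops, delivered)."""
    hops, hop = [], next_hop(host_routes, dst)
    while hop is not None and len(hops) < max_hops:
        hops.append(hop)
        if hop == PFSENSE:  # pfSense terminates the tunnel for the pool
            return hops, dst in VPN_POOL
        if hop not in router_tables:  # left the part of the network modelled here
            break
        hop = next_hop(router_tables[hop], dst)
    return hops, False


def scenarios():
    """As first posted, as fixed in the thread, and a hypothetical static route on .1."""
    fw_plain = {OTHER_FW: [(LAN, None), (DEFAULT, ISP_HOP)]}
    fw_static = {OTHER_FW: fw_plain[OTHER_FW] + [(VPN_POOL, PFSENSE)]}
    via_fw = [(LAN, None), (DEFAULT, OTHER_FW)]
    via_pfsense = [(LAN, None), (DEFAULT, PFSENSE)]
    return {
        "gateway .1, no route to pool": reply_path(via_fw, fw_plain),
        "gateway .248 (pfSense)": reply_path(via_pfsense, fw_plain),
        "gateway .1 plus static route": reply_path(via_fw, fw_static),
    }


if __name__ == "__main__":
    for name, (hops, ok) in scenarios().items():
        print(f"{name}: {' -> '.join(map(str, hops))} | reply reaches client: {ok}")
```

In the static-route layout the *.1 firewall sees only the reply half of each connection, and a stateful firewall may drop such one-sided flows.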

                    chazers18
                    last edited by May 14, 2008, 7:03 PM

                    All you need to do for Vista is run it as an administrator and download the openvpn-2.1_rc4-install version. I have this running on this laptop and on 2 other Vista machines with no problems.

                    My config also looks like this. I have it running on 15 or so clients with a road warrior setup.

                    float
                    port 1195
                    dev tun
                    dev-node vpn
                    #dev-node vpn <-vpn is the name of the renamed interface
                    proto tcp-client
                    remote 12.34.56.78 1195
                    remote 87.65.54.43 1195
                    resolv-retry 30
                    ping 10
                    persist-tun
                    persist-key
                    tls-client
                    ca ca.crt
                    cert user.crt
                    key user.key
                    ns-cert-type server
                    #comp-lzo <- to enable remove the #
                    pull
                    verb 4

                      manuel
                      last edited by Nov 18, 2008, 11:10 AM

                      I'm running Vista and since I didn't want to install the RC, I got it running by adding these lines to the OpenVPN client configuration:

                      
                      route-method exe
                      route-delay 2
                      
                      

                      That did it for me.
