Netgate Discussion Forum

Can't ping through OpenVPN tunnel :(

OpenVPN
17 Posts 4 Posters 14.0k Views
niekshas

OK here we go…
First I generated a shared key.

Then I made the OpenVPN server with these settings:

Protocol -> UDP
Dynamic IP -> uncheck
Local port -> 1194
Address pool -> 192.168.200.0/24 (this is the tunnel pool address space, it must be different from the router's LAN address space… mine is 192.168.1.0/24)
Use static IPs -> uncheck
Remote network -> 192.168.255.0/24 (this is the client router's LAN space)
Cryptography -> BF-CBC
Authentication method -> Shared Key
Shared Key -> (enter key here)
DHCP-Opt.: NetBIOS node type -> none
DHCP-Opt.: Disable NetBIOS -> check
LZO compression -> check

Now the client:

Protocol -> UDP
Server address -> (put your OpenVPN server's IP here)
Server port -> 1194
Interface IP -> 192.168.200.0/24 (tunnel address space… must be the same as the server's)
Remote network -> 192.168.1.0/24 (this is the server LAN's address space)
Proxy port -> 3128
Cryptography -> BF-CBC
Authentication method -> Shared Key
Shared Key -> (enter key here)
LZO compression -> check

Now you just need firewall rules.

So that's all... for me.

To redirect traffic you need:
On the OpenVPN server:
Firewall -> NAT -> Outbound -> Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))
And set a rule for each network that needs to get out.
VPN -> OpenVPN -> Server -> Custom options
Add option [push "redirect-gateway def1"]

Now on the client side:
VPN -> OpenVPN -> Client -> Custom options
--route 62.231.8.0 255.255.255.0 192.168.1.254; --route 70.0.0.0 255.0.0.0 192.168.1.254;
This routes 62.231.8.0/24 and 70.0.0.0/8 traffic into the tunnel...

Sorry for my bad English.

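The settings above only work when the two sides agree with each other, and most of the trouble later in this thread is about exactly that. The following checker is an added example, not code from the post or from pfSense: it encodes the constraints the post states in prose (same tunnel pool on both ends and disjoint from both LANs, each side's "Remote network" equal to the other side's LAN, matching protocol, port and cipher) plus two checks a practitioner would add: every subnet inside RFC 1918 space (a point a later reply in this thread also makes) and a warning for BF-CBC, which is a 64-bit-block cipher and therefore exposed to SWEET32-style birthday attacks on a long-lived tunnel. The addresses are the ones from the post; the dictionary layout, the message texts and the hypothetical public LAN used in the usage example are my own.

```python
"""Consistency checks for a pfSense shared-key OpenVPN site-to-site setup.

Added example (not code from the forum post or from pfSense). Addresses are
those given in the post; dict layout and message texts are this example's own.
"""
from ipaddress import IPv4Network

RFC1918 = [IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16")]
# 64-bit block ciphers are exposed to birthday-bound attacks (SWEET32) on a
# long-lived tunnel carrying gigabytes of traffic; AES-GCM is the usual fix.
WEAK_64BIT_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC"}

# Settings from the first post (server "Address pool" == client "Interface IP").
SERVER = {"proto": "udp", "port": 1194, "cipher": "BF-CBC",
          "tunnel": "192.168.200.0/24", "lan": "192.168.1.0/24",
          "remote": "192.168.255.0/24"}
CLIENT = {"proto": "udp", "port": 1194, "cipher": "BF-CBC",
          "tunnel": "192.168.200.0/24", "lan": "192.168.255.0/24",
          "remote": "192.168.1.0/24"}


def is_rfc1918(net):
    """True if net lies entirely inside one of the three RFC 1918 blocks."""
    return any(net.subnet_of(block) for block in RFC1918)


def check_site_to_site(server, client):
    """Return a list of problem strings; an empty list means the two sides agree."""
    problems = []
    for key in ("proto", "port", "cipher"):
        if server[key] != client[key]:
            problems.append(f"{key} differs: server={server[key]} client={client[key]}")

    s_tun, c_tun = IPv4Network(server["tunnel"]), IPv4Network(client["tunnel"])
    s_lan, c_lan = IPv4Network(server["lan"]), IPv4Network(client["lan"])
    s_rem, c_rem = IPv4Network(server["remote"]), IPv4Network(client["remote"])

    if s_tun != c_tun:
        problems.append(f"tunnel network differs: server={s_tun} client={c_tun}")
    for name, lan in (("server LAN", s_lan), ("client LAN", c_lan)):
        if lan.overlaps(s_tun):
            problems.append(f"{name} {lan} overlaps the tunnel network {s_tun}")
    if s_lan.overlaps(c_lan):
        problems.append(f"server LAN {s_lan} overlaps client LAN {c_lan}; "
                        "routes across the tunnel would be ambiguous")
    # Each side must name the other side's LAN as its "Remote network".
    if s_rem != c_lan:
        problems.append(f"server 'Remote network' {s_rem} is not the client LAN {c_lan}")
    if c_rem != s_lan:
        problems.append(f"client 'Remote network' {c_rem} is not the server LAN {s_lan}")
    for name, net in (("tunnel", s_tun), ("server LAN", s_lan), ("client LAN", c_lan)):
        if not is_rfc1918(net):
            problems.append(f"{name} {net} is not RFC 1918 space; "
                            "it will collide with real Internet destinations")
    if server["cipher"] in WEAK_64BIT_BLOCK_CIPHERS:
        problems.append(f"cipher {server['cipher']} uses a 64-bit block (SWEET32); "
                        "prefer AES-128-GCM or AES-256-GCM")
    return problems


if __name__ == "__main__":
    for p in check_site_to_site(SERVER, CLIENT) or ["no problems found"]:
        print(p)
    # Hypothetical misconfiguration: a public /24 used as the server LAN.
    for p in check_site_to_site(dict(SERVER, lan="62.231.8.0/24"),
                                dict(CLIENT, remote="62.231.8.0/24")):
        print(p)
```

Run as-is it reports only the cipher warning for the configuration in the post; swapping the cipher on both sides for AES-256-GCM makes it return an empty list, and changing either side's "Remote network" to anything other than the peer's LAN is flagged immediately.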
niekshas

Well, I can now ping through the tunnel… :)
But the next step for me is to redirect some traffic through my new OpenVPN tunnel... And I have a problem.... Like always :) lol

When I try to do:
Tracing route to ereality.ru [62.231.8.188]
over a maximum of 30 hops:
  1    1 ms    1 ms    <1 ms  pfsense.local [192.168.255.254]
  2    1 ms    1 ms    1 ms  192.168.107.254
  3    43 ms    42 ms    42 ms  62.231.8.188
Trace complete.

it is fine… but then I enter a static route to redirect traffic:
Interface -> LAN
Destination network -> 62.231.8.188/32
Gateway -> 192.168.1.254 (that's the address of my OpenVPN server's LAN network card… it serves as the gateway for network 192.168.1.0/24)

Then I can trace :(
Tracing route to ereality.ru [62.231.8.188]
over a maximum of 30 hops:
  1    1 ms    <1 ms    1 ms  pfsense.local [192.168.255.254]
  2    4 ms    4 ms    3 ms  192.168.200.1
  3    *        *        *    Request timed out.
  4    *        *        *    Request timed out.

As I see it, it goes through 192.168.255.254 (that's the OpenVPN client LAN gateway), then 192.168.200.1 (that's the tunnel), and boom….

Anyone have any ideas???

        Thank you for your time

niekshas

Today I tried to add, on the OpenVPN server in the custom options field:
push "route 192.168.100.0 255.255.255.0"

but I think nothing happens… the client doesn't get the new route... :(

GruensFroeschli

You don't use pushes if not in a PKI.

To add new routes in a shared key setup you add the custom "route" line on the client.
For the syntax of the route command refer to:
            http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

niekshas

Well, it is not working for me :( I'm out of ideas…

To add the route, on the OpenVPN server I'm using:
--route 80.240.10.0 255.255.255.0 192.168.1.254
where 192.168.1.254 is the LAN gateway of the OpenVPN server
and I can't trace any address in the 80.240.10.0/24 network

              Tracing route to cable-10-40.cgates.lt [80.240.10.40]
              over a maximum of 30 hops:
                1    <1 ms    <1 ms    <1 ms  pfsense.local [192.168.55.254]
                2   105 ms   175 ms   151 ms  192.168.200.1
                3     *        *        *     Request timed out.
                4     *        *        *     Request timed out.

it seems it doesn't go out from the tunnel…
Anyone have any ideas???

routing table:
Destination        Gateway            Flags  Refs     Use    Mtu  Netif  Expire
default            192.168.107.254    UGS       0  215188   1500  fxp0
80.240.10/24       192.168.1.254      UGS       0      43   1500  tun0
127.0.0.1          127.0.0.1          UH        1       0  16384  lo0
192.168.1          192.168.200.1      UGS       1       4   1500  tun0
192.168.55         link#1             UC        0       0   1500  dc0
192.168.55.97      00:17:08:2f:f6:eb  UHLW      1   85977   1500  dc0    814
192.168.107        link#2             UC        0       1   1500  fxp0
192.168.107.101    127.0.0.1          UGHS      0       0  16384  lo0
192.168.107.254    00:1b:21:0e:63:ba  UHLW      2    1355   1500  fxp0   1089
192.168.200.1      192.168.200.2      UH        1       0   1500  tun0

GruensFroeschli

On the server side:
You have to enable Advanced Outbound NAT and create a rule that NATs the office side.

                http://forum.pfsense.org/index.php/topic,7001.0.html


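The routing table in the previous post already shows that the client box sends 80.240.10.40 into tun0, so the missing piece is on the other end, which is exactly what the reply above says: the server forwards the packet out of its WAN with a source address of 192.168.55.x, nothing translates it, and the reply never comes back. The following is an added example, not code from the thread or from pfSense/FreeBSD. Part one parses the netstat-style table posted above (embedded here as the sample input) and does a longest-prefix lookup over it; part two is a deliberately simplified model of pfSense outbound NAT, in which a packet is translated only if some rule's source network contains its source address. The rule sets are assumptions: the automatic set covers only the server LAN (192.168.1.0/24 from the first post), and the advanced outbound NAT set adds the client LAN (192.168.55.0/24, the dc0 network in the table). "wan" is a made-up name for the server's WAN interface.

```python
"""Why the client's extra "route" line alone left 80.240.10.0/24 unreachable.

Added example (not code from the thread or from pfSense/FreeBSD). The routing
table is the one posted in the thread; the NAT rule sets and the "wan"
interface name are assumptions made for the illustration.
"""
from ipaddress import IPv4Address, IPv4Network

ROUTING_TABLE = """\
Destination        Gateway            Flags  Refs     Use    Mtu  Netif  Expire
default            192.168.107.254    UGS       0  215188   1500  fxp0
80.240.10/24       192.168.1.254      UGS       0      43   1500  tun0
127.0.0.1          127.0.0.1          UH        1       0  16384  lo0
192.168.1          192.168.200.1      UGS       1       4   1500  tun0
192.168.55         link#1             UC        0       0   1500  dc0
192.168.55.97      00:17:08:2f:f6:eb  UHLW      1   85977   1500  dc0    814
192.168.107        link#2             UC        0       1   1500  fxp0
192.168.107.101    127.0.0.1          UGHS      0       0  16384  lo0
192.168.107.254    00:1b:21:0e:63:ba  UHLW      2    1355   1500  fxp0   1089
192.168.200.1      192.168.200.2      UH        1       0   1500  tun0
"""


def parse_destination(dest):
    """Expand FreeBSD netstat's abbreviated destinations ("default",
    "192.168.1", "80.240.10/24", "192.168.55.97") into an IPv4Network."""
    if dest == "default":
        return IPv4Network("0.0.0.0/0")
    addr, _, prefix = dest.partition("/")
    octets = addr.split(".")
    if not prefix:
        # netstat drops trailing zero octets and omits a classful mask, so a
        # three-octet entry is a /24 and a full four-octet entry is a host.
        prefix = "32" if len(octets) == 4 else str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return IPv4Network(".".join(octets) + "/" + prefix)


def parse_routing_table(text):
    """Return (network, gateway, netif) tuples; the header line is skipped."""
    routes = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 7:
            continue
        routes.append((parse_destination(fields[0]), fields[1], fields[6]))
    return routes


def route_lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst, or None."""
    ip = IPv4Address(dst)
    best = None
    for net, gateway, netif in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, netif)
    return best


# Server-side outbound NAT model (assumption). A rule is (out interface, source net).
SERVER_WAN = "wan"
AUTOMATIC_NAT = [("wan", IPv4Network("192.168.1.0/24"))]
ADVANCED_NAT = AUTOMATIC_NAT + [("wan", IPv4Network("192.168.55.0/24"))]


def outbound_nat_applies(rules, src, out_if):
    """True if a packet from src leaving out_if is matched by some NAT rule."""
    ip = IPv4Address(src)
    return any(iface == out_if and ip in net for iface, net in rules)


def server_egress(rules, src):
    """Fate of a packet the client tunnelled to the server, which now forwards
    it out its WAN: 'translated' if the source is rewritten to the WAN address,
    'untranslated' if it leaves with a private source, in which case the reply
    has nowhere to go and traceroute shows the timeouts seen in the thread."""
    return "translated" if outbound_nat_applies(rules, src, SERVER_WAN) else "untranslated"


if __name__ == "__main__":
    routes = parse_routing_table(ROUTING_TABLE)
    print("80.240.10.40 ->", route_lookup(routes, "80.240.10.40"))
    print("automatic NAT:", server_egress(AUTOMATIC_NAT, "192.168.55.97"))
    print("advanced NAT: ", server_egress(ADVANCED_NAT, "192.168.55.97"))
```

The lookup confirms that 80.240.10.40 leaves the client via tun0 and that 192.168.55.97 is matched by the /32 host entry rather than the /24, while the NAT model shows the same packet being dropped on the floor under the automatic rules and translated once the client LAN is added, which is the change the reply above asks for.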
niekshas

                  Well thank you… Now all works fine...

BTW I posted my setup... so if someone like me needs it... they can read and use it :)

stefanBG

@GruensFroeschli:

You don't use pushes in a PKI.

To add new routes in a shared key setup you add the custom "route" line on the client.
For the syntax of the route command refer to:
http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html

I am trying to set up an OpenVPN between my Windows machine and work using pfSense. I am using PKI authentication. I have been struggling for days and googled, but apparently Google does not index the board well, so I came here to check if there is really nothing on the topic. Apparently there is a lot.
Have I correctly understood that with PKI the push of the remote network is disabled/not executed???
Please, confirm this.

10x

PS. pfSense team! Great work!!!

GruensFroeschli

Sorry, that was a typo.

You don't use pushes if not in a PKI.
You DO use pushes in a PKI.

What exactly doesn't work in your setup?
Did you read the HowTos on http://openvpn.net


stefanBG

@GruensFroeschli:

Sorry, that was a typo.

You don't use pushes if not in a PKI.
You DO use pushes in a PKI.

What exactly doesn't work in your setup?
Did you read the HowTos on http://openvpn.net

;D Thanks, I almost waged a war on the router! And in fact I managed to ping the VPN gateway from the pfSense, so my remote machine did respond, but only from pfSense, not from the local net. So no real site2site connection :(

This post is about my problem!
http://forum.pfsense.org/index.php/topic,9884.0.html

So finally.. in conclusion!
To have a site2site between pfSense and a SUSE distro I need to use:

• PKIs and push? Not shared keys, right???
• and change my networks to the RFC 1918 networks standard???

I shall forget about my XP, although I am willing to try to configure it as a router :) …can I do that with Cygwin? ..sorry, this is a different topic

                        10x  GruensFroeschli

GruensFroeschli

For a site-to-site I would not use a PKI and pushes.
A PKI is intended to be used with roadwarriors. (Or really many site-to-site connections, 10+)

In a shared key site-to-site setup you define what lies on the other side of the tunnel via the "route" command. In the GUI this is the "remote subnet" field.

Search the forum on that. Read the stickies.
There is really a LOT of info around. Also it might not hurt if you read the HowTos on http://openVPN.net
And the sample configs openvpn.net provides.

And yes, you should move your address space to RFC1918.


stefanBG

                            Thank you very much GruensFroeschli,

Now everything is much clearer. The topology that has been set up is obviously the problem.

                            10x again.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.