Netgate Discussion Forum
OpenVPN to OPT1

  • P
    plaap
    last edited by Aug 19, 2008, 4:00 PM

    Hi,

    I have successfully set up an openvpn tunnel for road warriors. I can connect to the pfsense box and access the lan net. However I can't connect to the subnet behind OPT1.

    Config:
    LAN : 10.0.0.0/24
    OPT1 : 10.1.0.0/16
    OpenVPN : 10.100.0.0/24

    I tried : "push 10.1.0.0 255.255.0.0" but this didn't work. Also I can ping from the client to the openvpn server address.

    Are there any special rules to apply? I thought there weren't any special fw rules for openvpn. Or am I missing something huge? :)

    • G
      GruensFroeschli
      last edited by Aug 19, 2008, 6:13 PM

      Is this a PKI or PSK setup?

      In a PKI you're right to add the push 10.1.0.0 255.255.0.0 to the custom options.
      You will have to reconnect the client for it to take effect.
      If it works you should see a change in the routing table of the connecting client.

      PS: the command looks like this

      push "route 10.1.0.0 255.255.0.0"

      including the ""
      For more: rtfm here http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

      • P
        plaap
        last edited by Aug 20, 2008, 11:06 AM

        It is a PKI setup. The custom option is ok, I just mistyped the quotes here. The route is indeed added to the client. If I do a route print I can see the routes added.

        
        Wed Aug 20 11:54:19 2008 us=313963 route ADD 10.0.0.0 MASK 255.255.255.0 10.100.0.5
        Wed Aug 20 11:54:19 2008 us=315154 Route addition via IPAPI succeeded
        Wed Aug 20 11:54:19 2008 us=315168 route ADD 10.1.0.0 MASK 255.255.0.0 10.100.0.5
        Wed Aug 20 11:54:19 2008 us=316278 Route addition via IPAPI succeeded
        Wed Aug 20 11:54:19 2008 us=316292 route ADD 10.100.0.0 MASK 255.255.255.0 10.100.0.5
        Wed Aug 20 11:54:19 2008 us=317445 Route addition via IPAPI succeeded
        
        

        If I do a tracert to an ip in the opt1 range, the first hop is 10.100.0.1 (which is the pfsense box). It seems like all traffic stops there. Maybe it's more of a routing problem than an openvpn problem. I've enabled AON, maybe there's something missing there.
        I think it's a small problem but I seem to overlook it.

        • G
          GruensFroeschli
          last edited by Aug 20, 2008, 2:21 PM

          I'm writing over such a setup at this moment.
          It is working quite well. OPT1 is in my case the wireless-interface.

          Can you try to ping 10.1.0.1 (if this is the IP of pfSense on the 10.1.0.0/16 subnet)?

          • P
            plaap
            last edited by Aug 20, 2008, 2:41 PM

            I can ping the opt1 interface ip. Which is 10.1.0.99 in my case. I can also ping to a couple of other devices in the /16 opt1 network but only if they start with 10.1.0.x (meaning /24).

            • G
              GruensFroeschli
              last edited by Aug 20, 2008, 3:22 PM

              Interesting.
              Can you confirm that the routes on the openVPN-client get added correctly?
              Can you ping from a client on the 10.1.0.0/16 NOT in the 10.1.0.0/24 range to an OpenVPN-client?

              • P
                plaap
                last edited by Aug 21, 2008, 2:53 PM Aug 21, 2008, 1:05 PM

                I've tried this and it didn't work. I'll try to change an ip address from an unused device to the 'working' range to make sure I have the same effect.

                Edit :
                I've changed the ip from 10.1.101.200 to 10.1.0.200 and then it worked.

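Added example, not part of the original thread: it parses the `route ADD` lines plaap posted to confirm the client routes both 10.1.0.200 and 10.1.101.200 through the tunnel, then checks whether an OPT1 host can reach the pfSense OPT1 address 10.1.0.99 directly for a given netmask. The host netmasks are constructed inputs (the thread never shows them) and the function names are hypothetical; a /24 mask on the devices is one thing to rule out, not a cause the thread confirms.

```python
import ipaddress
import re

# Client log lines from the thread, timestamps trimmed.
CLIENT_LOG = """\
route ADD 10.0.0.0 MASK 255.255.255.0 10.100.0.5
route ADD 10.1.0.0 MASK 255.255.0.0 10.100.0.5
route ADD 10.100.0.0 MASK 255.255.255.0 10.100.0.5
"""
ROUTE_RE = re.compile(r"route ADD (\S+) MASK (\S+) (\S+)")


def parse_routes(log):
    """Return (network, gateway) pairs from OpenVPN 'route ADD' log lines."""
    return [(ipaddress.ip_network(f"{net}/{mask}"), ipaddress.ip_address(gw))
            for net, mask, gw in ROUTE_RE.findall(log)]


def best_route(routes, dest):
    """Longest-prefix match, as the client's routing table would do it."""
    dest = ipaddress.ip_address(dest)
    hits = [r for r in routes if dest in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)


def gateway_on_link(host_ip, host_mask, gateway):
    """Can a LAN host reach its gateway directly with this netmask?"""
    iface = ipaddress.ip_interface(f"{host_ip}/{host_mask}")
    return ipaddress.ip_address(gateway) in iface.network


if __name__ == "__main__":
    routes = parse_routes(CLIENT_LOG)
    for dest in ("10.1.0.200", "10.1.101.200"):
        print(f"client -> {dest}: via", best_route(routes, dest))
    # Hypothetical host settings: the thread never shows the devices' masks.
    for ip, mask in (("10.1.0.200", "255.255.255.0"),
                     ("10.1.101.200", "255.255.255.0"),
                     ("10.1.101.200", "255.255.0.0")):
        ok = gateway_on_link(ip, mask, "10.1.0.99")
        print(f"{ip}/{mask}: gateway 10.1.0.99 on-link = {ok}")
```

If the client-side lookup succeeds for both addresses, the remaining checks are on the OPT1 side: the netmask and default gateway configured on the unreachable device and on the pfSense OPT1 interface.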