I installed OpenVPN on pfSense but the VPN client can't access the LAN?
-
I installed OpenVPN on pfSense 1.2.2 with this configuration:
server (pfSense)
protocol: TCP
Dynamic IP: checked
Local port: 1194
address pool: 192.168.100.0/24
local network: 192.168.1.0
client-to-client: checked
cryptography: BF-CBC (128 bit)
authentication: PKI
DNS server
redirect gateway: checked
client (Windows)
##############################################
# Sample client-side OpenVPN 2.0 config file
# for connecting to multi-client server.
#
# This configuration can be used by multiple
# clients, however each client should have
# its own cert and key files.
#
# On Windows, you might want to rename this
# file so it has a .ovpn extension
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto tcp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 192.168.2.10 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client3.crt
key client3.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
# (Left disabled in this config; the "No server certificate
# verification method has been enabled" warning in the
# client log below comes from this.)
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
rules on pfSense:
LAN: pass any any
WAN: protocol TCP any any on port 1194
I connected from the VPN client (Windows) to the OpenVPN server and can access the LAN interface of the pfSense server, but I can't access the clients on the LAN network. This is the log on the VPN client:
Sat Jun 13 16:51:24 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Sat Jun 13 16:51:24 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Jun 13 16:51:24 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jun 13 16:51:24 2009 LZO compression initialized
Sat Jun 13 16:51:24 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sat Jun 13 16:51:24 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jun 13 16:51:24 2009 Local Options hash (VER=V4): '69109d17'
Sat Jun 13 16:51:24 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
Sat Jun 13 16:51:24 2009 Attempting to establish TCP connection with 192.168.2.10:1194
Sat Jun 13 16:51:24 2009 TCP connection established with 192.168.2.10:1194
Sat Jun 13 16:51:24 2009 TCPv4_CLIENT link local: [undef]
Sat Jun 13 16:51:24 2009 TCPv4_CLIENT link remote: 192.168.2.10:1194
Sat Jun 13 16:51:24 2009 TLS: Initial packet from 192.168.2.10:1194, sid=7c2aac3c b4addd76
Sat Jun 13 16:51:25 2009 VERIFY OK: depth=1, /C=VN/ST=CA/L=HaNoi/O=BKIS/CN=pfsenseCA/emailAddress=vietnd@bkav.com.vn
Sat Jun 13 16:51:25 2009 VERIFY OK: depth=0, /C=VN/ST=CA/O=BKIS/CN=server/emailAddress=vietnd@bkav.com.vn
Sat Jun 13 16:51:25 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jun 13 16:51:25 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jun 13 16:51:25 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jun 13 16:51:25 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jun 13 16:51:25 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Jun 13 16:51:25 2009 [server] Peer Connection Initiated with 192.168.2.10:1194
Sat Jun 13 16:51:26 2009 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Jun 13 16:51:27 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 172.16.105.151,route 192.168.100.0 255.255.255.0,ping 10,ping-restart 60,ifconfig 192.168.100.10 192.168.100.9'
Sat Jun 13 16:51:27 2009 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jun 13 16:51:27 2009 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jun 13 16:51:27 2009 OPTIONS IMPORT: route options modified
Sat Jun 13 16:51:27 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Jun 13 16:51:27 2009 TAP-WIN32 device [Local Area Connection 11] opened: \\.\Global\{CA09A34E-F39B-42F1-BEBF-64AE45F99BDE}.tap
Sat Jun 13 16:51:27 2009 TAP-Win32 Driver Version 8.4
Sat Jun 13 16:51:27 2009 TAP-Win32 MTU=1500
Sat Jun 13 16:51:27 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.100.10/255.255.255.252 on interface {CA09A34E-F39B-42F1-BEBF-64AE45F99BDE} [DHCP-serv: 192.168.100.9, lease-time: 31536000]
Sat Jun 13 16:51:27 2009 Successful ARP Flush on interface [6] {CA09A34E-F39B-42F1-BEBF-64AE45F99BDE}
Sat Jun 13 16:51:27 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sat Jun 13 16:51:27 2009 Route: Waiting for TUN/TAP interface to come up...
Sat Jun 13 16:51:28 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sat Jun 13 16:51:28 2009 Route: Waiting for TUN/TAP interface to come up...
Sat Jun 13 16:51:29 2009 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Sat Jun 13 16:51:29 2009 route ADD 192.168.1.0 MASK 255.255.255.0 192.168.100.9
Sat Jun 13 16:51:29 2009 Route addition via IPAPI succeeded
Sat Jun 13 16:51:29 2009 route ADD 192.168.100.0 MASK 255.255.255.0 192.168.100.9
Sat Jun 13 16:51:29 2009 Route addition via IPAPI succeeded
Sat Jun 13 16:51:29 2009 Initialization Sequence Completed
Can you help me with this problem?
Thanks very much -
#1 problem: are both networks (user and pfSense) using the same network address scheme (192.168.0.1/24 or similar)? They will connect but have no access to anything else other than a VPN connection. If so, that's the problem; set pfSense to be 10.x.x.x or 172.16.x.x.
-
Any reason you're using TCP?
OpenVPN over UDP gives much better performance and you don't have to faff around with MTU sizes.
-
Have you added a route to the VPN on your local LAN's router? You will need that to enable packet routing between your local and remote computers. Simple home routers enable configuration of a few static routes (some are even capable of running RIP). You will need to add a static route to your VPN subnet in your router's configuration. If, for instance, the address of the VPN's virtual interface on your server is 10.8.0.1, your VPN's subnet will most likely be 10.8.0.0/24. I'll use these addresses in my example below. In my Linksys home router to add a route I go to Setup tab, then choose Advanced Routing (it can vary depending on router's manufacturer), and there I type in the following:
Enter Route Name: VPN (or any other name you want)
Destination LAN IP: 10.8.0.0
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.254 (<=== this is the VPN server's IP on the LAN)
Obviously adjust IP addressing to your particular setup. That should do the trick.
Good luck
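As an added example (not code from the original thread or from pfSense/OpenVPN), the following script parses the PUSH_REPLY line from the client log above and applies the two checks the replies raise: reply #1's subnet-overlap test (a pushed route that overlaps the client's own LAN is shadowed by the directly connected route) and reply #3's return-route test (LAN hosts that do not default-route through the VPN server need a static route for the VPN pool pointing at its LAN address). The client-side LAN and the LAN gateway addresses are constructed assumptions, not values from the post.

```python
import ipaddress
import re

# Constructed sample: the PUSH_REPLY line from the client log posted above.
PUSH_REPLY_LINE = (
    "Sat Jun 13 16:51:27 2009 PUSH: Received control message: "
    "'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 172.16.105.151,"
    "route 192.168.100.0 255.255.255.0,ping 10,ping-restart 60,"
    "ifconfig 192.168.100.10 192.168.100.9'"
)


def parse_push_reply(line):
    """Extract the pushed 'route' networks and the 'ifconfig' pair from a PUSH_REPLY log line."""
    m = re.search(r"'PUSH_REPLY,([^']*)'", line)
    if m is None:
        raise ValueError("not a PUSH_REPLY line")
    routes, ifconfig = [], None
    for option in m.group(1).split(","):
        parts = option.split()
        if parts[0] == "route" and len(parts) == 3:
            routes.append(ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False))
        elif parts[0] == "ifconfig" and len(parts) == 3:
            ifconfig = (ipaddress.IPv4Address(parts[1]), ipaddress.IPv4Address(parts[2]))
    return routes, ifconfig


def find_overlaps(pushed_routes, client_local_nets):
    """Reply #1's failure mode: return (pushed, local) pairs where a pushed route
    overlaps a subnet the client machine is already directly connected to."""
    local = [ipaddress.IPv4Network(n, strict=False) for n in client_local_nets]
    return [(p, l) for p in pushed_routes for l in local if p.overlaps(l)]


def return_route(lan_hosts_gateway, vpn_server_lan_ip, vpn_pool):
    """Reply #3's check: if LAN hosts already default-route through the VPN server,
    no extra route is needed (None); otherwise return the (destination, gateway)
    static route the LAN router must carry so replies reach the VPN pool."""
    if ipaddress.IPv4Address(lan_hosts_gateway) == ipaddress.IPv4Address(vpn_server_lan_ip):
        return None
    return (ipaddress.IPv4Network(vpn_pool), ipaddress.IPv4Address(vpn_server_lan_ip))


if __name__ == "__main__":
    routes, ifcfg = parse_push_reply(PUSH_REPLY_LINE)
    print("pushed routes:", routes, "ifconfig:", ifcfg)
    # Assumed: the client PC sits on its own 192.168.1.0/24, the same range pfSense uses.
    print("overlaps:", find_overlaps(routes, ["192.168.1.0/24"]))
    # Assumed: LAN hosts default-route to 192.168.1.254 while pfSense LAN is 192.168.1.1.
    print("return route:", return_route("192.168.1.254", "192.168.1.1", "192.168.100.0/24"))
```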