Re: OpenVPN on pfSense - Installation guide for Dummies [DNS-problem] [solved]

alphazo

I'm little confused by this tutorial and other references on the wiki because 1.2.3 adds new filtering capabilities on VPN with the addition of a new virtual interface.

Before going into that (enabling the virtual inteface and disabling automatic rules) I followed the tutorial. I'm able to connect and get an IP address but unfortunately I cannot reach anything in the remote network. When looking at ipconfig on the windows client I noticed that there is no gateway mentioned, only an IP address : 192.168.100.6 and a netmask: 255.255.255.252.

I guess that without a gateway I won't be able to route correctly. How can enable this?

In my OpenVPN I have 192.168.100.0/24 for the address pool and 192.168.0.0/24 for the local network. I also have a WAN rules:
UDP   *   *   *   1194 (OpenVPN)   *       OpenVPN

Thanks
alphazo

GruensFroeschli

If i remember correctly, you don't have a gateway for the OpenVPN interface with ipconfig.
But when you do a "route print" on a console you should see all the gateways for their corresponding route.

The route to the remote subnet should show up there.
If it doesn't: can you show the OpenVPN log from the client when you connect?

alphazo

Thank you for helping me out. This is what the "route print" returns:

===========================================================================
Liste d'Interfaces
0x1 ........................... MS TCP Loopback interface
0x2 ...00 ff 18 70 d3 86 ...... TAP-Win32 Adapter V9 - Miniport d'ordonnancemen
 de paquets
0x10004 ...08 00 27 95 b4 ef ...... Carte AMD PCNET Family Ethernet PCI
===========================================================================
===========================================================================
Itinéraires actifs :
Destination réseau    Masque réseau  Adr. passerelle   Adr. interface Métrique
          0.0.0.0          0.0.0.0         10.0.2.2       10.0.2.15       20
         10.0.2.0    255.255.255.0        10.0.2.15       10.0.2.15       20
        10.0.2.15  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255        10.0.2.15       10.0.2.15       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0    192.168.100.5   192.168.100.6       1
    192.168.100.1  255.255.255.255    192.168.100.5   192.168.100.6       1
    192.168.100.4  255.255.255.252    192.168.100.6   192.168.100.6       30
    192.168.100.6  255.255.255.255        127.0.0.1       127.0.0.1       30
  192.168.100.255  255.255.255.255    192.168.100.6   192.168.100.6       30
        224.0.0.0        240.0.0.0        10.0.2.15       10.0.2.15       20
        224.0.0.0        240.0.0.0    192.168.100.6   192.168.100.6       30
  255.255.255.255  255.255.255.255        10.0.2.15       10.0.2.15       1
  255.255.255.255  255.255.255.255    192.168.100.6   192.168.100.6       1
Passerelle par défaut :          10.0.2.2
===========================================================================
Itinéraires persistants :
  Aucun

and here is the openvpn client's log:

Tue Dec 22 13:21:33 2009 OpenVPN 2.1_rc22 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 20 2009
Tue Dec 22 13:21:33 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Dec 22 13:21:34 2009 LZO compression initialized
Tue Dec 22 13:21:34 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Dec 22 13:21:34 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Dec 22 13:21:34 2009 Local Options hash (VER=V4): '41690919'
Tue Dec 22 13:21:34 2009 Expected Remote Options hash (VER=V4): '530fdded'
Tue Dec 22 13:21:34 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Dec 22 13:21:34 2009 UDPv4 link local: [undef]
Tue Dec 22 13:21:34 2009 UDPv4 link remote: 86.76.21.144:1194
Tue Dec 22 13:21:34 2009 TLS: Initial packet from 86.76.21.144:1194, sid=0caaf0df a2be79c5
Tue Dec 22 13:21:35 2009 VERIFY OK: depth=1, /C=FR/ST=PA/L=Marseille/O=pfSense/CN=pfSense_CA/emailAddress=me@localhost
Tue Dec 22 13:21:35 2009 VERIFY OK: nsCertType=SERVER
Tue Dec 22 13:21:35 2009 VERIFY OK: depth=0, /C=FR/ST=PA/L=Marseille/O=pfSense/CN=ares/emailAddress=me@localhost
Tue Dec 22 13:21:36 2009 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1558'
Tue Dec 22 13:21:36 2009 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-128-CBC'
Tue Dec 22 13:21:36 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 22 13:21:36 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 22 13:21:36 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 22 13:21:36 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 22 13:21:36 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Dec 22 13:21:36 2009 [ares] Peer Connection Initiated with 86.76.21.144:1194
Tue Dec 22 13:21:38 2009 SENT CONTROL [ares]: 'PUSH_REQUEST' (status=1)
Tue Dec 22 13:21:38 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 192.168.100.1,ping 10,ping-restart 60,ifconfig 192.168.100.6 192.168.100.5'
Tue Dec 22 13:21:38 2009 OPTIONS IMPORT: timers and/or timeouts modified
Tue Dec 22 13:21:38 2009 OPTIONS IMPORT: --ifconfig/up options modified
Tue Dec 22 13:21:38 2009 OPTIONS IMPORT: route options modified
Tue Dec 22 13:21:38 2009 ROUTE default_gateway=10.0.2.2
Tue Dec 22 13:21:38 2009 TAP-WIN32 device [Connexion au réseau local 3] opened: \\.\Global\{1870D386-0490-4692-AA56-6C738635ADCC}.tap
Tue Dec 22 13:21:38 2009 TAP-Win32 Driver Version 9.6 
Tue Dec 22 13:21:38 2009 TAP-Win32 MTU=1500
Tue Dec 22 13:21:38 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.100.6/255.255.255.252 on interface {1870D386-0490-4692-AA56-6C738635ADCC} [DHCP-serv: 192.168.100.5, lease-time: 31536000]
Tue Dec 22 13:21:38 2009 Successful ARP Flush on interface [2] {1870D386-0490-4692-AA56-6C738635ADCC}
Tue Dec 22 13:21:44 2009 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Tue Dec 22 13:21:44 2009 C:\WINDOWS\system32\route.exe ADD 192.168.0.0 MASK 255.255.255.0 192.168.100.5
Tue Dec 22 13:21:44 2009 Route addition via IPAPI succeeded [adaptive]
Tue Dec 22 13:21:44 2009 C:\WINDOWS\system32\route.exe ADD 192.168.100.1 MASK 255.255.255.255 192.168.100.5
Tue Dec 22 13:21:44 2009 Route addition via IPAPI succeeded [adaptive]
Tue Dec 22 13:21:44 2009 Initialization Sequence Completed
Tue Dec 22 13:21:48 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:21:58 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:22:08 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:22:18 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:22:29 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:22:38 2009 [ares] Inactivity timeout (--ping-restart), restarting
Tue Dec 22 13:22:38 2009 TCP/UDP: Closing socket
Tue Dec 22 13:22:38 2009 SIGUSR1[soft,ping-restart] received, process restarting
Tue Dec 22 13:22:38 2009 Restart pause, 2 second(s)
Tue Dec 22 13:22:40 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Dec 22 13:22:40 2009 Re-using SSL/TLS context
Tue Dec 22 13:22:40 2009 LZO compression initialized
Tue Dec 22 13:22:40 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Dec 22 13:22:40 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Dec 22 13:22:40 2009 Local Options hash (VER=V4): '41690919'
Tue Dec 22 13:22:40 2009 Expected Remote Options hash (VER=V4): '530fdded'
Tue Dec 22 13:22:40 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Dec 22 13:22:40 2009 UDPv4 link local: [undef]
Tue Dec 22 13:22:40 2009 UDPv4 link remote: 86.76.21.144:1194
Tue Dec 22 13:22:40 2009 TLS: Initial packet from 86.76.21.144:1194, sid=06dbe67e 87fb9eda
Tue Dec 22 13:22:41 2009 VERIFY OK: depth=1, /C=FR/ST=PA/L=Marseille/O=pfSense/CN=pfSense_CA/emailAddress=me@localhost
Tue Dec 22 13:22:41 2009 VERIFY OK: nsCertType=SERVER
Tue Dec 22 13:22:41 2009 VERIFY OK: depth=0, /C=FR/ST=PA/L=Marseille/O=pfSense/CN=ares/emailAddress=me@localhost
Tue Dec 22 13:22:42 2009 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1558'
Tue Dec 22 13:22:42 2009 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-128-CBC'
Tue Dec 22 13:22:42 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 22 13:22:42 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 22 13:22:42 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 22 13:22:42 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 22 13:22:42 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Dec 22 13:22:42 2009 [ares] Peer Connection Initiated with 86.76.21.144:1194
Tue Dec 22 13:22:44 2009 SENT CONTROL [ares]: 'PUSH_REQUEST' (status=1)
Tue Dec 22 13:22:44 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 192.168.100.1,ping 10,ping-restart 60,ifconfig 192.168.100.6 192.168.100.5'
Tue Dec 22 13:22:44 2009 OPTIONS IMPORT: timers and/or timeouts modified
Tue Dec 22 13:22:44 2009 OPTIONS IMPORT: --ifconfig/up options modified
Tue Dec 22 13:22:44 2009 OPTIONS IMPORT: route options modified
Tue Dec 22 13:22:44 2009 Preserving previous TUN/TAP instance: Connexion au réseau local 3
Tue Dec 22 13:22:44 2009 Initialization Sequence Completed
Tue Dec 22 13:22:54 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:23:04 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:23:14 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:23:24 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:23:34 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:23:44 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:23:44 2009 [ares] Inactivity timeout (--ping-restart), restarting
Tue Dec 22 13:23:44 2009 TCP/UDP: Closing socket
Tue Dec 22 13:23:44 2009 SIGUSR1[soft,ping-restart] received, process restarting
Tue Dec 22 13:23:44 2009 Restart pause, 2 second(s)
Tue Dec 22 13:23:46 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Dec 22 13:23:46 2009 Re-using SSL/TLS context
Tue Dec 22 13:23:46 2009 LZO compression initialized
Tue Dec 22 13:23:46 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Dec 22 13:23:46 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Dec 22 13:23:46 2009 Local Options hash (VER=V4): '41690919'
Tue Dec 22 13:23:46 2009 Expected Remote Options hash (VER=V4): '530fdded'
Tue Dec 22 13:23:46 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Dec 22 13:23:46 2009 UDPv4 link local: [undef]
Tue Dec 22 13:23:46 2009 UDPv4 link remote: 86.76.21.144:1194
Tue Dec 22 13:23:47 2009 TLS: Initial packet from 86.76.21.144:1194, sid=c5a3b246 f145a49c
Tue Dec 22 13:23:47 2009 VERIFY OK: depth=1, /C=FR/ST=PA/L=Marseille/O=pfSense/CN=pfSense_CA/emailAddress=me@localhost
Tue Dec 22 13:23:47 2009 VERIFY OK: nsCertType=SERVER
Tue Dec 22 13:23:47 2009 VERIFY OK: depth=0, /C=FR/ST=PA/L=Marseille/O=pfSense/CN=ares/emailAddress=me@localhost
Tue Dec 22 13:23:48 2009 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1558'
Tue Dec 22 13:23:48 2009 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-128-CBC'
Tue Dec 22 13:23:48 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 22 13:23:48 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 22 13:23:48 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 22 13:23:48 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 22 13:23:48 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Dec 22 13:23:48 2009 [ares] Peer Connection Initiated with 86.76.21.144:1194
Tue Dec 22 13:23:50 2009 SENT CONTROL [ares]: 'PUSH_REQUEST' (status=1)
Tue Dec 22 13:23:50 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 192.168.100.1,ping 10,ping-restart 60,ifconfig 192.168.100.6 192.168.100.5'
Tue Dec 22 13:23:50 2009 OPTIONS IMPORT: timers and/or timeouts modified
Tue Dec 22 13:23:50 2009 OPTIONS IMPORT: --ifconfig/up options modified
Tue Dec 22 13:23:50 2009 OPTIONS IMPORT: route options modified
Tue Dec 22 13:23:50 2009 Preserving previous TUN/TAP instance: Connexion au réseau local 3
Tue Dec 22 13:23:50 2009 Initialization Sequence Completed
Tue Dec 22 13:24:00 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:24:10 2009 Authenticate/Decrypt packet error: cipher final failed
Tue Dec 22 13:24:20 2009 Authenticate/Decrypt packet error: cipher final failed

GruensFroeschli

The routes are added correctly:

192.168.0.0    255.255.255.0    192.168.100.5  192.168.100.6      1
    192.168.100.1  255.255.255.255    192.168.100.5  192.168.100.6      1
    192.168.100.4  255.255.255.252    192.168.100.6  192.168.100.6      30
    192.168.100.6  255.255.255.255        127.0.0.1      127.0.0.1      30
  192.168.100.255  255.255.255.255    192.168.100.6  192.168.100.6      30

But you seem to have a problem with your encryption:

Tue Dec 22 13:21:48 2009 Authenticate/Decrypt packet error: cipher final failed

Can you double check that you have the same settings on your server and the client?

alphazo

Good catch…It works now!  When posting it I saw the encryption mismatch but though that since I had an IP address I was fine.

Adding ```
cipher AES-128-CBC

I can now experiment with the new openVPN filtering functions (and associated virtual interface) in 1.2.3.

Thanks again.
Alphazo

alphazo

One last question (in fact three) regarding DNS.

1. Can I resolve machine names on the client side? For example http://myserver that is remotely located on 192.168.0.10. Or do I have to add entries to my host file.
2. Can I remotely browse samba shares without knowing their IP address?
3. Can I force all internet traffic on the client to go through the tunnel?

Thank you
alphazo

GruensFroeschli

1: You can push a DHCP-option (in your case you need DNS) you control locally to the client. Since the client now resolves its names over this DHCP, you control to what it resolves.
2: Not without setting up a WINS server.
3: Yes.

alphazo

For 1. do you mean DNS?

I don't know if there is any quick answer but how do you do 1. and especially 3. ?

Thanks
Alphazo

GruensFroeschli

Yes ^^"
Wrote only half of what i thought :D

alphazo

I found this post that should solve my problem.

http://forum.pfsense.org/index.php/topic,4355.msg50978.html#msg50978

For me, changing to "Manual Outbound NAT rule generation" did the trick. I what i did to make it work was NAT-ing my OpenVPN subnet (192.168.113.0/24) to WAN. That is…to begin with i had a working OpenVPN server for Road Warriors and what i had do to tunnel all traffic was:

1. Add the following lines of configuration to the OpenVPN "Custom Options":
   push "dhcp-option DNS 192.168.110.1";
   push "redirect-gateway local def1";

2. Change to "Manual Outbound NAT rule generation" and NAT the Road Warrior subnet to WAN (and all other interfaces...).

My Lan is 192.168.0.0/24 and VPN 192.168.100.0/24. I use the new filtering option found in 1.2.3. I  have OPT1 connected to tun7 (VPN, tun7 is forced is openVPN custom options by "dev tun7") and have automatic VPN rules disabled. Finally I have some rules on OPT1 to allow traffic to the LAN.

What do I have to use for the DNS line?

Moreover, the section on outbound nat is obscure to me. I understand that I have to go to manual outbound NAT generation. But do I have a to creat a NAT outboun for each interface (WAN, LAN and OPT(VPN)). Can someone guide me through the step required to set it up?

- Interface: WAN/LAN/OPT1
- Source: 
   - Type: any/network
   - Address:
   -  Source port:   	
- Destination 	
   - Type: any/network
   - Address:
   - Destination  port:   	
- Translation 	
  - Address: Interface address/any
  - Port: 
  - Static port:

Thank you
Alphazo

GruensFroeschli

AoN rules define how traffic is NATed.

Generally you only want traffic NATed to the WAN.
I use in my private homesetup a single rule with:
WAN    any  *  *  *  *  *  NO
Meaning i NAT everything to the WAN.

Of course you could create a AoN rule for each subnet you have.
The rules would look like:
WAN    subnet_A  *  *  *  *  *  NO
WAN    subnet_B  *  *  *  *  *  NO
WAN    subnet_C  *  *  *  *  *  NO
etc.

XZed

Hello,

I'm using with success this howto on some pfsense setup (also : http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN )…

Meanwhile, i have two problems/requests :

1. When setting up manually openvpn (on a classic linux box), i could use "./pkitool --initca --pass" to create a protected CA (in order that only someone knowing the passphrase could issue certificates) create clients...

With the easy-rsa package content ( http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html ), i don't have the "pkitool" command...

I read that "pkitool --initca" = "build-ca" : does that mean i could use "build-ca --pass" (does it even exist ?) in order to create a protected CA ?

Or do you use it differently (the main goal : protect CA / avoid unauthorized certificates issuing) ? How do you protect CA ?

2. When issuing certificates, i have, at the end, the following message :

"unable to write random state"

I think it's due to incorrect HOME / RANDFILE variables on openssl.cnf file... Well i didn't it because i don't know if my thoughts are right or if there are another variables to change...

By the way, i change HOME variable in vars.bat in order to issue certificates...

Certificates are well issued and work perfectly but this error message remains...

I wanted to know :

What does this *.rnd serve to ? Does it serve to generate random ciphering for certificates issuing ? In other words : can we simply ignore it ?

Thank you very much,

XZed

alphazo

Coming back to my all traffic via tunnel I've modified my configuration based on the above recommendations but now the tunnel is broken and I can't even connect to remote machines via their IP addresses.

I've added the following to my custom options in openVPN server settings

push "dhcp-option DNS 192.168.0.254";push "redirect-gateway local def1";dev tun7;

192.168.0.254 is the address of my pfSense box on the LAN.

Then under NAT, I switched to Manual Outbound NAT rule generation and added two rules:

Interface    Source          Source Port      Destination      Destination Port      NAT Address      NAT Port      Static Port         
WAN       192.168.0.0/24               *     *     *     *     *      NO
WAN       192.168.100.0/24            *     *     *     *     *     NO

Under a Windows client, ipconfig returns (note that I now get a default gateway):

Configuration IP de Windows
Carte Ethernet Connexion au réseau local 3:

        Suffixe DNS propre à la connexion :
        Adresse IP. . . . . . . . . . . . : 192.168.100.6
        Masque de sous-réseau . . . . . . : 255.255.255.252
        Passerelle par défaut . . . . . . : 192.168.100.5

Carte Ethernet Connexion au réseau local:

        Suffixe DNS propre à la connexion : home.internal
        Adresse IP. . . . . . . . . . . . : 10.0.2.15
        Masque de sous-réseau . . . . . . : 255.255.255.0
        Passerelle par défaut . . . . . . : 10.0.2.2

route print

===========================================================================
Liste d'Interfaces
0x1 ........................... MS TCP Loopback interface
0x2 ...00 ff 18 70 d3 86 ...... TAP-Win32 Adapter V9 - Miniport d'ordonnancemen
 de paquets
0x10004 ...08 00 27 95 b4 ef ...... Carte AMD PCNET Family Ethernet PCI
===========================================================================
===========================================================================
Itinéraires actifs :
Destination réseau    Masque réseau  Adr. passerelle   Adr. interface Métrique
          0.0.0.0          0.0.0.0         10.0.2.2       10.0.2.15       20
          0.0.0.0        128.0.0.0    192.168.100.5   192.168.100.6       1
         10.0.2.0    255.255.255.0        10.0.2.15       10.0.2.15       20
        10.0.2.15  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255        10.0.2.15       10.0.2.15       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        128.0.0.0        128.0.0.0    192.168.100.5   192.168.100.6       1
      192.168.0.0    255.255.255.0    192.168.100.5   192.168.100.6       1
    192.168.100.1  255.255.255.255    192.168.100.5   192.168.100.6       1
    192.168.100.4  255.255.255.252    192.168.100.6   192.168.100.6       30
    192.168.100.6  255.255.255.255        127.0.0.1       127.0.0.1       30
  192.168.100.255  255.255.255.255    192.168.100.6   192.168.100.6       30
        224.0.0.0        240.0.0.0        10.0.2.15       10.0.2.15       20
        224.0.0.0        240.0.0.0    192.168.100.6   192.168.100.6       30
  255.255.255.255  255.255.255.255        10.0.2.15       10.0.2.15       1
  255.255.255.255  255.255.255.255    192.168.100.6   192.168.100.6       1
Passerelle par défaut :     192.168.100.5
===========================================================================
Itinéraires persistants :
  Aucun

Can someone help me to solve my problem?
Thank you
Alphazo

GruensFroeschli

Please elaborate what you mean with "the tunnel is broken".
(How do you test?)

alphazo

By broken I meant that I can't connect to any remote machine e.g. http://192.168.0.254 (my pfSense web gui).

Please forgive my ignorance, in my earlier post I said I put :

push "dhcp-option DNS 192.168.0.254";push "redirect-gateway local def1";dev tun7;

Don't you think it should be:

push "dhcp-option DNS 192.168.100.1";push "redirect-gateway local def1";dev tun7;

```  ?

192.168.100.0/24 is the subnet of the VPN and 192.168.100.1 is the address of the virtual interface tun7.

I tried on both windows and Linux clients but it stills doesn't allow me to reach remote machines on the LAN. On the windows client I also added the following parameters (from another thread).

route-method exe
route-delay 2

Alphazo

[EDIT]

Got it working, at least for Windows clients, by swapping the configuration parameters (redirect-gateway before dhcp-option)

My config is now:

dev tun7;push "redirect-gateway def1";push "dhcp-option DNS 192.168.0.254";

Note that I can use either 192.168.0.254 (pfSense LAN address) or 192.168.100.1 (tun7 address) for the dhcp-option and get correct name resolutions.

Now my very last issue is with OpenVPN linux clients (Arch). When enabling the above configuration I can connect to remote machine via their IP addresses and even go to tunneled internet only if using IP addresses (e.g. http://208.78.70.70/ which is the IP address for http://checkip.dyndns.org is tunneled correctly) but the name resolution doesn't work.

Is there anything to do like flushing the DNS cache or starting a command to indicate the new DNS setting following the successful OpenVPN connection?

Thank you for your help
Alphazo

GruensFroeschli

Generally i would rather use the LAN IP of the pfSense as DNS server than the OpenVPN interface itself.

Note that I can use either 192.168.0.254 (pfSense LAN address) or 192.168.100.1 (tun7 address) for the dhcp-option and get correct name resolutions.

Now my very last issue is with OpenVPN linux clients (Arch). When enabling the above configuration I can connect to remote machine via their IP addresses and even go to tunneled internet only if using IP addresses (e.g. http://208.78.70.70/ which is the IP address for http://checkip.dyndns.org is tunneled correctly) but the name resolution doesn't work.

I'm not sure i understand.
Are you able to resolve names, or are you not?

alphazo

I'm not able to resolve names on a Linux client. Works fine on Windows clients.

GruensFroeschli

Hmmm.
A quick googles showed me this:
http://openvpn.net/archive/openvpn-users/2007-08/msg00124.html
with the answer:
http://openvpn.net/archive/openvpn-users/2007-08/msg00125.html

alphazo

Thanks for pointing this out. Manually adding pfSense address to the resolv.conf did the trick. As mentioned in the thread you posted a simple trick should be able to do that automatically.

Thanks again.
alphazo