Netgate Discussion Forum
    Openvpn Lan connection from client

    Summer

      Hi,
      I've set up a pfSense firewall with an OpenVPN server. I can connect from the client (Windows XP) to the server (pfSense), but I can't access the LAN I've configured in pfSense.
      I can't ping or see the LAN PCs. I've already read the OpenVPN docs... and it seems to be OK,
      so I think the problem is in my pfSense config.
      I've read some tutorials, but I have a doubt about the firewall and NAT rules. Does OpenVPN need some special config to work?
      I've set a rule in Firewall > Rules > LAN:
      PROTO   SOURCE    PORT   DESTINATION                          PORT   GATEWAY
      UDP     LAN net   *      X.X.X.X (IP of the OpenVPN client)   1194   *

      Firewall > Rules > WAN:
      PROTO   SOURCE   PORT   DESTINATION   PORT   GATEWAY
      UDP     *        *      *             1194   *

      What's wrong?

      Thanks, kind regards

      zsunol

        Hello,

        Try this:

        PROTO   SOURCE    PORT   DESTINATION    PORT   GATEWAY
        *       LAN net   *      OpenVPN pool   *      *

        And add to your OpenVPN client config:
        route <LAN IP> <mask>

        :)

        kmichal

          I have the same exact problem on TWO pfSense boxes, and I'm getting desperate.

          Client is a Mac using Tunnelblick.

          client config
          -----------------

          client
          dev tap                  # must match the server's dev type
          proto tcp                # server side runs proto tcp-server
          remote xx.xx.xx.xx 1194
          resolv-retry infinite
          nobind
          persist-key
          persist-tun
          ca test.crt
          cert client1.crt
          key client1.key
          comp-lzo
          verb 3

          end client config
          -----------------

          server config
          -----------------

          writepid /var/run/openvpn_server0.pid
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          dev tap
          proto tcp-server
          cipher BF-CBC
          up /etc/rc.filter_configure
          down /etc/rc.filter_configure
          server 172.20.30.0 255.255.255.0        # tunnel subnet; the server takes 172.20.30.1
          client-config-dir /var/etc/openvpn_csc
          push "route 10.12.0.0 255.255.255.0"    # route to the LAN pushed to every client
          lport 1194
          push "dhcp-option DISABLE-NBT"
          ca /var/etc/openvpn_server0.ca
          cert /var/etc/openvpn_server0.cert
          key /var/etc/openvpn_server0.key
          dh /var/etc/openvpn_server0.dh
          comp-lzo
          persist-remote-ip
          float
          push "route-gateway 10.12.0.1"          # gateway the client uses for the pushed routes

          end server config
          -----------------

          LAN  10.12.0.0/16
          Client's subnet 192.168.0.1/24

          Here's Clients routes when connected to OVPN server

          $ netstat -nr
          Routing tables

          Internet:
          Destination        Gateway            Flags    Refs      Use  Netif Expire
          default            192.168.0.1        UGSc       36     1253    en1
          10.12/24           10.12.0.1          UGSc        1        0    en1
          127                127.0.0.1          UCS         0        0    lo0
          127.0.0.1          127.0.0.1          UH          2     3667    lo0
          169.254            link#6             UCS         0        0    en1
          172.20.30.1/32     10.12.0.1          UGSc        0        0    en1
          172.20.30.4&0xac141e05 link#8             UC          1        0   tap0
          192.168.0          link#6             UCS         2        0    en1
          192.168.0.1        0:18:39:7d:3:c7    UHLW       33      180    en1    370
          192.168.0.101      127.0.0.1          UHS         3     1512    lo0
          192.168.0.255      link#6             UHLWb       2      125    en1
          255.255.255.254    ff:ff:ff:ff:ff:ff  UHLWb       1        2   tap0

          Client's connection log.

          Wed 09/09/09 01:25 AM:  remote='dev-type tun'
          Wed 09/09/09 01:25 AM:  remote='link-mtu 1544'
          Wed 09/09/09 01:25 AM:  remote='tun-mtu 1500'
          Wed 09/09/09 01:25 AM: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
          Wed 09/09/09 01:25 AM: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
          Wed 09/09/09 01:25 AM: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
          Wed 09/09/09 01:25 AM: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
          Wed 09/09/09 01:25 AM:  1024 bit RSA
          Wed 09/09/09 01:25 AM: [server] Peer Connection Initiated with xx.xx.xx.xx:1194
          Wed 09/09/09 01:25 AM:
          Wed 09/09/09 01:25 AM: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
          Wed 09/09/09 01:25 AM: ifconfig 172.20.30.6 172.20.30.5'
          Wed 09/09/09 01:25 AM: OPTIONS IMPORT: timers and/or timeouts modified
          Wed 09/09/09 01:25 AM: OPTIONS IMPORT: --ifconfig/up options modified
          Wed 09/09/09 01:25 AM: OPTIONS IMPORT: route options modified
          Wed 09/09/09 01:25 AM: OPTIONS IMPORT: route-related options modified
          Wed 09/09/09 01:25 AM: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
          Wed 09/09/09 01:25 AM:  for example something like 255.255.255.0. (silence this warning with --ifconfig-nowarn)
          Wed 09/09/09 01:25 AM: ROUTE default_gateway=192.168.0.1
          Wed 09/09/09 01:25 AM: TUN/TAP device /dev/tap0 opened
          Wed 09/09/09 01:25 AM:
          Wed 09/09/09 01:25 AM: /sbin/ifconfig tap0 delete
          Wed 09/09/09 01:25 AM: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
          Wed 09/09/09 01:25 AM: /sbin/ifconfig tap0 172.20.30.6 netmask 172.20.30.5 mtu 1500 up
          Wed 09/09/09 01:25 AM: /Applications/Tunnelblick.app/Contents/Resources/client.up.osx.sh tap0 1500 1576 172.20.30.6 172.20.30.5 init
          Wed 09/09/09 01:25 AM:
          Wed 09/09/09 01:25 AM: /sbin/route add -net 10.12.0.0 10.12.0.1 255.255.255.0
          Wed 09/09/09 01:25 AM: /sbin/route add -net 172.20.30.1 10.12.0.1 255.255.255.255
          Wed 09/09/09 01:25 AM: Initialization Sequence Completed

          If you need to see more, please let me know.
          There really aren't many rules set.
          I am also using IPsec, which works fine, so IPsec has a permissive rule set.

          LAN has this rule:
          Proto   Source    Port   Destination   Port   Gateway   Schedule   Description
          *       LAN net   *      *             *      *

          There has to be something I'm missing here.

          Summer

            Got it working by following this:
            it was the tun/tap interface!

            http://forum.pfsense.org/index.php?topic=14647.0  ;)

            kmichal

              Didn't make a difference for me.

              brah

                @kmichal:

                I have the same exact problem on TWO pfSense boxes, and I'm getting desperate.

                The information is from three different setups. Anyway, the routes are all messed up and it will never work like that.

                He had to delete the following directive to get it to work.

                push "route-gateway 10.12.0.1"
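The directive brah points at can be checked mechanically before a client ever connects. Below is an added example (my code, not from this thread, pfSense or OpenVPN) that reads the `server` and `push` lines of an OpenVPN server config and flags the two inconsistencies visible in kmichal's config: a pushed `route-gateway` that does not lie inside the tunnel subnet, and pushed routes that cover only part of the LAN. SERVER_CONF is a constructed excerpt of the posted server config, LAN is the 10.12.0.0/16 kmichal stated, and FIXED_CONF is my assumed corrected version (route-gateway dropped, /16 route pushed).

```python
"""Sanity-check pushed OpenVPN routes against the tunnel subnet and the LAN.

Added example, not pfSense or OpenVPN code.  SERVER_CONF is a constructed
excerpt of the server config posted in this thread; FIXED_CONF is an
assumed repair, not something any poster wrote.
"""
import ipaddress
import shlex

# Constructed excerpt of the posted server config (routing-relevant lines only).
SERVER_CONF = """\
dev tap
proto tcp-server
server 172.20.30.0 255.255.255.0
push "route 10.12.0.0 255.255.255.0"
push "dhcp-option DISABLE-NBT"
push "route-gateway 10.12.0.1"
"""

# Assumed repair: no explicit route-gateway (OpenVPN then uses the server's
# own tunnel address) and a pushed route for the whole /16 LAN.
FIXED_CONF = """\
dev tap
proto tcp-server
server 172.20.30.0 255.255.255.0
push "route 10.12.0.0 255.255.0.0"
push "dhcp-option DISABLE-NBT"
"""

LAN = ipaddress.ip_network("10.12.0.0/16")   # LAN as stated in the post


def parse_conf(text):
    """Yield (directive, args); a push line is unwrapped into
    ("push", (inner_directive, inner_args))."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)   # keeps the quoted push payload as one token
        if tokens[0] == "push" and len(tokens) > 1:
            inner = shlex.split(tokens[1])
            yield "push", (inner[0], inner[1:])
        else:
            yield tokens[0], tokens[1:]


def check_routes(conf_text, lan):
    """Return a list of findings; an empty list means the pushed routes are
    consistent with reaching `lan` through the tunnel."""
    findings = []
    tunnel = None
    gateway = None
    pushed = []
    for directive, args in parse_conf(conf_text):
        if directive == "server":
            tunnel = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        elif directive == "push":
            name, pargs = args
            if name == "route":
                mask = pargs[1] if len(pargs) > 1 else "255.255.255.255"
                pushed.append(ipaddress.ip_network(f"{pargs[0]}/{mask}", strict=False))
            elif name == "route-gateway":
                gateway = ipaddress.ip_address(pargs[0])
    if tunnel is None:
        return ["no 'server' directive: cannot identify the tunnel subnet"]
    if gateway is None:
        # Default when route-gateway is not pushed: the server's own tunnel
        # address, the first host of the 'server' subnet.
        gateway = tunnel[1]
    if gateway not in tunnel:
        findings.append(
            f"route-gateway {gateway} is not inside tunnel subnet {tunnel}: the "
            f"client cannot reach it over the tap/tun device, so the pushed routes "
            f"bind to the physical interface instead")
    if not any(lan.subnet_of(r) for r in pushed):
        if any(lan.overlaps(r) for r in pushed):
            findings.append(
                f"pushed routes {[str(r) for r in pushed]} cover only part of LAN {lan}")
        else:
            findings.append(f"no pushed route covers LAN {lan}")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", SERVER_CONF), ("fixed", FIXED_CONF)):
        print(label, check_routes(conf, LAN) or "OK")
```

The first finding is the one brah describes: 10.12.0.1 is a LAN address, not a tunnel address, so the client's OS has no way to reach that gateway through tap0 and installs the route on its default interface. The second finding is independent of the gateway problem and would still bite after removing the directive if only a /24 of a /16 LAN is pushed.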
                
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.