Netgate Discussion Forum

    Problem accessing LAN from roadwarrior (SOLVED)

      mazzz86

      OK, thanks for your answer.

      What I'm not getting is:
          1°/ why the first client in your example is not 10.0.10.1?
          2°/ is 10.0.10.5 a virtual gateway defined by OpenVPN's internal system?
          3°/ even if I don't want to redirect all traffic through my VPN, what can be wrong with the ping?
              my firewall rules are:
              - pass all UDP traffic from any to any on port 1194 (OpenVPN default)
              - pass all UDP/TCP traffic from my VPN network to my LAN
          4°/ I think I tried to put a password when generating certificates. I will search more about that.

      Thanks a lot

        jimp Rebel Alliance Developer Netgate

        The .0/30 pair which uses .1 and .2 on the server end is assigned to the server itself. This is just a byproduct of how OpenVPN doles out addresses inside of its pool. It uses 5 and 6 (.4/30), then 9 and 10 (.8/30), then 13 and 14 (.12/30), etc, etc.

        The .5 address is a virtual address internal to OpenVPN. It likely will not show up on any routing table or interface list.

        This may help understand the situation a little better:
        http://doc.pfsense.org/index.php/Why_can%27t_I_ping_some_OpenVPN_adapter_addresses%3F

        Where are you entering the firewall rules to allow traffic from your VPN subnet? OpenVPN is not filtered on 1.2.3 by default, so those rules should not be on WAN or LAN interfaces. Not sure if that would cause you trouble, but it might cause other unintended problems.

        What do your LAN rules look like? Do you have traffic restricted at all? Or is it just a rule to allow all from LAN Net to anywhere?

        Also, if you don't mind, can you post a (sanitized of private info) copy of your client config file?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!
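The /30 allocation described in the post above, as an added example that is not part of the original thread. The function names are illustrative, and the /24 prefix for the 10.0.10.x tunnel network is an assumption; the thread only shows individual addresses.

```python
import ipaddress
from itertools import islice

def net30_layout(tunnel_cidr, clients):
    """List the /30 blocks used for the server and the first N clients."""
    net = ipaddress.ip_network(tunnel_cidr)
    layout = []
    for index, block in enumerate(islice(net.subnets(new_prefix=30), clients + 1)):
        low, high = block.hosts()  # the two usable addresses of a /30
        if index == 0:
            # The first block is the server's own pair (.1 and .2).
            layout.append({"owner": "server", "block": str(block),
                           "local": str(low), "peer": str(high)})
        else:
            # Client blocks: the higher address sits on the client's tun
            # adapter, the lower one is the virtual endpoint it routes via.
            layout.append({"owner": f"client{index}", "block": str(block),
                           "local": str(high), "peer": str(low)})
    return layout

def role_of(tunnel_cidr, address):
    """Say what a tunnel address is used for under this allocation."""
    net = ipaddress.ip_network(tunnel_cidr)
    addr = ipaddress.ip_address(address)
    if addr not in net:
        return "outside tunnel network"
    block, slot = divmod(int(addr) - int(net.network_address), 4)
    if slot in (0, 3):
        return "unused (network/broadcast of a /30)"
    if block == 0:
        return "server address" if slot == 1 else "server-side virtual peer"
    if slot == 1:
        return "virtual endpoint inside OpenVPN"
    return f"client{block} adapter address"

if __name__ == "__main__":
    for row in net30_layout("10.0.10.0/24", 3):
        print(row)
    for ip in ("10.0.10.1", "10.0.10.5", "10.0.10.6"):
        print(ip, "->", role_of("10.0.10.0/24", ip))
```
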

          mazzz86

          OK, so maybe it's my firewall rules. By the way, I run pfSense 1.2.3.
          But in any case, would I see my Freebox IP when I traceroute a LAN IP? I think not…

          I defined the rules on the WAN interface.

          LAN rules look like: pass all from LAN to any
          I have no other rules yet because I am actually just testing OpenVPN on this server. Nothing else is in production.

          Here is my client config file:
          client
          dev tun
          dev-node <vpn_interface>
          proto udp
          remote <public pfsense ip> 1194
          resolv-retry infinite
          nobind
          persist-key
          persist-tun
          ca <ca_name>.crt
          cert <client_name>.crt
          key <client_name>.key
          ns-cert-type server
          comp-lzo
          verb 3

            jimp Rebel Alliance Developer Netgate

            You are correct, you should not be seeing your local firewall IP. It looks like you are missing one crucial line from your client config:

            pull
            

            Without that line, the server isn't sending the routes for the VPN subnets to the client.

              jimp Rebel Alliance Developer Netgate

              Did you ever get this to work? Did adding 'pull' to your config make a difference?

                mazzz86

                Sorry for my silence.

                I will work on this subject on Wednesday and post my feedback then.

                See you

                  mazzz86

                  Hey jimp.

                  I'm still trying to make it work, but no success, even with the "pull" option.

                  In a previous post, you tell me that the Gateway should be 10.0.10.5, but I have no gateway configured when I'm connected.

                  Weird…

                    mazzz86

                    By the way :

                    I get that at the end of my client log :

                    Wed Mar 10 16:41:31 2010 ROUTE: route addition failed using CreateIpForwardEntry: Un ou plusieurs arguments sont incorrects.  [if_index=25]
                    Wed Mar 10 16:41:31 2010 Route addition via IPAPI failed
                    Wed Mar 10 16:41:31 2010 route ADD 10.0.10.1 MASK 255.255.255.255 10.0.10.5
                    Wed Mar 10 16:41:31 2010 Warning: route gateway is not reachable on any active network adapters: 10.0.10.5
                    Wed Mar 10 16:41:31 2010 Route addition via IPAPI failed
                    Wed Mar 10 16:41:31 2010 Initialization Sequence Completed

                      mazzz86

                      I'm going forward !!

                      I read on a forum that for Vista and Windows 7 clients, you need to add these lines to the client configuration file:

                      route-method exe
                      route-delay 2

                      Since I added them, no more errors in my log, and I can ping the internal address of my pfSense box.

                      But I can't ping any other IP yet and my gateway doesn't appear.

                        mazzz86

                        OK it works !!!!!  :)

                        My last problem was an internal routing problem.

                        So the solution seems to be :

                        For clients running Vista or Seven, add these two lines at the end of your client configuration file:

                        route-method exe
                        route-delay 2

                        Thank you for your help Jimp !!
                        See you
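A way to check a Windows client for the failure resolved in this thread, as an added example that is not part of the original posts. It scans the log lines quoted above and relates them to the two directives from the final post; the function names and the config fragment are constructed for illustration.

```python
import re

# Client log lines quoted in this thread.
SAMPLE_LOG = """\
Wed Mar 10 16:41:31 2010 ROUTE: route addition failed using CreateIpForwardEntry: Un ou plusieurs arguments sont incorrects.  [if_index=25]
Wed Mar 10 16:41:31 2010 Route addition via IPAPI failed
Wed Mar 10 16:41:31 2010 route ADD 10.0.10.1 MASK 255.255.255.255 10.0.10.5
Wed Mar 10 16:41:31 2010 Warning: route gateway is not reachable on any active network adapters: 10.0.10.5
Wed Mar 10 16:41:31 2010 Route addition via IPAPI failed
Wed Mar 10 16:41:31 2010 Initialization Sequence Completed
"""
# Constructed client config fragment, as it stood before the fix.
SAMPLE_CONFIG = "client\ndev tun\nproto udp\nnobind\npull\nverb 3\n"

ROUTE_ADD = re.compile(r"route ADD (\S+) MASK (\S+) (\S+)")
UNREACHABLE = re.compile(r"route gateway is not reachable .*: (\S+)")

def scan_log(log_text):
    """Collect route-installation evidence from a Windows client log."""
    report = {"ipapi_failures": 0, "routes": [], "unreachable": set(), "completed": False}
    for line in log_text.splitlines():
        if "Route addition via IPAPI failed" in line:
            report["ipapi_failures"] += 1
        elif m := ROUTE_ADD.search(line):
            report["routes"].append(m.groups())
        elif m := UNREACHABLE.search(line):
            report["unreachable"].add(m.group(1))
        elif "Initialization Sequence Completed" in line:
            report["completed"] = True
    return report

def directives(config_text):
    """Map each directive in a client config to its arguments."""
    lines = (ln.split("#", 1)[0].split() for ln in config_text.splitlines())
    return {parts[0]: parts[1:] for parts in lines if parts}

def diagnose(log_text, config_text):
    """Relate route failures in the log to the two directives from the thread."""
    report, conf = scan_log(log_text), directives(config_text)
    if not report["ipapi_failures"]:
        return []
    findings = []
    if report["completed"]:
        findings.append("tunnel reported up but routes were not installed")
    if conf.get("route-method") != ["exe"]:
        findings.append("add: route-method exe")
    if "route-delay" not in conf:
        findings.append("add: route-delay 2")
    return findings

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_CONFIG))
```

The first finding is the one to watch for in monitoring: the log ends with "Initialization Sequence Completed" even though no route was installed, so a connected tunnel does not by itself show that the LAN is reachable.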

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.