Netgate Discussion Forum

    Re: OpenVPN issue

    2.0-RC Snapshot Feedback and Problems - RETIRED
    11 Posts 3 Posters 7.1k Views
    • jimp (Rebel Alliance Developer, Netgate)

      I split this off into its own topic, since it's really a separate issue and not a comment on the howto.

      It sounds like the client isn't getting the routes it needs. Did you set the "Local Network" for the OpenVPN server?

      If the client is on Vista/7, it should be run as Administrator, too.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

    • MrHorizontal

        First, eliminate the doh! factor and ensure the firewall rules allow traffic from OpenVPN - it has its own special tab that you need to allow any and all traffic through.

        If it's still not the issue, we need detailed logs, as it'd probably be a route that needs to be pushed by the server that isn't. To diagnose this, can you post:

        • the actual OpenVPN conf from the server - the file is in /var/etc/openvpn/openvpnX.conf where X is the ID in the address bar.
        • Add 'verb 5' to the client conf (advanced configuration) and post the log output from the client.
        • Mask out any sensitive IP addresses / domain names and post it here.
    • jimp (Rebel Alliance Developer, Netgate)

          @MrHorizontal:

          First, eliminate the doh! factor and ensure the firewall rules allow traffic from OpenVPN - it has its own special tab that you need to allow any and all traffic through.

          He already did that :-)

          The wizard created 2 rules in the firewall, but I also tried disabling the firewall.

          There is a checkbox in the wizard that adds the needed firewall rule(s) automatically to the WAN and OpenVPN tab.

    • Blind

            Yes, the local network is set; yes, the OpenVPN tab of the firewall has a rule to allow all traffic.

            Here's the server.conf file:

            [code]
            dev ovpns1
            dev-type tun
            dev-node /dev/tun1
            writepid /var/run/openvpn_server1.pid
            #user nobody
            #group nobody
            script-security 3
            daemon
            keepalive 10 60
            ping-timer-rem
            persist-tun
            persist-key
            proto udp
            cipher AES-128-CBC
            up /usr/local/sbin/ovpn-linkup
            down /usr/local/sbin/ovpn-linkdown
            local x.x.x.x
            tls-server
            server 10.1.0.0 255.255.0.0
            client-config-dir /var/etc/openvpn-csc
            username-as-common-name
            auth-user-pass-verify /var/etc/openvpn/server1.php via-env
            lport 1194
            management 127.0.0.1 1194
            max-clients 30
            push "route 172.16.0.0 255.255.0.0"
            push "dhcp-option DOMAIN zg.com"
            push "dhcp-option DNS 172.16.0.5"
            push "dhcp-option DNS 172.16.0.6"
            push "dhcp-option NTP "
            client-to-client
            ca /var/etc/openvpn/server1.ca 
            cert /var/etc/openvpn/server1.cert 
            key /var/etc/openvpn/server1.key 
            dh /etc/dh-parameters.1024
            tls-auth /var/etc/openvpn/server1.tls-auth 0
            persist-remote-ip
            float
            [/code]

            And here's the client connection log with verb 5:

            [code]
            Wed May 12 10:53:52 2010 us=31000 Current Parameter Settings:
            Wed May 12 10:53:52 2010 us=31000   config = 'pfsense2-udp-1194-config.ovpn'
            Wed May 12 10:53:52 2010 us=31000   mode = 0
            Wed May 12 10:53:52 2010 us=31000   show_ciphers = DISABLED
            Wed May 12 10:53:52 2010 us=31000   show_digests = DISABLED
            Wed May 12 10:53:52 2010 us=31000   show_engines = DISABLED
            Wed May 12 10:53:52 2010 us=31000   genkey = DISABLED
            Wed May 12 10:53:52 2010 us=31000   key_pass_file = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=31000   show_tls_ciphers = DISABLED
            Wed May 12 10:53:52 2010 us=31000 Connection profiles [default]:
            Wed May 12 10:53:52 2010 us=31000   proto = udp
            Wed May 12 10:53:52 2010 us=31000   local = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=31000   local_port = 1194
            Wed May 12 10:53:52 2010 us=31000   remote = 'x.x.x.x'
            Wed May 12 10:53:52 2010 us=31000   remote_port = 1194
            Wed May 12 10:53:52 2010 us=31000   remote_float = DISABLED
            Wed May 12 10:53:52 2010 us=31000   bind_defined = DISABLED
            Wed May 12 10:53:52 2010 us=31000   bind_local = ENABLED
            Wed May 12 10:53:52 2010 us=31000   connect_retry_seconds = 5
            Wed May 12 10:53:52 2010 us=31000   connect_timeout = 10
            Wed May 12 10:53:52 2010 us=31000   connect_retry_max = 0
            Wed May 12 10:53:52 2010 us=31000   socks_proxy_server = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=31000   socks_proxy_port = 0
            Wed May 12 10:53:52 2010 us=31000   socks_proxy_retry = DISABLED
            Wed May 12 10:53:52 2010 us=31000 Connection profiles END
            Wed May 12 10:53:52 2010 us=31000   remote_random = DISABLED
            Wed May 12 10:53:52 2010 us=31000   ipchange = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=31000   dev = 'tun'
            Wed May 12 10:53:52 2010 us=31000   dev_type = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=31000   dev_node = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=31000   lladdr = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=31000   topology = 1
            Wed May 12 10:53:52 2010 us=31000   tun_ipv6 = DISABLED
            Wed May 12 10:53:52 2010 us=31000   ifconfig_local = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=31000   ifconfig_remote_netmask = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=31000   ifconfig_noexec = DISABLED
            Wed May 12 10:53:52 2010 us=31000   ifconfig_nowarn = DISABLED
            Wed May 12 10:53:52 2010 us=31000   shaper = 0
            Wed May 12 10:53:52 2010 us=31000   tun_mtu = 1500
            Wed May 12 10:53:52 2010 us=31000   tun_mtu_defined = ENABLED
            Wed May 12 10:53:52 2010 us=31000   link_mtu = 1500
            Wed May 12 10:53:52 2010 us=31000   link_mtu_defined = DISABLED
            Wed May 12 10:53:52 2010 us=31000   tun_mtu_extra = 0
            Wed May 12 10:53:52 2010 us=31000   tun_mtu_extra_defined = DISABLED
            Wed May 12 10:53:52 2010 us=31000   fragment = 0
            Wed May 12 10:53:52 2010 us=31000   mtu_discover_type = -1
            Wed May 12 10:53:52 2010 us=31000   mtu_test = 0
            Wed May 12 10:53:52 2010 us=31000   mlock = DISABLED
            Wed May 12 10:53:52 2010 us=31000   keepalive_ping = 0
            Wed May 12 10:53:52 2010 us=31000   keepalive_timeout = 0
            Wed May 12 10:53:52 2010 us=31000   inactivity_timeout = 0
            Wed May 12 10:53:52 2010 us=31000   ping_send_timeout = 0
            Wed May 12 10:53:52 2010 us=31000   ping_rec_timeout = 0
            Wed May 12 10:53:52 2010 us=31000   ping_rec_timeout_action = 0
            Wed May 12 10:53:52 2010 us=31000   ping_timer_remote = DISABLED
            Wed May 12 10:53:52 2010 us=31000   remap_sigusr1 = 0
            Wed May 12 10:53:52 2010 us=31000   explicit_exit_notification = 0
            Wed May 12 10:53:52 2010 us=31000   persist_tun = ENABLED
            Wed May 12 10:53:52 2010 us=31000   persist_local_ip = DISABLED
            Wed May 12 10:53:52 2010 us=31000   persist_remote_ip = DISABLED
            Wed May 12 10:53:52 2010 us=31000   persist_key = ENABLED
            Wed May 12 10:53:52 2010 us=31000   mssfix = 1450
            Wed May 12 10:53:52 2010 us=31000   resolve_retry_seconds = 1000000000
            Wed May 12 10:53:52 2010 us=31000   username = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=31000   groupname = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=31000   chroot_dir = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=31000   cd_dir = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=31000   writepid = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=31000   up_script = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=265000   down_script = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=265000   down_pre = DISABLED
            Wed May 12 10:53:52 2010 us=265000   up_restart = DISABLED
            Wed May 12 10:53:52 2010 us=265000   up_delay = DISABLED
            Wed May 12 10:53:52 2010 us=265000   daemon = DISABLED
            Wed May 12 10:53:52 2010 us=265000   inetd = 0
            Wed May 12 10:53:52 2010 us=265000   log = DISABLED
            Wed May 12 10:53:52 2010 us=265000   suppress_timestamps = DISABLED
            Wed May 12 10:53:52 2010 us=265000   nice = 0
            Wed May 12 10:53:52 2010 us=265000   verbosity = 5
            Wed May 12 10:53:52 2010 us=265000   mute = 0
            Wed May 12 10:53:52 2010 us=265000   gremlin = 0
            Wed May 12 10:53:52 2010 us=265000   status_file = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=265000   status_file_version = 1
            Wed May 12 10:53:52 2010 us=265000   status_file_update_freq = 60
            Wed May 12 10:53:52 2010 us=265000   occ = ENABLED
            Wed May 12 10:53:52 2010 us=265000   rcvbuf = 0
            Wed May 12 10:53:52 2010 us=265000   sndbuf = 0
            Wed May 12 10:53:52 2010 us=265000   sockflags = 0
            Wed May 12 10:53:52 2010 us=265000   fast_io = DISABLED
            Wed May 12 10:53:52 2010 us=265000   lzo = 0
            Wed May 12 10:53:52 2010 us=265000   route_script = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=265000   route_default_gateway = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=265000   route_default_metric = 0
            Wed May 12 10:53:52 2010 us=265000   route_noexec = DISABLED
            Wed May 12 10:53:52 2010 us=265000   route_delay = 5
            Wed May 12 10:53:52 2010 us=265000   route_delay_window = 30
            Wed May 12 10:53:52 2010 us=265000   route_delay_defined = ENABLED
            Wed May 12 10:53:52 2010 us=265000   route_nopull = DISABLED
            Wed May 12 10:53:52 2010 us=265000   route_gateway_via_dhcp = DISABLED
            Wed May 12 10:53:52 2010 us=265000   max_routes = 100
            Wed May 12 10:53:52 2010 us=265000   allow_pull_fqdn = DISABLED
            Wed May 12 10:53:52 2010 us=265000   management_addr = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=265000   management_port = 0
            Wed May 12 10:53:52 2010 us=265000   management_user_pass = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=281000   management_log_history_cache = 250
            Wed May 12 10:53:52 2010 us=281000   management_echo_buffer_size = 100
            Wed May 12 10:53:52 2010 us=281000   management_write_peer_info_file = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=281000   management_client_user = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=281000   management_client_group = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=281000   management_flags = 0
            Wed May 12 10:53:52 2010 us=281000   shared_secret_file = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=281000   key_direction = 2
            Wed May 12 10:53:52 2010 us=281000   ciphername_defined = ENABLED
            Wed May 12 10:53:52 2010 us=281000   ciphername = 'AES-128-CBC'
            Wed May 12 10:53:52 2010 us=281000   authname_defined = ENABLED
            Wed May 12 10:53:52 2010 us=281000   authname = 'SHA1'
            Wed May 12 10:53:52 2010 us=281000   prng_hash = 'SHA1'
            Wed May 12 10:53:52 2010 us=281000   prng_nonce_secret_len = 16
            Wed May 12 10:53:52 2010 us=281000   keysize = 0
            Wed May 12 10:53:52 2010 us=328000   engine = DISABLED
            Wed May 12 10:53:52 2010 us=328000   replay = ENABLED
            Wed May 12 10:53:52 2010 us=343000   mute_replay_warnings = DISABLED
            Wed May 12 10:53:52 2010 us=343000   replay_window = 64
            Wed May 12 10:53:52 2010 us=343000   replay_time = 15
            Wed May 12 10:53:52 2010 us=343000   packet_id_file = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=343000   use_iv = ENABLED
            Wed May 12 10:53:52 2010 us=343000   test_crypto = DISABLED
            Wed May 12 10:53:52 2010 us=343000   tls_server = DISABLED
            Wed May 12 10:53:52 2010 us=343000   tls_client = ENABLED
            Wed May 12 10:53:52 2010 us=343000   key_method = 2
            Wed May 12 10:53:52 2010 us=343000   ca_file = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=343000   ca_path = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=343000   dh_file = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=343000   cert_file = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=343000   priv_key_file = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=343000   pkcs12_file = 'pfsense2-udp-1194.p12'
            Wed May 12 10:53:52 2010 us=343000   cryptoapi_cert = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=343000   cipher_list = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=343000   tls_verify = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=343000   tls_remote = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=343000   crl_file = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=343000   ns_cert_type = 0
            Wed May 12 10:53:52 2010 us=343000   remote_cert_ku[i] = 0
            Wed May 12 10:53:52 2010 us=343000   remote_cert_ku[i] = 0
            Wed May 12 10:53:52 2010 us=343000   remote_cert_ku[i] = 0
            Wed May 12 10:53:52 2010 us=343000   remote_cert_ku[i] = 0
            Wed May 12 10:53:52 2010 us=343000   remote_cert_ku[i] = 0
            Wed May 12 10:53:52 2010 us=343000   remote_cert_ku[i] = 0
            Wed May 12 10:53:52 2010 us=343000   remote_cert_ku[i] = 0
            Wed May 12 10:53:52 2010 us=343000   remote_cert_ku[i] = 0
            Wed May 12 10:53:52 2010 us=343000   remote_cert_ku[i] = 0
            Wed May 12 10:53:52 2010 us=343000   remote_cert_ku[i] = 0
            Wed May 12 10:53:52 2010 us=390000   remote_cert_ku[i] = 0
            Wed May 12 10:53:52 2010 us=390000   remote_cert_ku[i] = 0
            Wed May 12 10:53:52 2010 us=390000   remote_cert_ku[i] = 0
            Wed May 12 10:53:52 2010 us=390000   remote_cert_ku[i] = 0
            Wed May 12 10:53:52 2010 us=390000   remote_cert_ku[i] = 0
            Wed May 12 10:53:52 2010 us=390000   remote_cert_ku[i] = 0
            Wed May 12 10:53:52 2010 us=390000   remote_cert_eku = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=390000   tls_timeout = 2
            Wed May 12 10:53:52 2010 us=390000   renegotiate_bytes = 0
            Wed May 12 10:53:52 2010 us=390000   renegotiate_packets = 0
            Wed May 12 10:53:52 2010 us=390000   renegotiate_seconds = 3600
            Wed May 12 10:53:52 2010 us=390000   handshake_window = 60
            Wed May 12 10:53:52 2010 us=390000   transition_window = 3600
            Wed May 12 10:53:52 2010 us=390000   single_session = DISABLED
            Wed May 12 10:53:52 2010 us=390000   tls_exit = DISABLED
            Wed May 12 10:53:52 2010 us=390000   tls_auth_file = 'pfsense2-udp-1194-tls.key'
            Wed May 12 10:53:52 2010 us=390000   pkcs11_protected_authentication = DISABLED
            Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
            Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
            Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
            Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
            Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
            Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
            Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
            Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
            Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
            Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
            Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
            Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
            Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
            Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
            Wed May 12 10:53:52 2010 us=406000   pkcs11_protected_authentication = DISABLED
            Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
            Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
            Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
            Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
            Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
            Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
            Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
            Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
            Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
            Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
            Wed May 12 10:53:52 2010 us=406000   pkcs11_private_mode = 00000000
            Wed May 12 10:53:52 2010 us=437000   pkcs11_private_mode = 00000000
            Wed May 12 10:53:52 2010 us=437000   pkcs11_private_mode = 00000000
            Wed May 12 10:53:52 2010 us=437000   pkcs11_private_mode = 00000000
            Wed May 12 10:53:52 2010 us=437000   pkcs11_private_mode = 00000000
            Wed May 12 10:53:52 2010 us=437000   pkcs11_private_mode = 00000000
            Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
            Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
            Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
            Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
            Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
            Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
            Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
            Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
            Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
            Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
            Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
            Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
            Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
            Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
            Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
            Wed May 12 10:53:52 2010 us=437000   pkcs11_cert_private = DISABLED
            Wed May 12 10:53:52 2010 us=437000   pkcs11_pin_cache_period = -1
            Wed May 12 10:53:52 2010 us=437000   pkcs11_id = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=437000   pkcs11_id_management = DISABLED
            Wed May 12 10:53:52 2010 us=437000   server_network = 0.0.0.0
            Wed May 12 10:53:52 2010 us=437000   server_netmask = 0.0.0.0
            Wed May 12 10:53:52 2010 us=437000   server_bridge_ip = 0.0.0.0
            Wed May 12 10:53:52 2010 us=437000   server_bridge_netmask = 0.0.0.0
            Wed May 12 10:53:52 2010 us=437000   server_bridge_pool_start = 0.0.0.0
            Wed May 12 10:53:52 2010 us=500000   server_bridge_pool_end = 0.0.0.0
            Wed May 12 10:53:52 2010 us=500000   ifconfig_pool_defined = DISABLED
            Wed May 12 10:53:52 2010 us=500000   ifconfig_pool_start = 0.0.0.0
            Wed May 12 10:53:52 2010 us=500000   ifconfig_pool_end = 0.0.0.0
            Wed May 12 10:53:52 2010 us=500000   ifconfig_pool_netmask = 0.0.0.0
            Wed May 12 10:53:52 2010 us=500000   ifconfig_pool_persist_filename = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=500000   ifconfig_pool_persist_refresh_freq = 600
            Wed May 12 10:53:52 2010 us=500000   n_bcast_buf = 256
            Wed May 12 10:53:52 2010 us=500000   tcp_queue_limit = 64
            Wed May 12 10:53:52 2010 us=500000   real_hash_size = 256
            Wed May 12 10:53:52 2010 us=500000   virtual_hash_size = 256
            Wed May 12 10:53:52 2010 us=500000   client_connect_script = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=500000   learn_address_script = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=500000   client_disconnect_script = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=500000   client_config_dir = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=500000   ccd_exclusive = DISABLED
            Wed May 12 10:53:52 2010 us=500000   tmp_dir = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=500000   push_ifconfig_defined = DISABLED
            Wed May 12 10:53:52 2010 us=500000   push_ifconfig_local = 0.0.0.0
            Wed May 12 10:53:52 2010 us=500000   push_ifconfig_remote_netmask = 0.0.0.0
            Wed May 12 10:53:52 2010 us=500000   enable_c2c = DISABLED
            Wed May 12 10:53:52 2010 us=500000   duplicate_cn = DISABLED
            Wed May 12 10:53:52 2010 us=500000   cf_max = 0
            Wed May 12 10:53:52 2010 us=500000   cf_per = 0
            Wed May 12 10:53:52 2010 us=500000   max_clients = 1024
            Wed May 12 10:53:52 2010 us=500000   max_routes_per_client = 256
            Wed May 12 10:53:52 2010 us=500000   auth_user_pass_verify_script = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=500000   auth_user_pass_verify_script_via_file = DISABLED
            Wed May 12 10:53:52 2010 us=500000   ssl_flags = 0
            Wed May 12 10:53:52 2010 us=515000   client = ENABLED
            Wed May 12 10:53:52 2010 us=515000   pull = ENABLED
            Wed May 12 10:53:52 2010 us=515000   auth_user_pass_file = 'stdin'
            Wed May 12 10:53:52 2010 us=515000   show_net_up = DISABLED
            Wed May 12 10:53:52 2010 us=515000   route_method = 0
            Wed May 12 10:53:52 2010 us=515000   ip_win32_defined = DISABLED
            Wed May 12 10:53:52 2010 us=515000   ip_win32_type = 3
            Wed May 12 10:53:52 2010 us=515000   dhcp_masq_offset = 0
            Wed May 12 10:53:52 2010 us=515000   dhcp_lease_time = 31536000
            Wed May 12 10:53:52 2010 us=515000   tap_sleep = 0
            Wed May 12 10:53:52 2010 us=515000   dhcp_options = DISABLED
            Wed May 12 10:53:52 2010 us=515000   dhcp_renew = DISABLED
            Wed May 12 10:53:52 2010 us=515000   dhcp_pre_release = DISABLED
            Wed May 12 10:53:52 2010 us=515000   dhcp_release = DISABLED
            Wed May 12 10:53:52 2010 us=515000   domain = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=515000   netbios_scope = '[UNDEF]'
            Wed May 12 10:53:52 2010 us=531000   netbios_node_type = 0
            Wed May 12 10:53:52 2010 us=531000   disable_nbt = DISABLED
            Wed May 12 10:53:52 2010 us=531000 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
            Wed May 12 10:53:57 2010 us=390000 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
            Wed May 12 10:53:57 2010 us=390000 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
            Wed May 12 10:53:57 2010 us=390000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
            Wed May 12 10:53:57 2010 us=500000 Control Channel Authentication: using 'pfsense2-udp-1194-tls.key' as a OpenVPN static key file
            Wed May 12 10:53:57 2010 us=500000 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
            Wed May 12 10:53:57 2010 us=500000 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
            Wed May 12 10:53:57 2010 us=500000 Control Channel MTU parms [ L:1557 D:166 EF:66 EB:0 ET:0 EL:0 ]
            Wed May 12 10:53:57 2010 us=500000 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
            Wed May 12 10:53:57 2010 us=500000 Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
            Wed May 12 10:53:57 2010 us=500000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
            Wed May 12 10:53:57 2010 us=500000 Local Options hash (VER=V4): '0f816d6e'
            Wed May 12 10:53:57 2010 us=500000 Expected Remote Options hash (VER=V4): '2f3e190a'
            Wed May 12 10:53:57 2010 us=500000 Socket Buffers: R=[8192->8192] S=[8192->8192]
            Wed May 12 10:53:57 2010 us=500000 UDPv4 link local (bound): [undef]:1194
            Wed May 12 10:53:57 2010 us=500000 UDPv4 link remote: 174.34.67.44:1194
            Wed May 12 10:53:57 2010 us=515000 TLS: Initial packet from 174.34.67.44:1194, sid=916d48dd 8b5392d6
            Wed May 12 10:53:57 2010 us=515000 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
            Wed May 12 10:53:57 2010 us=640000 VERIFY OK: depth=1, /C=US/ST=California/L=Camarillo/O=Zindagi_Games__Inc./emailAddress=it@x.com/CN=ZGopenVPN
            Wed May 12 10:53:57 2010 us=640000 VERIFY OK: depth=0, /C=US/ST=California/L=Camarillo/O=Zindagi_Games__Inc./emailAddress=it@x.com/CN=ZGopenVPNsvr
            Wed May 12 10:53:58 2010 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
            Wed May 12 10:53:58 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
            Wed May 12 10:53:58 2010 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
            Wed May 12 10:53:58 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
            Wed May 12 10:53:58 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
            Wed May 12 10:53:58 2010 [ZGopenVPNsvr] Peer Connection Initiated with 174.34.67.44:1194
            Wed May 12 10:54:00 2010 us=62000 SENT CONTROL [ZGopenVPNsvr]: 'PUSH_REQUEST' (status=1)
            Wed May 12 10:54:02 2010 us=250000 PUSH: Received control message: 'PUSH_REPLY,route 172.16.0.0 255.255.0.0,dhcp-option DOMAIN zg.com,dhcp-option DNS 172.16.0.5,dhcp-option DNS 172.16.0.6,dhcp-option NTP ,route 10.1.0.0 255.255.0.0,topology net30,ping 10,ping-restart 60,ifconfig 10.1.0.6 10.1.0.5'
            Wed May 12 10:54:02 2010 us=250000 Options error: --dhcp-option: unknown option type 'NTP' or missing parameter
            Wed May 12 10:54:02 2010 us=250000 OPTIONS IMPORT: timers and/or timeouts modified
            Wed May 12 10:54:02 2010 us=250000 OPTIONS IMPORT: --ifconfig/up options modified
            Wed May 12 10:54:02 2010 us=250000 OPTIONS IMPORT: route options modified
            Wed May 12 10:54:02 2010 us=250000 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
            Wed May 12 10:54:02 2010 us=265000 ROUTE default_gateway=192.168.1.1
            Wed May 12 10:54:02 2010 us=265000 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{82AF9C78-941C-475F-A6A7-12D2C26C1449}.tap
            Wed May 12 10:54:02 2010 us=265000 TAP-Win32 Driver Version 9.6 
            Wed May 12 10:54:02 2010 us=265000 TAP-Win32 MTU=1500
            Wed May 12 10:54:02 2010 us=265000 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.1.0.6/255.255.255.252 on interface {82AF9C78-941C-475F-A6A7-12D2C26C1449} [DHCP-serv: 10.1.0.5, lease-time: 31536000]
            Wed May 12 10:54:02 2010 us=265000 DHCP option string: 0f067a67 2e636f6d 0608ac10 0005ac10 0006
            Wed May 12 10:54:02 2010 us=265000 Successful ARP Flush on interface [2] {82AF9C78-941C-475F-A6A7-12D2C26C1449}
            Wed May 12 10:54:07 2010 us=296000 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
            Wed May 12 10:54:07 2010 us=296000 C:\WINDOWS\system32\route.exe ADD 172.16.0.0 MASK 255.255.0.0 10.1.0.5
            Wed May 12 10:54:07 2010 us=296000 Route addition via IPAPI succeeded [adaptive]
            Wed May 12 10:54:07 2010 us=296000 C:\WINDOWS\system32\route.exe ADD 10.1.0.0 MASK 255.255.0.0 10.1.0.5
            Wed May 12 10:54:07 2010 us=296000 Route addition via IPAPI succeeded [adaptive]
            Wed May 12 10:54:07 2010 us=296000 Initialization Sequence Completed
            [/code]

            On the client I manually changed the DNS servers of the OpenVPN interface to match the internal LAN IP of pfSense and added a couple of test DNS entries to the DNS forwarder in the pfSense GUI. The client resolves those names, but here's a tracert to one of them:

            [code]
            C:\Documents and Settings\Administrator>tracert perforce
            
            Tracing route to perforce.zg.com [172.16.0.100]
            over a maximum of 30 hops:
            
              1    14 ms    16 ms    18 ms  10.1.0.1
              2     *        *        *     Request timed out.
              3     *        *        *     Request timed out.
              4     *        *        *     Request timed out.
              5     *        *        *     Request timed out.
              6     *        *        *     Request timed out.
              7     *        *        *     Request timed out.
              8     *        *        *     Request timed out.
              9     *        *        *     Request timed out.
             10     *        *        *     Request timed out.[/code]
            
            So it's able to get the DNS record from the pfSense box when that is set as the DNS provider, but when I have the DNS provider set to one of my internal DNS servers, nothing.

            Seems like nothing is getting past the pfSense box.
            
    • Blind
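            The posted server.conf carries an empty `push "dhcp-option NTP "` line, which the client log rejects with "--dhcp-option: unknown option type 'NTP' or missing parameter". As an added example (not part of this thread and not pfSense's or OpenVPN's code), a small Python linter that pulls the push directives out of a config and flags malformed dhcp-option and route payloads; the dhcp-option type table follows the OpenVPN 2.1 manual, and the sample config is trimmed from the one posted above.

```python
"""Lint the `push` directives of an OpenVPN server config.

Added example (not pfSense's or OpenVPN's own code). The check mirrors the
client-side complaint "--dhcp-option: unknown option type 'NTP' or missing
parameter" seen in the verb 5 log of this thread.
"""
import ipaddress
import shlex

# Constructed from the posted server.conf, trimmed to the push/server lines.
SAMPLE_CONF = """\
server 10.1.0.0 255.255.0.0
push "route 172.16.0.0 255.255.0.0"
push "dhcp-option DOMAIN zg.com"
push "dhcp-option DNS 172.16.0.5"
push "dhcp-option DNS 172.16.0.6"
push "dhcp-option NTP "
client-to-client
"""

# dhcp-option types accepted by OpenVPN 2.1 and whether each needs a value.
DHCP_OPTION_TYPES = {
    "DOMAIN": True, "DNS": True, "WINS": True, "NBDD": True,
    "NTP": True, "NBT": True, "NBS": True, "DISABLE-NBT": False,
}
# Types whose value must be an IPv4 address.
ADDRESS_TYPES = {"DNS", "WINS", "NBDD", "NTP"}


def parse_push_options(conf_text):
    """Return the quoted payload of every `push "..."` line, in file order."""
    pushes = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("push "):
            continue
        parts = shlex.split(line)  # shlex keeps the quoted payload intact
        if len(parts) >= 2:
            pushes.append(parts[1])  # trailing whitespace inside quotes survives
    return pushes


def lint_push_options(pushes):
    """Return human-readable problems found in the pushed option payloads."""
    problems = []
    for payload in pushes:
        words = payload.split()
        if not words:
            problems.append("empty push payload")
            continue
        kind, args = words[0], words[1:]
        if kind == "dhcp-option":
            if not args:
                problems.append(f"{payload!r}: dhcp-option without a type")
                continue
            opt_type = args[0].upper()
            needs_value = DHCP_OPTION_TYPES.get(opt_type)
            if needs_value is None:
                problems.append(f"{payload!r}: unknown dhcp-option type {opt_type}")
            elif needs_value and len(args) < 2:
                # This is the `push "dhcp-option NTP "` case from the thread.
                problems.append(f"{payload!r}: dhcp-option {opt_type} is missing its parameter")
            elif opt_type in ADDRESS_TYPES:
                try:
                    ipaddress.IPv4Address(args[1])
                except ValueError:
                    problems.append(f"{payload!r}: {args[1]} is not an IPv4 address")
        elif kind == "route":
            if len(args) < 2:
                problems.append(f"{payload!r}: route needs a network and a netmask")
                continue
            try:
                # Accepts the dotted-netmask form used in OpenVPN configs.
                ipaddress.IPv4Network(f"{args[0]}/{args[1]}")
            except ValueError as exc:
                problems.append(f"{payload!r}: bad route: {exc}")
    return problems


if __name__ == "__main__":
    for problem in lint_push_options(parse_push_options(SAMPLE_CONF)):
        print(problem)
```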

              also, I can ping the pfsense LAN address from the ovpn client (a windows server 2003 box running at my house, just convenient because I can remote desktop into it to get this openvpn config working)

and I can also connect to the webGUI on the pfSense box from that client.

It just seems anything past the pfSense box does not work.

              • jimpJ Offline
                jimp Rebel Alliance Developer Netgate
                last edited by

                Is the pfSense box the gateway for the devices on LAN?


                • B Offline
                  Blind
                  last edited by

                  @jimp:

                  Is the pfSense box the gateway for the devices on LAN?

No, at the moment I have this box set up alongside our main gateway.

All LAN devices' gateway is 172.16.0.1.

This test box is 172.16.0.2.

                  • jimpJ Offline
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    Then that is why they can't get back. The traffic is going back to their gateway, not the pfSense box.

                    So you can either:

1. Change their gateway to the pfSense test box, or
2. Put a static route for the client subnet (tunnel network) in the main router that routes that traffic to your test box's LAN IP.


                    • B Offline
                      Blind
                      last edited by

                      ahhh sonufa….

I changed the gateway on my PC here and sure enough I'm able to ping it from the OpenVPN client.

Thanks, that does make sense; I didn't even think about that, so I'll chalk this up as a successful test config.

                      • M Offline
                        MrHorizontal
                        last edited by

Yeah, welcome to the dark art of OpenVPN's built-in routing table mangler! It took me nearly a week to figure out exactly what it was doing when I did the load-balancing thing, but once you've got the hang of it, you can get OpenVPN to do the dirty work above and beyond its call of duty of just setting up an encrypted tunnel for you.

As a basic crash course: for every tunnel, OVPN creates 2 gateways for each connection. In your case the local end of the tunnel is 10.1.0.6 and the server end of the tunnel is 10.1.0.5 (this is what 'topology net30' does in the PUSH REPLY message). The server then needs to hint to the client what the actual gateway is, which also has to be in the 10.1.0.0/16 network (I assume this is 10.1.0.1?), so it sets up a second gateway via a static route to 10.1.0.1 through 10.1.0.5. To route to 172.16.0.1 you need to add a third static route to the client so that it knows to send stuff to 172.16.0.0/12 through 10.1.0.1.

Thankfully OVPN can do this for you and manage it for the lifetime of the tunnel, so add:

                        push "route 172.16.0.1 255.240.0.0 10.1.0.1"
                        

                        to the advanced box in the server page so that the client then pulls this and sets up the route.

The 'Force all client generated traffic through the tunnel' box on the server (equivalent to adding 'push "redirect-gateway def1"' to the server conf) will set up a further load of routes that override the 0.0.0.0 default network and pass all traffic through the tunnel.

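As an added example (not code from the thread, from pfSense or from OpenVPN), here is a small Python check that models jimp's diagnosis and MrHorizontal's push route: it renders the `push "route ..."` line with host bits cleared the way OpenVPN expects, and reports whether a LAN host's replies to a tunnel address can actually reach pfSense. The LAN (172.16.0.0/12), pfSense LAN IP (172.16.0.2) and LAN gateway (172.16.0.1) come from the thread; the tunnel network 10.1.0.0/24 is an assumption.

```python
"""Added example, not code from the thread or from pfSense: models the
return-path problem diagnosed above. Addresses are constructed from the thread;
the tunnel network 10.1.0.0/24 is assumed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LanSite:
    lan: str                 # network the VPN clients need to reach
    pfsense_lan_ip: str      # OpenVPN server's address on that LAN
    lan_default_gw: str      # gateway the LAN hosts actually use
    router_static_routes: dict = field(default_factory=dict)  # main router: dest net -> next hop

    def __post_init__(self):
        self.lan = ipaddress.ip_network(self.lan, strict=False)
        self.pfsense_lan_ip = ipaddress.ip_address(self.pfsense_lan_ip)
        self.lan_default_gw = ipaddress.ip_address(self.lan_default_gw)


def push_route_line(net, gateway=None):
    """Render the server-side push directive. OpenVPN's route takes a network
    and netmask, so host bits are cleared: 172.16.0.1/12 -> 172.16.0.0."""
    net = ipaddress.ip_network(net, strict=False)
    line = f'push "route {net.network_address} {net.netmask}'
    if gateway:
        line += f" {gateway}"
    return line + '"'


def return_path_ok(site, tunnel_net):
    """True if a LAN host's reply to a tunnel address reaches pfSense: either
    pfSense is the LAN default gateway (jimp's option 1), or the main router has
    a static route covering the tunnel net with pfSense as next hop (option 2)."""
    tunnel_net = ipaddress.ip_network(tunnel_net, strict=False)
    if site.lan_default_gw == site.pfsense_lan_ip:
        return True
    for dest, next_hop in site.router_static_routes.items():
        if (tunnel_net.subnet_of(ipaddress.ip_network(dest, strict=False))
                and ipaddress.ip_address(next_hop) == site.pfsense_lan_ip):
            return True
    return False


def thread_site():
    """The setup from the thread: pfSense sits beside the real LAN gateway."""
    return LanSite("172.16.0.0/12", "172.16.0.2", "172.16.0.1")


if __name__ == "__main__":
    site = thread_site()
    print(push_route_line(site.lan))            # push "route 172.16.0.0 255.240.0.0"
    print(return_path_ok(site, "10.1.0.0/24"))  # False: replies go to 172.16.0.1
    site.router_static_routes["10.1.0.0/24"] = "172.16.0.2"
    print(return_path_ok(site, "10.1.0.0/24"))  # True after the static route
```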
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.