Netgate Discussion Forum

    Nat & routing on OPENVPN

    • stemond

      Hey NG,

      I don't know if this is the best NG for my problem.
      I am new to pfSense. I am planning my remote access to the office via OpenVPN.
      The tunnel comes up. I can ping the local interface of the pfSense firewall but I can't route to the LAN servers.
      This is my situation

      LAPTOPS(192.168.19.0/24)–WAN -- ROUTER -- PFSENSE (STATIC NAT with public IP) --  SERVERS LANS (192.168.126.0/24)

      I added routing rules on the server LANs but it still doesn't route :(
      I tested with tcpdump on pfSense and the packets arrive but are not routed.
      Can you give me a hint where the problem is?

      With IPsec VPN everything works....
      Thanks to all
      Stefano

      • Hypnus

        Hello,
        I kind of have the same problem but with a spin:

        • pfSense at one office (office 1) with an OpenVPN server and one at another office (office 2) with an OpenVPN client (OpenVPN site-to-site).
          I can ping the office 2 pfSense but I cannot access the LAN behind it; the other way around works, so from the office 2 LAN I can access the office 1 LAN.

        Does anyone have an idea about it?
        I'm also kind of new to pfSense so I might have made a silly mistake in the configuration, but I cannot see what.

        Thank you in advance.

        • torontob

          Can you guys post your configuration on both server and client side?

          • Hypnus

            Hi, yes I will, but I'll need a bit of time to get all the info from the configuration.
            Thank you very much for your interest in our problem.

            OK, the information on the 2 firewalls and the network:
            ** They are linked with a Site-to-Site VPN, and a MS Domain is working through it (not sure if this is important)

            1. The main firewall:
                 - 2 interfaces: WAN (static IP) and LAN (no bridging, 192.168.3.100/24, Disable the userland FTP-Proxy application)
                 - Firewall: the only configured rules are:
                     LAN: pass (there was a second network but it no longer exists, so this is kind of useless)

            | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
            | * | LAN net | * | 192.168.1.0/24 | * | * | | to 192.168.1.x |
            | * | 192.168.1.0/24 | * | * | * | * | | 192.168.1.x subnet |
            | * | LAN net | * | * | * | * | | Default LAN -> any |

            WAN: pass

            | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
            | * | * | * | * | * | * | | pass in all test rule |
            | TCP/UDP | * | * | * | 443 (HTTPS) | * | | Allow TCP/UDP to OpenVPN Server Port |
            | TCP/UDP | * | * | * | 1191 | * | | Allow TCP/UDP to OpenVPN Server Port |

            PPTP VPN: pass

            | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
            | * | PPTP clients | * | * | * | * | | allows incoming PPTP |

            IPSEC: pass

            | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
            | * | * | * | * | * | * | | Permit IPSEC |

            • Services: default
              Enable DHCP server on LAN interface: FALSE
              Subnet 192.168.3.0
              Subnet mask 255.255.255.0
              Available range: (192.168.3.0 - 192.168.3.255 ) - default readonly

            • VPN:

            • IPsec
              Tunnels: Enabled IPsec
              Mobile clients: Allow mobile clients: FALSE (basic config)
            • PPTP: Enabled PPTP server
              Server address : xx.xx.xx.xx
              Remote address range: 192.168.50.x/28
              ….
              WINS server: 192.168.3.128
            • OpenVPN : Server
              1. No TCP 192.168.10.0/24 ovpn
              ** For external connections via OpenVPN client application
              Protocol: TCP
              Dynamic IP: true
              Local port: 443
              Address pool: 192.168.10.0/24
              Local network: 192.168.3.0/24

            Cryptography: BF-CBC(128bit)
            Authentication method: PKI

            DHCP-Opt.: DNS-Server: 192.168.3.128

            Custom options:push "dhcp-option DNS 192.168.3.128";push "dhcp-option DNS 192.168.3.129";push "dhcp-option WINS 192.168.3.128"; push "route 192.168.9.0 255.255.255.0";

            2. No TCP 192.168.11.0/24 Office 2 Server
            Protocol: TCP
              Dynamic IP: true
            Local port: 1191
            Address pool: 192.168.11.0/24
            Remote network: 192.168.9.0/24

            Cryptography: BF-CBC(128bit)
            Authentication method: Shared key

            DHCP-Opt.: NetBIOS node type: none

            LZO compression: true

            Description: Office 2

            Everything else that is not shown is either not set or disabled.

            2. The client (office 2) firewall:
            • System: there are 4 static routes, like 160.58.134.x, which point to the office 1 firewall 192.168.3.100
                 - 2 interfaces: WAN (static IP) and LAN (no bridging, 192.168.9.100/24, Disable the userland FTP-Proxy application)
                 - Firewall: the only configured rules are:
                     LAN: nothing
              WAN: pass

            | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
            | TCP/UDP | * | * | * | 1191 | * | | Tunnel |

            • Services: default
              Enable DHCP server on LAN interface: TRUE
              Subnet 192.168.9.0
              Subnet mask 255.255.255.0
              Available range 192.168.9.0 - 192.168.9.255

            • VPN:

            • IPsec
              Tunnels: Enabled IPsec: FALSE (not enabled)
            • PPTP: Off
            • OpenVPN : Client
              No Firewall_1_WAN_IP TCP  Tunnel Connection 2 Office 1
              Protocol: TCP
              Server address : Firewall_1_WAN_IP (xx.xx.xx.xx)
              Server port: 1191
              Interface IP: 192.168.11.0/24
              Remote network: 192.168.3.0/24

            Proxy port: 3128

            Cryptography: BF-CBC(128bit)
            Authentication method: Shared key

            LZO compression: true

            Description: Tunnel 2 Office 1

            The rest is common configuration, default.
            So there is the office 1 network and the office 2 network, and then there are the ones for the site-to-site VPN (192.168.11.x) and the one for the external VPN connection (192.168.10.x), in which the clients can see each other even if they are in office 1 or office 2. What and where should I add a route for office 1 to see the office 2 clients?

            Note: no client from office 1 can access the network at office 2, and no client from office 2 can access its network mates if it has activated the OpenVPN client app (which connects to the office 1 VPN 1).

            Thank you very much

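The routing question in the post above (and the "packets arrive but are not routed" symptom in the first post) comes down to one check: does every hop have a route for the forward direction and for the return direction? The script below is an added example, not pfSense code and not anything posted in this thread. The three routing tables are an assumption on my part, reconstructed from the posted "Local network", "Remote network" and pushed-route settings; the router names and host addresses are made up for the walk-through. In that model, office 1 LAN to office 2 LAN has a route both ways, while the road-warrior pool 192.168.10.0/24 has no return route from office 2 until the site-to-site client is given one.

```python
"""Route-walk model of the hub-and-spoke OpenVPN topology described in the thread.

Added example, not pfSense code. The routing tables are an assumption: they
reconstruct what the posted 'Local network', 'Remote network' and pushed
routes imply, not a dump of the real firewalls.
"""
from ipaddress import ip_address, ip_network

# Each router maps a destination prefix to a next hop. "local" means the prefix
# is directly connected (LAN or tun interface); any other value names the
# router the packet is handed to over a tunnel. Anything not listed falls to
# the default route, i.e. leaves via the WAN and never reaches the other site.
BASELINE = {
    "office1": {                        # pfSense running both OpenVPN servers
        "192.168.3.0/24": "local",      # office 1 LAN
        "192.168.10.0/24": "local",     # road-warrior address pool (tun)
        "192.168.11.0/24": "local",     # site-to-site tunnel network
        "192.168.9.0/24": "office2",    # 'Remote network' of the S2S server
    },
    "office2": {                        # pfSense running the S2S OpenVPN client
        "192.168.9.0/24": "local",      # office 2 LAN
        "192.168.11.0/24": "local",
        "192.168.3.0/24": "office1",    # 'Remote network' of the S2S client
    },
    "roadwarrior": {                    # laptop with the OpenVPN client app
        "192.168.10.0/24": "local",
        "192.168.3.0/24": "office1",    # pushed from the server's 'Local network'
        "192.168.9.0/24": "office1",    # push "route 192.168.9.0 255.255.255.0"
    },
}


def lookup(table, dst):
    """Longest-prefix match; None means 'default route, i.e. lost via the WAN'."""
    best = None
    for prefix, via in table.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def trace(tables, start, dst, max_hops=8):
    """Return the routers visited from `start` until one has `dst` directly
    connected, or None if the packet hits a default route or loops."""
    hops = [start]
    node = start
    for _ in range(max_hops):
        via = lookup(tables[node], dst)
        if via is None:
            return None
        if via == "local":
            return hops
        if via in hops:                 # routing loop
            return None
        node = via
        hops.append(node)
    return None


def reachable(tables, src_router, src_ip, dst_router, dst_ip):
    """A connection works only if the forward AND the return path exist;
    the usual VPN mistake is a forward route with no route back."""
    forward = trace(tables, src_router, dst_ip)
    back = trace(tables, dst_router, src_ip)
    return forward is not None and back is not None


def with_return_route(tables):
    """Give the office 2 client a route for the road-warrior pool via the
    site-to-site tunnel (in OpenVPN terms: route 192.168.10.0 255.255.255.0)."""
    fixed = {name: dict(table) for name, table in tables.items()}
    fixed["office2"]["192.168.10.0/24"] = "office1"
    return fixed


if __name__ == "__main__":
    cases = [  # constructed sample hosts on each subnet
        ("office1", "192.168.3.10", "office2", "192.168.9.10"),
        ("roadwarrior", "192.168.10.5", "office1", "192.168.3.10"),
        ("roadwarrior", "192.168.10.5", "office2", "192.168.9.20"),
    ]
    for tables, label in ((BASELINE, "as posted"), (with_return_route(BASELINE), "with return route")):
        for src_r, src, dst_r, dst in cases:
            status = "ok" if reachable(tables, src_r, src, dst_r, dst) else "FAILS"
            print(f"{label:18} {src} -> {dst}: {status}")
```

On a pfSense 1.2-era site-to-site client the extra route would go into the client's custom options as `route 192.168.10.0 255.255.255.0` (an assumption from the posted settings; the exact field depends on the version). Pushing `route 192.168.9.0 255.255.255.0` to a laptop that is already sitting on 192.168.9.0/24 sends its own LAN traffic into the tunnel, which can produce exactly the "cannot reach network mates while the client app is active" symptom noted above. Two other things a practitioner would flag in the posted configuration: the WAN rule described as "pass in all test rule" admits every inbound connection to the firewall and should go once testing is over, and BF-CBC is a 64-bit block cipher that OpenVPN 2.5 and later no longer enable by default; AES-GCM is the usual replacement. Since the model shows the office 1 to office 2 routes are complete in both directions, that failure most likely lies outside routing, for example host firewalls on the office 2 machines or hosts whose default gateway is not the pfSense box.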
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.